BOSTON, April 30, 2019—Tidelift today announced extensive enhancements to the Tidelift Subscription to improve productivity and reduce risk for application development teams using open source components. New features include a broader set of subscriber software tools and substantially expanded coverage from open source maintainers who are compensated to maintain their projects in partnership with Tidelift. The Tidelift Subscription is the most comprehensive solution for managing the security, maintenance, and licensing aspects of the community-led open source packages that form the backbone of thousands of commercial applications.
More than 90 percent of new applications today include open source components, often with hundreds of dependencies on other projects and libraries. Keeping current with the flow of changes to those components and their impact on applications utilizing them has historically been difficult or even impossible. Through its platform, Tidelift provides a powerful set of tools to help organizations manage their open source usage more effectively, while also paying participating maintainers to deliver assurances for over 1,000 of their most widely used packages.
“Nearly all application developers rely heavily on open source code because of the many benefits it provides, yet most don’t have a strategy to keep that code secure and well maintained,” said Donald Fischer, CEO and co-founder of Tidelift. “We're partnering with creators and maintainers of a vast array of community-led open source projects to introduce the concept of managed open source, where organizations can save time and reduce risk by paying Tidelift's participating maintainers to ensure their packages meet uniform and comprehensive commercial standards.”
The Tidelift Subscription monitors over 3.3 million open source packages across 37 different ecosystems, with the number of maintainers providing added security, maintenance, and licensing assurances growing rapidly. Tidelift also announced today that over 4,000 open source projects across the JavaScript, Python, PHP, Ruby, Java, and .NET ecosystems are eligible for immediate income. Apache Struts, Joda-Time, Vue, Babel, Material-UI, Gulp, Mongoose, Nokogiri, and hundreds of other community-led projects that are pivotal to corporate application development are now part of the Tidelift Subscription.
“As an open source maintainer, I'm always looking for scalable ways to help people make better use of my code,” said prolific open source creator Jon Schlinkert, maintainer of Micromatch, Enquirer, and many other JavaScript libraries. “The Tidelift Subscription gives development teams a way to manage their open source usage more effectively while getting security and maintenance assurances they need from a single source. Meanwhile, maintainers like me earn predictable income that allows us to focus on the projects that so many organizations depend on. With Tidelift’s model, it's really clear how economic value is created for all parties.”
A new Tidelift study finds application developers spend over 30 percent of their time on code maintenance tasks, with more than a quarter directly related to the open source components they use. With the Tidelift Subscription in place, organizations can save time their developers would otherwise spend addressing the impact of changes to those components. Subscribers also minimize their exposure to open source risk by identifying vulnerabilities in components that lead to security issues such as the Heartbleed bug in OpenSSL, the Apache Struts breach at Equifax, and the software supply chain attack on the event-stream npm package.
Software tools available with the Tidelift Subscription now include an overview of security vulnerabilities and licensing issues across dependencies, at-a-glance metrics that help developers gauge how package updates impact their applications, and recommendations on when to upgrade key frameworks and libraries.
The Tidelift Subscription also supports application developers frustrated by tools that report security, maintenance, and licensing problems in transitive dependencies (dependencies-of-dependencies) without providing a way to help resolve them. Tidelift surfaces these problems to its network of open source maintainers, who work to resolve the root causes on behalf of subscribers.
Development teams wanting to learn more about their dependencies can now explore the Tidelift Subscription in the context of their own applications through the free self-service Tidelift open source dependency analyzer. Those interested can simply share the package manager files from one of their projects, and Tidelift will analyze them and create a free report on the high-level state of their open source dependencies, including three actionable suggestions to address today.
Tidelift makes open source work better—for everyone. Through the Tidelift Subscription and in direct partnership with maintainers, Tidelift is a single source for proactively managed open source components and professional assurances around those components. Tidelift makes it possible for open source projects to thrive, so we can all create even more incredible software, even faster. For more: tidelift.com
Media Contact
Chris Grams
Head of Marketing, Tidelift
Email: press@tidelift.com
Phone: 919-523-2388