Do you need to ship better code, more quickly?

We've been talking to engineering leads over the last year to learn to learn how they use open source, and how it affects their team velocity.

The more code you have, the more slowly your team moves. We've all been there. Faced with a business problem, you start to build software. As the code grows, you spend more and more of your team's capacity maintaining code you already have.

You're already outsourcing whatever you can, but some code can't be a service. SaaS takes software off your plate and puts it in the hands of a vendor, but it's tough to do this with a JSON parser, an ORM, or a web framework. That's when you pull open source packages into your application, "outsourcing" the initial development of reusable components and libraries. Without open source packages you'd spend the first two years of every project reinventing wheels.

Many assume that widely used open source software always gets maintained somehow. Nothing could be further from the truth; it's become an industry crisis. The Ford Foundation report Roads & Bridges did a lot to raise awareness, but we're reminded daily by crises like the recent hack of event-stream.

 New Call-to-action

Open source dependencies are part of your code, and code needs maintenance time.

  • timeTime for staying up to date with the latest bugfix versions.
  • Time for porting to new, incompatible major versions of frameworks—when the upstream project has no bandwidth to support old releases.
  • Time to cope when package maintainers disappear: you get to waste your team's time porting to a replacement package (best case) or risk a nasty trojan (worst case).
  • Time to handle requests from your legal department to list every package you're using, along with their licenses.
  • Time to document everything you use for your security team, and address live vulnerabilities.


This is slowing your team down and draining their attention, and we haven't even talked about actually improving these packages, or keeping them in sync with new frameworks and architectures… who's doing those things?

For many packages, nobody is.

How much faster could you move if your dependencies had that last 10% of refinement: decent documentation, nicer error messages, removing that one annoying limitation with 107 upvotes on GitHub…


“We’ve lost half a day at release time because of a sudden vulnerability in a dependency and having to figure out whether to update and hope it doesn't break anything.”

What if you had an all-in-one solution to manage open source packages?

What if you could have the flexibility of open source with the assurances of vendor-provided code? It'd be great to choose any open source you need from Maven Central, npm, Rubygems, PyPI, or wherever, and manage it all in one place. What if you could easily set up continuous tracking of your dependencies, and then have a straightforward list of issues to be aware of—all in one place?

That'd be great, but you'd still have to fix those issues. What if you could also get some proactive assurances that the list of issues will go down in the future—that your dependencies in particular won't have so many security, licensing, and maintenance problems to worry about? You'd have significantly more peace-of-mind around your open source stack.

That's the product we've built.

It's called the Tidelift Subscription. Here's how it works:

  • Keep us informed on what software you're using (we give you simple tools to do this by adding a hook to your CI system).
  • We'll tell you about issues with that software you need to be aware of.
  • We'll send part of your subscription dollars straight to the upstream maintainers behind your software—paying them to support professional security, licensing, and maintenance assurances.

Ready to learn more?



request a demo

We're paying maintainers to fix problems at the root

How do we do it? We've set up software and business processes for our subscribers to manage all their open source packages, at scale The two key elements:

  • We support upstream projects directly. We've created a business relationship with the maintainers of the packages you use. Through direct funding, education, and tools we bring upstream projects up to uniform standards our subscribers would like to see. This reduces the number of new issues you encounter.
  • We have comprehensive tools for you to track which packages you use and any issues associated with those packages.

Here's exactly what happens when you subscribe to Tidelift.

  • We give you the tools to continuously catalog your open source dependencies. You can give your service access to your repositories on, or you can call our APIs from any CI job you already have to upload your dependency manifest files.
  • We go to work ensuring your dependencies have proactive maintenance. For every dependency, if we don't already have a maintainer on the hook, we'll get to work finding someone. We'll always prefer to work with and support upstream projects directly—so they stick around, and you aren't left to maintain those projects yourself.
  • We run scans for security, licensing, and maintenance issues, and show you what you need to address. Our all-in-one tool keeps it simple and shows only the highest-priority problems.
  • We'll give you a way to measure your open source dependencies' health. So you can track the value of working on open source problems and choosing better-maintained packages.

Analysis - from PR

Dependencies export selection

We're offering all the tools you need to get your open source dependencies under control, backed by the maintainers that wrote the code in the first place.

Ready to see how the Tidelift Subscription would look with your codebase?

request a demo