Do you need to ship better code, more quickly?

We've been talking to engineering leads over the last year to learn to learn how they use open source, and how it affects their team velocity.

The more code you have, the more slowly your team moves. We've all been there. Faced with a business problem, you start to build software. As the code grows, you spend more and more of your team's capacity maintaining code you already have.

You're already outsourcing whatever you can, but some code can't be a service. SaaS takes software off your plate and puts it in the hands of a vendor, but it's tough to do this with a JSON parser, an ORM, or a web framework. That's when you pull open source packages into your application, "outsourcing" the initial development of reusable components and libraries. Without open source packages you'd spend the first two years of every project reinventing wheels.

Many assume that widely used open source software always gets maintained somehow. Nothing could be further from the truth; it's become an industry crisis. The Ford Foundation report Roads & Bridges did a lot to raise awareness, but we're reminded daily by crises like the recent hack of event-stream.


Open source dependencies are part of your code, and code needs maintenance time.

  • timeTime for staying up to date with the latest bugfix versions.
  • Time for porting to new, incompatible major versions of frameworks—when the upstream project has no bandwidth to support old releases.
  • Time to cope when package maintainers disappear: you get to waste your team's time porting to a replacement package (best case) or risk a nasty trojan (worst case).
  • Time to handle requests from your legal department to list every package you're using, along with their licenses.
  • Time to document everything you use for your security team, and address live vulnerabilities.


This is slowing your team down and draining their attention, and we haven't even talked about actually improving these packages, or keeping them in sync with new frameworks and architectures… who's doing those things?

For many packages, nobody is.

How much faster could you move if your dependencies had that last 10% of refinement: decent documentation, nicer error messages, removing that one annoying limitation with 107 upvotes on GitHub…


“We’ve lost half a day at release time because of a sudden vulnerability in a dependency and having to figure out whether to update and hope it doesn't break anything.”

New Call-to-action

Two bad ways to manage open source dependencies

1 Scanning tools make more work for you

You can buy tools to generate long lists of legal and security concerns. We've spoken with hundreds of companies who bought these, and frequently… the list of concerns is just sitting there. Nobody has time to slog through countless false positives and maybe-you-should-investigate-this warnings related to the thousands of open source projects.

A cynic might say these tools are a way for security and legal teams to blame engineering… you knew about the big list of warnings! Why didn't you fix them all?

Of course, even if you worked through all the security and legal warnings, it would do nothing for general maintenance and bug-fixing of the libraries you depend on.


"Existing tools are helpful for guiding conversations, but don't get to the heart of the problem"


"I need to get maximum time for senior engineers on senior things, not babysitting PRs"

2 Bureaucracy fails while making everyone sad

You can adopt a vetting or approval processes for every new package. This fails in two ways:

  • Developers circumvent them, because individually approving thousands of packages isn't realistic and it’s inhumane.
  • Vetting a package at a point in time isn't enough; maintainers disappear constantly, licenses change, and APIs break.


What if someone stood behind open source packages?

When you buy software as SaaS or from a vendor, it's the vendor's problem to fix licensing issues, keep the code maintained, and tell you when and how to patch security vulnerabilities.

What if open source worked like that?

  • When someone at your company runs a security or licensing scanner, you could take that long list of warnings and send them to someone else to resolve.
  • When legal asks for a list of packages with their licenses, you could forward that email to someone else to handle.
  • When there's a security vulnerability, someone would tell you about it quickly and give you a new package that's actually practical to upgrade to.
  • When there's a new version, it would come with clear guidance on what's changed, why to upgrade, and whether it's likely to break your code.
  • And most importantly… packages would keep improving all the time, in response to customer feedback.
In short, what if you could have the flexibility of open source with the assurances of vendor-provided code?

Maybe you could move fast and not break things.

It'd be great to choose any open source you need from Maven Central, npm, Rubygems, PyPI, or wherever, and have someone take care of it.

Instead of buying a scanner tool to tell you all the stuff you need to fix in your open source dependencies, what if you could buy… open source dependencies that don't need fixing?

You probably see where this is going. That's the product we've built. 

Let us take care of your dependencies for you

It's called the Tidelift Subscription. Here's how it works, from the perspective of your software team:

  • Keep us informed on what software you're using (we give you simple tools to do this by adding a hook to your CI system).
  • We'll be your dependencies vendor, keeping your libraries in line—any open source packages you choose from the major package repositories.

Please don't buy (or, ugh, build) tools that create more busywork and bureaucracy for your team around open source packages. Instead, for a fraction of one developer's salary, hire Tidelift to do this for you. Outsource this non-core task!

Ready to learn more? 


request a demo

We're paying maintainers to fix problems at the root

How do we do it? We've set up software and business processes to manage all open source packages, at scale, for our subscribers. The two key elements:

  • We support upstream projects directly. We've created a business relationship with the maintainers of the packages you use. Through direct funding, education, and tools we bring upstream projects up to uniform standards our subscribers would like to see, and we can work with maintainers to address new problems that arise.
  • We have a solutions-as-a-service mindset. Our goal isn't to tell you about problems; it's to fix them before you see them. We're about root-cause fixes, not band-aids late in the software lifecycle.

 Here's exactly what happens when you subscribe to Tidelift.

  • We give you the tools to continuously catalog your open source dependencies. You can give your service access to your repositories on, or you can call our APIs from any CI job you already have to upload your dependency manifest files.
  • We go to work ensuring your dependencies have proactive maintenance. For every dependency, if we don't already have a maintainer on the hook, we'll get to work finding someone. We'll always prefer to work with and support upstream projects directly—so they stick around, and you aren't left to maintain those projects yourself.
  • We run scans for security, licensing, and maintenance issues… and then we start knocking the issues out for you. You can look at these if you want. But you don't have to; we'll work on them anyway.


  • We'll give you a way to measure your open source dependencies' health. And that measure will improve even if your team spends zero time on it. You can do even better if you use the information we provide to curate what you're using, but we're working for you either way.

shorthand-svgHere's how your job gets easier with the Tidelift Subscription

done_1If you already subscribe to another open source problem-discovery service, send us the complaints it has about your dependencies. We'd be happy to bring you solutions instead of bringing you more problems.

done_1Next time legal asks for a list of packages with their licenses, download them as CSV from your Tidelift Subscription dashboard. We'll actually have correct license information for all of your packages—and if we don't, you can make it our problem.

done_1Next time there's a security vulnerability in one of your dependencies, we'll give you a new package that's actually practical to upgrade to. If it's necessary to fork an old version of the package and backport a fix—we'll maintain that for you.

done_1When there's a new version of a package you use, we'll tell you whether and when to update to it. Maybe it's compatible, maybe it isn't—maybe it fixes something important and maybe it doesn't—we'll give you that guidance.

Managing your open source dependencies can be a solved problem. Your job is to tell us what you use, and our job is to keep it in good shape. We can keep track of thousands of dependencies both better and at lower cost than someone on your team could.

Ready to see how the Tidelift Subscription would look with your codebase?

request a demo