Open source is the modern application development platform. However, there are several hidden risks associated with using open source—exposing organizations to cybersecurity threats. Vulnerable open source packages create risk that could potentially impact your organization’s revenue, data, and business continuity.

At Tidelift, we partner with open source maintainers and pay them to implement industry-leading secure software development practices and document the practices they follow.

The result: a valuable source of cross-ecosystem package intelligence that customers can use to identify and eliminate bad packages and ensure the packages they rely on keep getting better. 

In this guide, you will learn how Tidelift helps organizations answer deeper package analysis questions such as: 

• Is the package recommended or not recommended for use by Tidelift?
• Is the open source package maintained, deprecated, or does it have an upcoming end-of-life date? 
• Does the package conform to your organization’s license policies?
• Is a CVE a false positive?
• Are there specific recommendations for effective remediation?