The Tidelift Subscription is a managed open source subscription for application dependencies covering thousands of open source projects across JavaScript, Python, Java, PHP, Ruby, .NET, and more.
Speed up application development, save money, and reduce risk when building apps with open source.
92% of enterprise software projects include open source dependencies, and of those, as much as 70% of the code is open source. There’s good reason for this: the bulk of innovation in software today is happening in open source.
There are tens of thousands of open source dependencies in use across global organizations, and each one can have scores of different versions. Not all of these dependencies are going to be appropriate for your organization, for a number of reasons:
With this approach, developers on each team bring in new components on their own. If scanning tools are being used, the results are often ignored.
With this approach, the organization tightly controls open source usage to avoid risk. Scanning tools block deployments until developers address concerns, which they can’t always do.
Your engineers need access to open source dependencies to build the applications your business users and customers need. Your business policies demand that those applications only be built with “good” dependencies. Determining which dependencies are “good” is an intense, on-going effort.
An ideal solution would:
This will all save your application development teams from the ongoing, manual effort of parsing painful scanner reports full of false positives and open source trivia, while mitigating the IP, vulnerability, and availability risks associated with using open source software.
With Tidelift, you don’t have to choose between “move fast” or “stay safe.” Because we partner with the independent creators of open source, our customers are able to have both at once.
Tidelift partners directly with the maintainers of thousands of open source components to manage them for you, satisfying the basic criteria you’d require for any commercial-grade software:
A core element of the Tidelift solution is the concept of the catalog, which is a collection of approved packages that meet standards such as:
Developers will always know what’s approved for use and can proactively check if their projects are aligned with their catalog using the Tidelift web app or Tidelift CLI.
With a catalog in place, customers can choose from several mechanisms to keep their software projects aligned with the approved releases in the catalog:
The Tidelift Subscription also provides bill of materials management, so you always know what package releases are used where. If you are made aware of a zero-day exploit in the wild, you can determine if it’s:
Tidelift works directly with the maintainers of the packages, compensating them for the work they do to keep packages enterprise-ready.