Uploading package files manually

This article covers why and how you can upload package files manually through the Tidelift web app.

While the Tidelift Subscription is most useful when fully integrated into your workflow, you can also upload package files manually. Uploading these files manually allows you to:

  • More quickly evaluate the Tidelift Subscription
  • Initiate one-off scans of repositories that are not being automatically tracked

When uploading package files manually, you will need:

  • Manifest file – The manifest file lists the direct dependencies used in your project. Examples include package.json (JavaScript), Gemfile (Ruby), pom.xml (Java), and Pipfile (Python).
  • Lockfile – The lockfile lists the transitive dependencies (the dependencies of your direct dependencies). Examples include package-lock.json (JavaScript), Gemfile.lock (Ruby), maven-resolved-dependencies.txt (Java), and Pipfile.lock (Python).

You can typically fetch these files from the root directory of your repository. See the full list of compatible files here.
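
A pre-upload check for the npm manifest and lockfile pair named above, as an added example that is not Tidelift code: it separates direct from transitive dependencies and flags a manifest entry the lockfile never resolved, which would leave a scan looking at stale data. It assumes the npm lockfileVersion 2 or 3 layout; the sample files and function names are constructed for illustration.

```python
import json

# Constructed sample files (not from a real project). The manifest declares
# jest, but the lockfile was never regenerated, so jest is unresolved.
MANIFEST = json.loads("""
{"name": "demo-app",
 "dependencies": {"express": "^4.18.2"},
 "devDependencies": {"jest": "^29.7.0"}}
""")
LOCKFILE = json.loads("""
{"name": "demo-app", "lockfileVersion": 3,
 "packages": {
   "": {"name": "demo-app"},
   "node_modules/express": {"version": "4.18.2"},
   "node_modules/body-parser": {"version": "1.20.1"},
   "node_modules/debug": {"version": "4.3.4"},
   "node_modules/express/node_modules/debug": {"version": "2.6.9"}}}
""")


def direct_dependencies(manifest):
    """Names declared in the manifest (direct dependencies)."""
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(section, {}))
    return names


def locked_packages(lockfile):
    """Map package name -> set of resolved versions (lockfileVersion 2 or 3)."""
    locked = {}
    for path, meta in lockfile.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project; other paths are workspace folders
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
        locked.setdefault(name, set()).add(meta.get("version"))
    return locked


def classify(manifest, lockfile):
    """Split locked packages into direct and transitive; flag unresolved ones."""
    direct, locked = direct_dependencies(manifest), locked_packages(lockfile)
    names = set(locked)
    return {
        "direct": sorted(direct & names),
        "transitive": sorted(names - direct),
        "missing_from_lockfile": sorted(direct - names),
        "multiple_versions": sorted(n for n, v in locked.items() if len(v) > 1),
    }
```

A non-empty `missing_from_lockfile` list means the lockfile should be regenerated before the pair is uploaded.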

How to manually upload a package file

You can upload manifest files manually at any time – even if you already have scans configured through the API.

  1. From the Subscriber Dashboard navigation, select Projects
  2. Select the Project you wish to upload files for
  3. Select Upload Updated Manifests
  4. You can upload the manifest and lockfile.

Your scan will begin immediately and, when complete, you can see results within the Tidelift web app.

Note: If you are already using Tidelift with our GitHub application installed, these options will not be immediately available to you. Reach out to support@tidelift.com and we can help.
