About lifted and managed packages
Tidelift works with a network of maintainers to provide support for millions of open source dependencies. On top of our base support, we provide additional proactive benefits for managed packages; these benefits include guaranteed security updates even when the original project does not provide an update, and guaranteed SPDX-compliant license tags even when the original project does not provide them. Our managed packages include the core, mission-critical packages in the most common development ecosystems.
A managed package can also be lifted. For lifted packages, we are directly partnering with one or more of that project's core maintainers. These maintainers work on many major open source dependencies across ecosystems, including Vue, Project Lombok, Pillow, and thousands more. We call maintainers that partner with Tidelift lifters because they provide an additional set of assurances for their (lifted) projects. These assurances include:
- Setting up a confidential security reporting process
- Using 2-factor authentication to reduce the risk of trojan horse attacks
- Providing release notes and version guidance for their project
- Being responsive to subscriber feedback
For all managed & lifted packages, we provide key benefits that do not come along for free with traditional open source consumption. Our scope of support details a comprehensive list of benefits provided for our managed and lifted packages.