tidelift.yml reference

Note: If you are using Tidelift's catalog features, please see Setting standards for your catalog.

Sometimes it's right to ignore errors flagged by the dependency checker, rather than fixing them. This can be done by placing a .tidelift.yml file in the root of your repository on GitHub or including it when uploading dependency files for a scan.

Configuration is by type of test, where a test refers to a kind of error the dependency checker can generate. The test types are:

  • removed - package doesn't seem to exist anymore
  • deprecated - package is marked deprecated
  • unmaintained - package appears to be unmaintained
  • vulnerable - package release appears to have a security vulnerability
  • unlicensed - package is confirmed to have no license
  • missing_license - package lacks a machine-readable license
  • non_spdx_license - package license is not in SPDX format
  • license_prohibited - package release license is prohibited by settings in licensing section
  • inactive_stream - package release is on a version that is marked as inactive
  • not_in_catalog - package release is not available for use at your organization

Tests can be set to three modes:

  • skip - ignore the test
  • warn - failures generate a warning but don't set failing status on pull requests
  • fail - failures generate an error and set failing status on pull requests

By default, tests apply to all files that list dependencies. The unmaintained and inactive_stream types cause warnings, while the rest are fatal errors.

.tidelift.yml recipes

To globally skip a certain type of test, use a snippet like this (this disables the removed test globally):

# don't run removed test on any dependencies
  removed: skip

To change the removed test to a warning instead of an error, you'd do this:

# make removed test a warning rather than an error, globally
  removed: warn


To provide a list of allowed licenses, or to disallow specific licenses, list those licenses in the licensing: section.

Only one of allowed: or disallowed: can be used. If you have an allowed: section, the disallowed: section will be ignored.

Each item in the list should be an SPDX identifier. See the list at https://spdx.org/licenses/.

Example: allow ONLY 0BSD, AAL, Abstyles and Adobe-2006; any license that is not one of these will fail the build.

licensing:
  allowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006

Example: disallow a selection of licenses (0BSD, AAL, Abstyles and Adobe-2006); any of these will fail the build.

licensing:
  disallowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006

(Examples chosen alphabetically from SPDX; Tidelift imposes no opinion on which licenses you should use.)

To allow an exception for a specific package's license, while still allowing that license to fail everywhere else, add an exception like this:

    - 0BSD
  - name: thing
    platform: rubygems
      - license_prohibited

Note: some licenses have multiple variants. Be sure to list all variants shown on the SPDX list, including their list of deprecated identifiers.

For example, to disallow all forms of Affero GPL, you would need to list these variants:

licensing:
  disallowed:
    - AGPL-1.0-only
    - AGPL-1.0-or-later
    - AGPL-3.0-only
    - AGPL-3.0-or-later
    - AGPL-1.0
    - AGPL-3.0
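
A disallowed: list fails open: any variant you forget to list is silently accepted. The following check is an added example, not part of Tidelift's documentation or tooling. It takes the already-parsed licensing: section as a dict and reports unlisted variants plus the allowed:/disallowed: precedence rule described above. The names lint_licensing, family and SPDX_IDS are hypothetical, the identifier set is a constructed subset of the SPDX list, and grouping by "family" is a heuristic assumption.

```python
import re

# Constructed subset of SPDX identifiers (current and deprecated) for this demo;
# in practice, load the full list published at https://spdx.org/licenses/.
SPDX_IDS = {
    "0BSD", "AAL", "Abstyles", "Adobe-2006",
    "AGPL-1.0", "AGPL-1.0-only", "AGPL-1.0-or-later",
    "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later",
}


def family(spdx_id):
    """Heuristic: text before the first '-<digit>' (AGPL-3.0-only -> AGPL)."""
    return re.split(r"-(?=\d)", spdx_id, maxsplit=1)[0]


def lint_licensing(licensing, known_ids=SPDX_IDS):
    """Return a list of findings for a parsed `licensing:` section (a dict)."""
    findings = []
    allowed = licensing.get("allowed") or []
    disallowed = licensing.get("disallowed") or []

    # Per the reference: when allowed: is present, disallowed: is ignored.
    if allowed and disallowed:
        findings.append("both allowed: and disallowed: set; disallowed: is ignored")

    # Only the list that actually takes effect is checked for typos.
    for lic in (allowed or disallowed):
        if lic not in known_ids:
            findings.append(f"{lic}: not a known SPDX identifier")

    # An allowed: list fails closed, so only disallowed: can miss a variant.
    if not allowed:
        listed = set(disallowed)
        for fam in sorted({family(lic) for lic in disallowed}):
            missing = sorted(i for i in known_ids
                             if family(i) == fam and i not in listed)
            if missing:
                findings.append(f"{fam}: variants not disallowed: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in lint_licensing({"disallowed": ["AGPL-3.0-only", "AGPL-3.0-or-later"]}):
        print(finding)
```
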