Note: If you are using Tidelift's catalog features, please see Setting standards for your catalog.
Sometimes it's right to ignore errors flagged by the dependency checker, rather than fixing them. This can be done by placing a
.tidelift.yml file in the root of your repository on GitHub or including it when uploading dependency files for a scan.
Configuration is by type of test, where a test refers to a kind of error the dependency checker can generate. The test types are:
removed- package doesn't seem to exist anymore
deprecated- package is marked deprecated
unmaintained- package appears to be unmaintained
vulnerable- package release appears to have a security vulnerability
unlicensed- package is confirmed to have no license
missing_license- package lacks a machine-readable license
non_spdx_license- package license is not in SPDX format
license_prohibited- package release license is prohibited by settings in licensing section
inactive_stream- package release is on a version that is marked as inactive
not_in_catalog- package release is not available for use at your organization
Tests can be set to three modes:
skip- ignore the test
warn- failures generate a warning but don't set failing status on pull requests
fail- failures generate an error and set failing status on pull requests
By default, tests apply to all files that list dependencies.
inactive_stream types cause warnings while the rest are fatal errors.
To globally skip a certain type of test, use a snippet like this (this disables the
removed test globally):
# don't run removed test on any dependencies tests: removed: skip
To change the
removed test to a warning instead of an error, you'd do this:
# make removed test a warning rather than an error, globally tests: removed: warn
To provide a list of allowed licenses, or to disallow specific licenses, list those licenses in the
Only one of
disallowed: can be used. If you have an
allowed: section, the
disallowed: section will be ignored.
Each item in the list should be an SPDX identifier. See the list at https://spdx.org/licenses/.
Example: allow ONLY 0BSD, AAL, Abstyles and Adobe-2006, any license not one of these will fail the build.
licensing: allowed: - 0BSD - AAL - Abstyles - Adobe-2006
Example: disallow a selection of licenses (0BSD, AAL, Abstyles and Adobe-2006), any of these will fail the build.
licensing: disallowed: - 0BSD - AAL - Abstyles - Adobe-2006
(examples chosen alphabetically from SPDX, Tidelift imposes no opinion on which licenses you should use)
To allow an exception for a specific package's license, while still allowing that license to fail everywhere else, add an exception like this:
licensing: disallowed: - 0BSD exceptions: - name: thing platform: rubygems tests: - license_prohibited
Note: some licenses have multiple variants. Be sure to list all variants shown on the SPDX list, including their list of deprecated identifiers.
For example, to disallow all forms of Affero GPL, you would need to list these variants:
licensing: disallowed: - AGPL-1.0-only - AGPL-1.0-or-later - AGPL-3.0-only - AGPL-3.0-or-later - AGPL-1.0 - AGPL-3.0