tidelift.yml reference

Sometimes it's right to ignore errors flagged by the dependency checker, rather than fixing them.

This can be done by placing a .tidelift.yml file in the root of your repository on GitHub.

Configuration is by type of test, where a test refers to a kind of error the dependency checker can generate. The test types are:

  • removed - package doesn't seem to exist anymore
  • deprecated - package is marked deprecated
  • unmaintained - package appears to be unmaintained
  • unlicensed - package has no license
  • vulnerable - package release appears to have a security vulnerability
  • license_prohibited - package release license is prohibited by settings in licensing section
  • inactive_stream - package release is on a version that is marked as inactive
  • not_in_catalog - package release is not available for use at your organization

Tests can be set to three modes:

  • skip - ignore the test
  • warn - failures generate a warning but don't set failing status on pull requests
  • fail - failures generate an error and set failing status on pull requests

By default, tests apply to all files that list dependencies. The unmaintained and inactive_stream tests default to warn; every other test defaults to fail.

.tidelift.yml recipes

To globally skip a certain type of test, use a snippet like this (this disables the removed test globally):

# don't run removed test on any dependencies
tests:
  removed: skip

To change the removed test to a warning instead of an error, you'd do this:

# make removed test a warning rather than an error, globally
tests:
  removed: warn

Licensing

To provide a list of allowed licenses, or to disallow specific licenses, list those licenses in the licensing: section.

Only one of allowed: or disallowed: can be used. If you have an allowed: section, the disallowed: section will be ignored.

Each item in the list should be an SPDX identifier. See the list at https://spdx.org/licenses/.

Example: allow ONLY 0BSD, AAL, Abstyles and Adobe-2006. Any license that is not one of these will fail the build.

licensing:
  allowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006

Example: disallow a selection of licenses (0BSD, AAL, Abstyles and Adobe-2006). Any of these will fail the build.

licensing:
  disallowed:
    - 0BSD
    - AAL
    - Abstyles
    - Adobe-2006

(The example licenses were chosen alphabetically from the SPDX list; Tidelift imposes no opinion on which licenses you should use.)

To make an exception for one specific package's license, while that license still fails the license_prohibited test for every other package, add an exceptions: entry like this:

licensing:
  disallowed:
    - 0BSD
exceptions:
  - name: thing
    platform: rubygems
    tests:
      - license_prohibited

Note: some licenses have multiple variants. Be sure to list every variant shown on the SPDX list, including the deprecated identifiers it still lists.

For example, to disallow all forms of Affero GPL, you would need to list these variants:

licensing:
  disallowed:
    - AGPL-1.0-only
    - AGPL-1.0-or-later
    - AGPL-3.0-only
    - AGPL-3.0-or-later
    - AGPL-1.0
    - AGPL-3.0