Using maintained and undeprecated packages

Using deprecated packages is a risk to your organization. As these packages are no longer actively maintained, they are more susceptible to security vulnerabilities and becoming stale. If a deprecated package has a security vulnerability, it is also less likely to get fixed. With the Tidelift Subscription, you can keep deprecated packages out of your organization's catalog by using the 'No deprecated packages' standard.

Tidelift is regularly monitoring for package deprecation from the following sources:

  • From the package manager, when a maintainer indicates that a package has been deprecated
  • Directly from the maintainers and catalog administrators, for instances when deprecation information has not been shared publicly 

We will notify you when your team is using or wants to use deprecated packages and help you uphold this standard. We will also display any additional information that a maintainer has provided about the deprecation, which may include recommendations for alternate packages.

How do I keep my team from using deprecated packages?

You can begin creating violations for deprecated packages from the Catalog > Standards page and turning on the "No Deprecated Packages" standard.  

What happens if a package release in my catalog becomes deprecated?

Tidelift is regularly monitoring all packages and will notify you if a package release that you are currently using becomes deprecated. A task will be generated for the catalog administrators to notify them about already-approved releases that violate this standard. For each package, the catalog administrators can resolve the violation by doing one of the following:

  1. Creating an exception for the deprecated package
  2. Deny all releases of the package

What happens when a newly requested package release is deprecated?

If a developer requests a package that Tidelift knows to be deprecated, the catalog administrators reviewing the request will see that there is a standard violation. The catalog administrators can do any of the following:

  1. Create an exception for the package and approve the release
  2. Deny the release

Creating exceptions for deprecated packages

When a package becomes deprecated or a developer requests a deprecated package, you may still want to create an exception for this package release to be approved in your catalog.

Exceptions can be created when completing a task and can apply to an entire package. You can view and export all deprecated package exceptions by going to Standards > View no deprecated package standard exceptions.