Tidelift Subscription Enhanced
Tidelift has made extensive enhancements to the Tidelift Subscription to improve
productivity and reduce risk for application development teams using
open source components. New features include a broader set of subscriber
software tools and substantially expanded coverage from open source
maintainers who are compensated to maintain their projects in
partnership with Tidelift. The Tidelift Subscription is the most
comprehensive solution for managing the security, maintenance, and
licensing aspects of the community-led open source packages that form
the backbone of thousands of commercial applications.
More than 90 percent of new applications today include open source
components, often with hundreds of dependencies on other projects and
libraries. Keeping current with the flow of changes to those components
and their impact on applications utilizing them has historically been
difficult or even impossible. Through its platform, Tidelift provides a
powerful set of tools to help organizations manage their open source
usage more effectively, while also paying participating maintainers to
deliver assurances for over 1,000 of their most widely used packages.
"Nearly all application developers rely heavily on open source code
because of the many benefits it provides, yet most don't have a strategy
to keep that code secure and well maintained," said Donald Fischer, CEO
and co-founder of Tidelift. "We're partnering with creators and
maintainers of a vast array of community-led open source projects to
introduce the concept of managed open source, where organizations can
save time and reduce risk by paying Tidelift's participating maintainers
to ensure their packages meet uniform and comprehensive commercial
The Tidelift Subscription monitors over 3.3 million open source packages
across 37 different ecosystems, with the number of maintainers providing
added security, maintenance, and licensing assurances growing rapidly.
Tidelift also announced today that over 4,000 open source projects are
eligible for immediate income. Apache Struts, Joda-Time, Vue, Babel,
Material-UI, Gulp, Mongoose, Nokogiri, and hundreds of other
community-led projects that are pivotal to corporate application
development are now part of the Tidelift Subscription.
"As an open source maintainer, I'm always looking for scalable ways to
help people make better use of my code," said prolific open source
creator Jon Schlinkert, maintainer of Micromatch, Enquirer, and many
teams a way to manage their open source usage more effectively while
getting security and maintenance assurances they need from a single
source. Meanwhile, maintainers like me earn predictable income that
allows us to focus on the projects that so many organizations depend on.
With Tidelift's model, it's really clear how economic value is created
for all parties."
Accelerate software development
A new Tidelift study finds application developers spend over 30 percent
of their time on code maintenance tasks, with more than a quarter
directly related to the open source components they use. With the
Tidelift Subscription in place, organizations can save time their
developers would otherwise spend addressing the impact of changes to
those components. Subscribers also minimize their exposure to open
source risk by identifying vulnerabilities in components that lead to
security issues such as the Heartbleed bug in OpenSSL, the Apache Struts
breach at Equifax, and the software supply chain attack on the
event-stream npm package.
Tools available with the Tidelift Subscription now include an overview
of security vulnerabilities and licensing issues across dependencies,
at-a-glance metrics that help developers gauge how package updates
impact their applications, and recommendations on when to upgrade key
frameworks and libraries.
The Tidelift Subscription also supports application developers
frustrated by tools that report security, maintenance, and licensing
problems in transitive dependencies (dependencies-of-dependencies)
without providing a way to help resolve them. Tidelift surfaces these
problems to its network of open source maintainers, who work to resolve
the root causes on behalf of subscribers.
Development teams wanting to learn more about their dependencies can now
explore the Tidelift Subscription in the context of their own
applications through the free self-service Tidelift open source
dependency analyzer. Those interested can simply share the package
manager files from one of their projects, and Tidelift will analyze them
and create a free report on the high-level state of their open source
dependencies, including three actionable suggestions to address today.