Tidelift

173 installs | Free
Integrate with Tidelift and see package data within VSCode.

Overview

The Tidelift extension helps you achieve a healthy open source software supply chain by monitoring your dependencies for issues like vulnerabilities, packages that are end-of-life, releases that have been removed upstream, and more. As a developer you can see issues in your project before you push code, saving you from tedious changes later in your build process.

Key features

  • Continuous scanning: Tidelift will monitor and evaluate your project dependencies against the standards set by your organization.
  • Timely notifications: If a dependency change introduces new standards violations to your project, Tidelift will let you know so that you can avoid taking on new tech and security debt.
  • Helpful categorization: Want to identify and fix certain types of violations like vulnerabilities or end-of-life packages first? The extension groups information in multiple ways so that you can use it in the way that’s most helpful to you.

Requirements

To use the Tidelift extension you must meet the following requirements:

  • Have a Tidelift API key
  • Have one of the following
    • .tidelift file in your project's root directory
    • slugs for the organization and either the catalog or project within Tidelift that your repository is associated with
  • Use one of the supported ecosystems and manifest files for your project

Supported ecosystems

| Ecosystem | Package manager | Package repository | Manifest file names | Lock file names |
|---|---|---|---|---|
| Generic SBOM | N/A | N/A | cyclonedx.yml, cyclonedx.json, *.spdx | N/A |
| Java | Maven | https://central.sonatype.com/ | pom.xml | |
| Java | Gradle ¹ | https://central.sonatype.com/ | build.gradle | |
| JavaScript | NPM | https://www.npmjs.com/ | package.json | package-lock.json, npm-shrinkwrap.json |
| JavaScript | Yarn ¹ | https://www.npmjs.com/ | package.json | yarn.lock |
| Python | pip ¹ | https://pypi.org/ | requirements.txt | |
| Python | pipenv ¹ | https://pypi.org/ | Pipfile | Pipfile.lock |
| Python | poetry ¹ | https://pypi.org/ | pyproject.toml | poetry.lock |
| Golang | go ¹ | https://pkg.go.dev/ | go.mod | |
| Swift | cocoapods ¹ | https://cocoapods.org/ | Podfile, *.podspec | Podfile.lock |
| C# | NuGet ¹ | https://www.nuget.org/ | *.csproj, project.assets.json | packages.lock.json |
| Ruby | Rubygems ¹ | https://rubygems.org/ | Gemfile | Gemfile.lock |
| Rust | Cargo ¹ | https://crates.io/ | Cargo.toml | Cargo.lock |

¹ Some extension features such as automatic alignments and package data on hover are not yet supported.

Installation

  1. Download and install the Tidelift extension from the VS Code Marketplace
  2. Navigate to Tidelift to generate or retrieve your API key
  3. In VS Code, open the command palette using Ctrl+Shift+P (Cmd+Shift+P) and type “Tidelift: set API key”, selecting the command when it appears in the list.
  4. Paste your API key and press Enter.

If you don't have a .tidelift file in your project's root directory, you must also configure your extension settings by performing the following steps:

  1. Open the command palette again and type “Tidelift: settings”, selecting the command when it appears in the list.
  2. Add your organization and catalog

Usage

The Tidelift extension can be accessed at any time from the activity bar. Upon initial configuration and after every dependency change, Tidelift will run an alignment. Alignment results are available via the extension, as is information about specific releases or violations.

If a dependency is introduced or a dependency changes versions and new violations are detected, the extension will notify you and allow you to view the details.
