Tidelift ✨

Lyn Muldrow for Tidelift

Posted on

Why can't Tidelift tell me who uses my package?

person asking 'why'

This is a question that we get pretty frequently and we wanted to provide a forum to discuss.

Subscribers are concerned about potential security threats that may come from revealing packages in use (so have contractually required us to not reveal details), but we're exploring what information we can share that would be useful.

As part of that exploration – what would you find useful? Would knowledge of subscriber information for your package shape the way you work?

Share how you're feeling in the comments below!

Top comments (3)

shadowspawn profile image
John Gee

I am interested in what versions of my package subscribers are using. (i.e. subscriber counts by version.)

Mostly for interest. But in particular if a security vulnerability is uncovered, I can include usage when deciding how far back to port the fix.

firefoxmetzger profile image
Sebastian Wallkötter

Actually, I would be quite interested to know this. Not so much the who, but the how, i.e., which parts of our public API are actually used downstream.

I have more bug reports and features requests than I can work on given the time I have to work on the library, so, if I could get a better grasp on how downstream consumes the library, I could better prioritize and work on things that actually matter to users.

galtzo profile image
Peter Boling

Who uses a package is a security risk, for sure, and for that reason, even reporting the versions in use by userbase, could be a security risk.

On the other hand - if you only show the version usage information to the maintainer(s) of the project, it stands to reason that companies are not any more vulnerable than they would be if the maintainer decided to release a new version with intentional malware. Either way they are at the mercy of the maintainer.