# Tidelift CLI Release Notes

- 1.16.X
  - [1.16.16] May 12, 2025
    - Adds TIDELIFT_DEBUG var as an alternate to passing --debug flag.
  - [1.16.15] May 5, 2025
    - Ensure that Maven and Gradle lockfile generation errors show up regardless of --debug.
  - [1.16.14] Apr 30, 2025
    - Ensure that color output is disabled on main Gradle command.
  - [1.16.13] Apr 28, 2025
    - NPM fix to skip lockfile generation if there's a bun lockfile.
  - [1.16.12] Apr 28, 2025
    - Nuget optimization to reduce size of lockfiles.
  - [1.16.11] Apr 23, 2025
    - Do not follow symlinks when recursing into a project
  - [1.16.10] Apr 22, 2025
    - Fix rare freeze related to finding the Tidelift API Key in the OS keychain
  - [1.16.9] Apr 18, 2025
    - Less chatty logs
  - [1.16.8] Apr 17, 2025
    - Nuget fix to include lockfiles from "obj/" folders that had been ignored, when we have their corresponding manifest already.
  - [1.16.7] Apr 14, 2025
    - Optimize Maven lockfile resolution by extracting sub-module lockfiles from root lockfile output.
  - [1.16.6] Apr 10, 2025
    - Use INFO log level when running external commands.
    - Use INFO log level for listing the included/excluded files.
  - [1.16.5] Apr 10, 2025
    - Include size of pre-processed Gradle files in debug logs.
  - [1.16.4] Apr 8, 2025
    - Optimize Gradle lockfile resolution for multi-project Gradle builds.
  - [1.16.3] Mar 31, 2025
    - Output system requirements error as a useful warning when venv fails on some Debian systems.
    - Use PNPM to generate a lockfile, if necessary.
  - [1.16.2] Mar 26, 2025
    - Adds support for detecting Bun lockfiles.
    - Fix regression with disabling Maven Wrapper resolution.
    - Fix issue with `--exclude` using CWD instead of the project directory
  - [1.16.1] Mar 21, 2025
    - Fix regression with tidelift-generated npm lockfiles not working.
  - [1.16.0] Mar 20, 2025
    - Stop running "mvn:list" in favor of only running "mvn:tree", i.e. stop generating "maven-resolved-dependencies.txt".
- 1.15.X
  - [1.15.7] Mar 17, 2025
    - Improve the `--exclude` flag to allow quoted values containing commas, and allow multiple instances of the flag. These improvements do not yet apply to the TIDELIFT_EXCLUDED_MANIFESTS environment variable.
  - [1.15.6] Mar 17, 2025
    - Adds support for detecting PNPM lockfiles.
  - [1.15.5] Mar 14, 2025
    - Fix a bug with gradle projects containing both build.gradle and build.gradle.kts in the same project
  - [1.15.4] Mar 7, 2025
    - Fix a bug with gradle using --directory and --recursive
  - [1.15.3] Mar 7, 2025
    - Add TIDELIFT_ALLOW_MANIFEST_FAILURES configuration to allow the CLI to continue when a package manager fails to generate a lockfile
  - [1.15.2] Mar 6, 2025
    - Default to running `npm install` with `--ignore-scripts` option enabled
    - Excluded manifest configuration now accepts Glob patterns
    - Performance improvements for recursive manifest search
    - Log config in `--debug` mode
  - [1.15.1] Feb 25, 2025
    - Add TIDELIFT_MAVEN_IGNORE_WRAPPER variable to disable Maven Wrapper resolution
  - [1.15.0] Feb 24, 2025
    - Add support for Maven wrapper
- 1.14.X
  - [1.14.1] Feb 20, 2025
    - go 1.24.0
    - Fix: handle the "--directory" flag properly for gradlew
  - [1.14.0] Jan 31, 2025
    - Fix: make the "--directory" flag work for "projects save-lockfiles"
    - Fix: handle empty "--directory" flag nil pointer error
    - Add option to specify output filename for save-lockfiles command
- 1.13.X
  - [1.13.56] - Dec 13, 2024
    - Fix: indicate package replacements are not CLI performable
  - [1.13.55] - Dec 12, 2024
    - Add developeractions feature
    - Include platform in the json alignment's developer actions
  - [1.13.54] - Dec 9, 2024
    - Remove "switch to approved releases" text in favor of developer actions
    - Remove support for conda (environment.yml)
  - [1.13.53] - Nov 14, 2024
    - Include suggested_package_name in the json alignment.
  - [1.13.52] - Nov 14, 2024
    - Add count of violations avoided for actions in saved alignment text output.
  - [1.13.51] - Oct 29, 2024
    - Fix selfupdate for ARM64 Linux
  - [1.13.50] - Oct 21, 2024
    - Add --include-text-output to be used in conjunction with --json in alignments
  - [1.13.49] - Oct 7, 2024
    - Refine display of dependency source (direct or transitive)
  - [1.13.48] - Oct 2, 2024
    - Added dependency source (direct or transitive) to release data returned on alignment
  - [1.13.47] - Sep 25, 2024
    - Add support for SPDX json manifests.
    - Setup virtual env in temp folders instead of current working directory. Override using TIDELIFT_TMPDIR.
  - [1.13.46] - Sep 24, 2024
    - Surface virtual env creation error when it fails during pip lockfile resolution.
  - [1.13.45] - September 9, 2024
    - Added "project" to alignment json output.
  - [1.13.44] - September 4, 2024
    - Added "action_to_take" to violations in saved alignment text output.
  - [1.13.43] - Aug 29, 2024
    - Output more detailed error message from selftest, in favor of always using "API error"
  - [1.13.42] - Aug 22, 2024
    - Don't pass a message when performing a catalog request
    - Add --json mode support to the `selftest` command.
  - [1.13.41] - Aug 2, 2024
    - Show 0% for 0% alignments instead of 100%.
  - [1.13.40] - Aug 01, 2024
    - Ignore the new "packaging" dependency from "pipdeptree" when generating "pip-dependency-graph.json".
    - Fix bug which could emit invalid json in --json mode.
  - [1.13.39] - Skipped
  - [1.13.38] - July 29, 2024
    - Include catalog_standards list within alignment json output.
  - [1.13.37] - July 26, 2024
    - Adds "error" and "warnings" fields to alignment output to surface manifest issues.
    - Do not search for manifests and lockfiles for platforms not supported by Tidelift.
    - Return upgrade guidance from alignments.
    - Add additional information to release violation alignment text.
  - [1.13.36] - July 8, 2024
    - Allow alignments to return a status, and detailed violation information.
  - [1.13.35] - July 3, 2024
    - Don't try to analyze unsupported nuget manifests
  - [1.13.34] - June 21, 2024
    - Add "requirement" field to release data returned on alignment.
  - [1.13.33] - June 6, 2024
    - Add useful debugging logs for pip venv initialization.
  - [1.13.32] - May 24, 2024
    - Generate and upload "pip-dependency-graph.json" with dependency data from "pipdeptree".
  - [1.13.31] - May 17, 2024
    - Enrich "go-resolved-dependencies.json" with dependency data from "go mod graph".
  - [1.13.30] - April 3, 2024
    - Return a new error when redundant lockfiles are found in same directory, e.g. "package-lock.json" and "yarn.json".
  - [1.13.29] - March 4, 2024
    - Build with CGO_ENABLED=0 to be portable
  - [1.13.28] - March 4, 2024
    - Ensure manifests are formatted properly on upload
    - Build with newer golang
  - [1.13.27] - February 2, 2024
    - Fix "tidelift init --json" so it only returns JSON.
  - [1.13.26] - January 11, 2024
    - Switch to a non-proxy'd endpoint for the status command
  - [1.13.25] - January 10, 2024
    - Collect "Replace" field info in go-resolved-dependencies.json
  - [1.13.24] - January 2, 2024
    - Switch to a new API field used by groups commands
  - [1.13.23] - December 22, 2023
    - Update manifest searching implementation
  - [1.13.22] - December 21, 2023
    - Bug fix for status requests containing slashes
  - [1.13.21] - December 20, 2023
    - Added more debug logging during manifest searching
  - [1.13.20] - December 19, 2023
    - Added more debug logging
  - [1.13.19] - December 14, 2023
    - Brings back error while auto-detecting branch from the git repo
    - Remove deprecated `--allow-requested` option for `tidelift alignment`
  - [1.13.18] - December 5, 2023
    - Bug fix to silence Go test imports command warning
    - Revert attempt to check for functioning secret service
  - [1.13.17] - December 5, 2023
    - Extends the timeout for `tidelift selfupdate` to a more generous duration.
    - Add `lifter_recommendation` to `tidelift alignment save --wait --json` response for vulnerabilities with recommendations
    - Don't check for updates if TIDELIFT_SKIP_UPDATE_CHECK=1
    - Make local alignment error messages more verbose.
  - [1.13.16] - November 10, 2023
    - Output violations for catalog release lookup results
    - Move to a 64-bit build for ARM linux.
  - [1.13.15] - November 8, 2023
    - Output manifest resolution duration when --debug is passed.
  - [1.13.14] - November 8, 2023
    - Notify Tidelift when alignment polling takes too long.
  - [1.13.13] - November 6, 2023
    - Start to add support for uploading more than 100 manifests for very large projects.
  - [1.13.12] - October 16, 2023
    - Add `--external-identifier` optional flag to `tidelift alignment save` command.
  - [1.13.11] - Aug 16, 2023
    - Fix a bug with git branch detection that stripped characters.
  - [1.13.10] - Aug 15, 2023
    - Add support for SPDX tag/value manifests.
  - [1.13.9] - Aug 9, 2023
    - Ensure that at least the standard slug name is shown for alignment errors
    - Sync standards display names with Tidelift UI
  - [1.13.8] - Aug 7, 2023
    - Handle empty external_identifier string errors when creating/updating projects.
  - [1.13.7] - Aug 4, 2023
    - Adds an `--external-identifier` flag to the `tidelift init`, `tidelift projects new`, and `tidelift projects update` commands.
  - [1.13.6] - July 13, 2023
    - Handle a small number of api keys with partially invalid data
    - Update saved alignment error message with org keys.
    - Fix error message when organization is not set.
  - [1.13.5] - June 12, 2023
    - Allow org keys to work with `tidelift catalogs list`.
  - [1.13.4] - June 12, 2023
    - Allow --name to set a Project's updated name.
    - Update api key url shown after creating an api key.
  - [1.13.3] - May 30, 2023
    - Remove requirement to prefix org with org type (and assume "team" as default)
  - [1.13.2] - May 26, 2023
    - Allow for periods in project names
  - [1.13.1] - May 14, 2023
    - Add a darwin/arm64 build for native mac silicon
  - [1.13.0] - April 27, 2023
    - Add scoped alignment output to json output
- 1.12.X
  - [1.12.31] - April 18, 2023
    - Bugfix: Don't try to use --mode=update-lockfile with older yarn.
  - [1.12.30] - March 30, 2023
    - Bugfix: fixes a mistake made when disabling vendor mode in 1.12.29
  - [1.12.29] - March 30, 2023
    - Fixes go resolution for vendored go projects by disabling vendor mode, and improves scope detection in go.
  - [1.12.28] - March 29, 2023
    - Fixes go lockfile detection to properly detect "go-resolved-dependencies.json"
  - [1.12.27] - March 13, 2023
    - Add support for api-key type naming changes from "repository" to "project"
  - [1.12.26] - March 1, 2023
    - Adds `branching-behavior` flag to `tidelift projects update` command.
  - [1.12.25] - March 1, 2023
    - Adds new auto status values to alignment statistics.
  - [1.12.24] - February 1, 2023
    - Fixes `init` and `projects new` so that failure to detect the git branch is not a fatal error
  - [1.12.23] - January 26, 2023
    - Switch Catalog lookup endpoint so it no longer requires a project to be defined.
    - Use new standard error format in projects commands.
  - [1.12.22] - January 26, 2023
    - Fixes a regression from 1.4.0 where "alignment save" was not observing the "--directory" flag.
  - [1.12.21] - January 24, 2023
    - Give an error if uploading too many files (> 99)
  - [1.12.20] - January 6, 2023
    - Don't generate a lockfile if npm-shrinkwrap.json already exists.
  - [1.12.19] - January 6, 2023
    - Fixes the output for `--dry-run` to return JSON instead of plaintext.
  - [1.12.18] - January 5, 2023
    - `init` and `projects new` commands will now auto-detect the current branch and set it as the default branch if `--default-branch` is not specified.
  - [1.12.17] - December 1, 2022
    - Quiet some go output unless --debug is passed.
  - [1.12.16] - November 28, 2022
    - The --debug flag will now show output from NPM and Yarn when the CLI is resolving dependencies.
  - [1.12.15] - November 28, 2022
    - Include a few new fields in the --json output for package release lookups.
  - [1.12.14] - November 17, 2022
    - Returns a more helpful HTTP timeout message containing a `TIDELIFT_TIMEOUT` hint.
  - [1.12.13] - November 11, 2022
    - Allow directories to be passed to `--exclude`/`-e`/`TIDELIFT_EXCLUDED_MANIFESTS` too.
  - [1.12.12] - November 8, 2022
    - Adds `--exclude`/`-e` flag and `TIDELIFT_EXCLUDED_MANIFESTS` env var to exclude a comma-delimited list of manifest filepaths.
  - [1.12.11] - November 4, 2022
    - Fix bug where rare "pending" status was returning "0 packages found."
  - [1.12.10] - October 12, 2022
    - Return a successful response for scans with no packages found.
  - [1.12.9] - September 16, 2022
    - Change the --catalog flag exit into a warning for now.
  - [1.12.8] - September 13, 2022
    - Disallow the --catalog flag on `alignment save`, since saved alignments always run against their set catalog.
  - [1.12.7] - August 18, 2022
    - Adds `TIDELIFT_GRADLE_CONFIGURATION_PATTERN=...` environment var to limit the configurations resolved in a Gradle project.
  - [1.12.6] - August 18, 2022
    - Show catalog display names in `catalogs list`.
  - [1.12.5] - July 14, 2022
    - Fail silently if command to get import scopes fails, and treat everything as "runtime".
  - [1.12.4] - June 28, 2022
    - Populate a custom "Scope" field in go-resolved-dependencies.json with "runtime" or "test".
  - [1.12.3] - June 21, 2022
    - Add dependencies.csv to manifest file name globs.
  - [1.12.2] - June 10, 2022
    - Ensure that approved with violations are shown even when alignment is 100%.
  - [1.12.1] - June 7, 2022
    - Show approved releases that have violations in saved alignments.
  - [1.12.0] - May 24, 2022
    - Allow specifying a baseline alignment number to use for alignments.
- 1.11.X
  - [1.11.2] - May 12, 2022
    - If available, return baseline alignment information when performing an alignment.
  - [1.11.1] - May 6, 2022
    - Add support for CycloneDX manifests.
  - [1.11.0] - May 2, 2022
    - Add -R flag for recursively searching for manifest files.
- 1.10.X
  - [1.10.0] - April 26, 2022
    - Add "newly introduced" information to CLI output.
    - Fix bug where versions were not coming through for `alignment save` and `status`.
- 1.9.X
  - Unreleased
    - Add some help copy to "tidelift request" so people know they can pass filenames.
  - [1.9.4] - April 22, 2022
    - Look for gradlew in both command-relative folder AND the manifest-relative folder.
  - [1.9.3] - April 20, 2022
    - Adapt to new error envelope format and new error response for update project endpoint.
  - [1.9.2] - April 18, 2022
    - Adds support for aligning against build.gradle.kts (Kotlin) files.
  - [1.9.1] - April 13, 2022
    - Retry transient errors while waiting on scan status (timeouts, bad gateways, not founds)
  - [1.9.0] - March 22, 2022
    - Adds `tidelift groups remove-project`
    - Standardize successful removals by removing list response from `tidelift groups remove-user`
- 1.8.X
  - [1.8.0] - March 18, 2022
    - Adds `tidelift groups list-projects`
- 1.7.X
  - [1.7.0] - March 16, 2022
    - Adds `tidelift groups add-project`
- 1.6.X
  - [1.6.10] - March 15, 2022
    - Expose the new project's name field after `tidelift projects new`
  - [1.6.10] - March 10, 2022
    - Handle 422 errors in POST requests.
  - [1.6.9] - March 10, 2022
    - Include users' roles when listing users in a group.
  - [1.6.8] - March 8, 2022
    - Tell Tidelift if lockfiles are generated or not when uploading.
  - [1.6.7] - March 4, 2022
    - Adds `tidelift groups remove-user`
  - [1.6.6] - March 1, 2022
    - Fix json output from `tidelift projects new`
  - [1.6.5] - March 1, 2022
    - Adds `tidelift projects delete`
  - [1.6.4] - February 28, 2022
    - Adds `tidelift groups add-user`
  - [1.6.3] - February 25, 2022
    - Adds `TIDELIFT_MAVEN_FORCE_DEP_PLUGIN=1` flag to ensure Maven Dependency Plugin is installed for lockfile resolution even when it's not available in environment.
  - [1.6.2] - February 25, 2022
    - Adds `tidelift groups list-users`
  - [1.6.1] - February 18, 2022
    - Ensure --organization is constructed correctly when using tidelift init.
  - [1.6.0] - February 18, 2022
    - Adds `tidelift groups new`
    - Adds `tidelift groups list`
    - Adds `tidelift groups remove`
- 1.5.X
  - [1.5.11] - February 16, 2022
    - Adds TIDELIFT_NPM_NO_RESOLVE and TIDELIFT_NUGET_NO_RESOLVE env vars to skip lockfile resolution.
  - [1.5.10] - February 14, 2022
    - Add `tidelift projects update` command to update branch, catalog, and groups.
  - [1.5.9] - February 9, 2022
    - Adds examples of passing filenames to alignment help text
  - [1.5.8] - February 8, 2022
    - Builds on new behavior of 1.5.5: only fails if both generated files fail.
  - [1.5.7] - February 8, 2022
    - Don't exit early when we get a 404 while waiting on scan, in case of race condition.
  - [1.5.6] - February 8, 2022
    - Fix alignment summary on output, so it prints when --wait is used.
  - [1.5.5] - February 7, 2022
    - Exit with error and status code 1 when Maven lockfile can't be generated.
  - [1.5.4] - February 7, 2022
    - Fix a bug that wasn't surfacing errors while changing directories.
  - [1.5.3] - February 2, 2022
    - Print alignment summary on `tidelift status`
  - [1.5.2] - February 2, 2022
    - Fix a panic in `tidelift projects new-key`
  - [1.5.1] - January 25, 2022
    - Fix `tidelift selftest` for v1 api keys.
  - [1.5.0] - January 13, 2022
    - Allow setting default branch of repository via `init` or `projects new`.
- 1.4.X
  - [1.4.1] - January 14, 2022
    - Fix skip-if-cached upper limit
  - [1.4.0] - January 6, 2022
    - Use checksum and TTL (--skip-if-cached=) to determine if scan needs to be re-run or not.
- 1.3.x
  - [1.3.1] - December 13, 2021
    - Send checksum of non-generated manifests as checksum.sha256.
  - [1.3.0] - November 18, 2021
    - Breaking change with `alignment save`: branches are now autodetected (see docs -> https://ptm.tl/cli-docs) and, if one cannot be found, must be specified with --branch
- 1.2.x
  - [1.2.5] - November 11, 2021
    - Temporarily revert to go 1.17.2 to avoid a net/http regression.
  - [1.2.4] - November 10, 2021
    - Don't regenerate and upload existing Gradle lockfiles twice either.
  - [1.2.3] - November 4, 2021
    - Fixes a bug with NPM/Yarn where lockfiles in subfolders were being uploaded twice.
  - [1.2.2] - November 3, 2021
    - Prioritize gradle wrapper over gradle binary, to avoid environments with mismatched versions.
  - [1.2.1] - October 26, 2021
    - Remove bower support.
  - [1.2.0] - October 22, 2021
    - Generate an ephemeral NPM or Yarn lockfile during alignment if it doesn't exist.
- 1.1.x
  - [1.1.1] - October 12, 2021
    - Disable warnings on selfupdate.
  - [1.1.0] - October 4, 2021
    - Allow subdirectories for manifest specification (e.g: `tidelift alignment subdir/package.json`) instead of always needing to be at the root next to the files.
- 1.0.x
  - [1.0.7] - October 1, 2021
    - Don't fail if removing a tmpfile fails
  - [1.0.6] - September 29, 2021
    - Makes CLI flag/arg errors a little more consistent.
  - [1.0.5] - September 28, 2021
    - A lot of error message and command output changes to standardize linking to docs, argument counts, and more.
  - [1.0.4] - September 28, 2021
    - Rework Go Build Constraints for Platform Specific Code
  - [1.0.3] - September 27, 2021
    - Adjust how nuget lock files are discovered.
  - [1.0.2] - September 23, 2021
    - Add build for Homebrew, and remove selfupdate ability for homebrew builds.
  - [1.0.1] - September 22, 2021
    - Removing some unused release properties.
  - [1.0.0] - September 21, 2021
    - Cutting our first Majorly Stable Tidelift 1.0.0 version.
- 0.34.x
  - [0.34.5] - September 16, 2021
    - Bugfix: Show error when passing incorrect organization types as configuration.
  - [0.34.4] - September 16, 2021
    - Pick up `{"error": {"message": "err"}}` responses, as well as just `{"message": "err"}`
  - [0.34.3] - September 15, 2021
    - Bugfix: Require a Project to be set to run `tidelift status`.
  - [0.34.2] - September 13, 2021
    - Bugfix: Change helptext for `tidelift init --force`.
  - [0.34.1] - September 13, 2021
    - Bugfixes to prevent errors with multiple periods at end due to the way Go formats errors.
  - [0.34.0] - September 10, 2021
    - Show statistics in both `alignment` and `alignment save`'s --json output. This allows you to parse our output yourself, rather than rely on our "blocking build" because of at least one denial.
- 0.33.x
  - [0.33.0] - September 3, 2021
    - Remove --allow-requested, which has been silently broken for a while; favor the upcoming --statistics to calculate this manually.
- 0.32.x
  - [0.32.0] - September 2, 2021
    - Remove deprecated Scan, TEAM/REPO Settings that we deprecated in March 2021.
- 0.31.x - September 2, 2021
  - [0.31.0] - September 2, 2021
    - Disable npm-ls.json generation and uploading.
- 0.30.x
  - [0.30.0] - August 27, 2021
    - Show warning when TIDELIFT_API_KEY is set in .tidelift files. Very important upcoming backwards-incompatible change to note. Please use environment variables for project keys, and `tidelift auth` for user keys.
- 0.29.x
  - [0.29.1] - August 18, 2021
    - Small Quality of Life changes in `tidelift selftest`, showing who the API user is.
  - [0.29.0] - August 18, 2021
    - Checking authentication before long running commands. This fixes a longstanding problem where we would run pip tooling before uploading the manifests, only for you to then realize that the client is not authenticated. By checking beforehand, we minimize the time-to-error response.
- 0.28.x
  - [0.28.0] - August 13, 2021
    - Adds a --wait flag to `tidelift request --all`, which allows processing on tidelift.com to finish working before continuing on and ending the command. Useful for chaining a `tidelift alignment save` afterwards in CI/CD.
- 0.27.x
  - [0.27.0-0.27.1] - August 4, 2021
    - Bug fixes for filename uploading for NuGet
- 0.26.x
  - [0.26.8] - August 3, 2021
    - Show error when submitting a non-Tidelift acceptable project name on `tidelift projects new` and `tidelift init`
  - [0.26.7] - July 29, 2021
    - Sanitizing slashes for passing to bibliothecary.
  - [0.26.6] - July 28, 2021
    - Fixed dep tree generation for NPM 7.x
  - [0.26.5] - July 27, 2021
    - Fixed example for `tidelift projects save-lockfiles`
  - [0.26.4] - July 26, 2021
    - Add error when organization not provided to `tidelift init`
  - [0.26.3] - July 16, 2021
    - Show an outdated message as a warning, if outdated, before every command.
  - [0.26.2] - July 16, 2021
    - Make the requests list tree one branching tree, instead of three branching trees.
  - [0.26.1] - July 15, 2021
    - Uses pterm library to make codepage437 trees, vs using own functions.
  - [0.26.0] - July 15, 2021
    - Adds new `tidelift request list` to list (currently only) outstanding requests a user has made.
    - Adds `--no-trees` to hide the CodePage437 Box Drawing Trees from plaintext output.
- 0.25.x
  - [0.25.6] - June 30, 2021
    - Updated help docs to point to CLI docs.
    - Unhiding `tidelift selftest`
    - (Fixing date for 0.25.5 in changelog)
  - [0.25.5] - June 30, 2021
    - Added a check in `tidelift selftest` to see whether the installed version is outdated, with instructions on how to selfupdate.
  - [0.25.4] - May 28, 2021
    - Updated `tidelift projects new` to include a `--group` flag, which can be passed multiple times.
    - Updated `tidelift init` to include a `--group` flag, which can be passed multiple times.
  - [0.25.3] - May 18, 2010
    - Fix bug where configuration variable wasn't being set properly due to refactoring
  - [0.25.1]
    - Show decision notes in `tidelift releases lookup` output