How are nested dependencies or indirect usage measured?

Hi,

I have doubts about how Tidelift considers the case where a client makes indirect usage of a “lifted” library.

Let’s say that a client has a project P, which directly depends on libraries L1, L2 & L3, and let’s also say that L1 & L2 depend on L4, and L3 & L4 depend on L5…

P
├────┬─────┐
L1   L2    L3
└─┬──┘     │
  L4       │
   └─┬─────┘
     L5

Are only L1, L2 & L3 eligible to be rewarded (for this specific project)? And in case L4 & L5 are eligible too, how is their score computed?

My intuition tells me that it would be fair to make them eligible too, with a score inversely proportional to a growing function of the distance from the project to them, and proportional to a growing function of the number of intermediate dependencies that depend on them.

Something like (just as a vague idea):

score(lib) = value_from_static_analysis_and_other_factors(lib) * sum([W(pkg)/(1 + pow(dist(P, pkg), k)) for pkg in dependents(lib) ])

where:

  • one of those pkg instances could be P as well, so dist(P, pkg) would be 0
  • dependents(lib) is computed, of course, only in the scope of the given project P
  • W(pkg) is between 0 and 1, and is a growing function of score(pkg), but of course it could be the constant 1. W(P) would be 1 by convention.
  • k >= 1.
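The formula above, worked through on the dependency graph from the post (added example, not part of the original post or of any Tidelift scoring code). It assumes a constructed graph where every library has a base value of 1, W(pkg) is the constant 1 (as the post allows) and dist is the shortest dependency-path length from P; the base value, W and k are all parameters so other choices can be tried.

```python
from collections import deque

# Constructed dependency graph from the post: P depends directly on L1, L2, L3;
# L1 and L2 depend on L4; L3 and L4 depend on L5.
DEPS = {
    "P": ["L1", "L2", "L3"],
    "L1": ["L4"],
    "L2": ["L4"],
    "L3": ["L5"],
    "L4": ["L5"],
    "L5": [],
}


def distances(deps, root="P"):
    """dist(P, pkg): shortest dependency-path length from root to every package it reaches (BFS)."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in deps.get(pkg, []):
            if dep not in dist:          # first visit is the shortest path in an unweighted graph
                dist[dep] = dist[pkg] + 1
                queue.append(dep)
    return dist


def dependents(deps, lib, in_scope):
    """Packages inside the project's scope (P itself included) that directly depend on lib."""
    return [pkg for pkg in in_scope if lib in deps.get(pkg, [])]


def score(deps, lib, base_value=lambda lib: 1.0, k=1, W=lambda pkg: 1.0, root="P"):
    """score(lib) = base_value(lib) * sum(W(pkg) / (1 + dist(P, pkg)**k) over dependents(lib))."""
    dist = distances(deps, root)
    if lib not in dist:                  # not used by this project at all
        return 0.0
    total = sum(W(pkg) / (1 + dist[pkg] ** k) for pkg in dependents(deps, lib, dist))
    return base_value(lib) * total


def all_scores(deps, k=1, root="P"):
    """Score every library reachable from the project (the project itself is not scored)."""
    dist = distances(deps, root)
    return {lib: score(deps, lib, k=k, root=root) for lib in dist if lib != root}


if __name__ == "__main__":
    for lib, s in sorted(all_scores(DEPS).items()):
        print(f"{lib}: {s:.4f}")
```

With k = 1 the direct dependencies each score 1.0, L4 scores 0.5 + 0.5 = 1.0 through its two dependents, and L5 scores 0.5 (via L3 at distance 1) + 1/3 (via L4 at distance 2).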

Best regards