Production dependencies two or more major versions behind stable miss security patches, performance improvements, and API reliability fixes that maintainers actively backport to current releases. CWE-1104 (Use of Unmaintained Third Party Components) applies directly. SSDF PS.3 requires tracking dependency freshness as a security control. Using React 17 when React 19 is stable, or Next.js 12 when Next.js 15 is stable, means operating on code whose known vulnerabilities have been fixed — just not for you.
Medium severity, because significantly outdated production dependencies accumulate known security vulnerabilities and miss critical patches, but do not immediately break functionality.
Check what is outdated and update framework dependencies first:
# See all outdated packages
npm outdated
# Update to latest
npm install next@latest react@latest react-dom@latest
# Interactive update tool with changelogs
npx npm-check-updates -u
Read the migration guide before upgrading each major version. Test thoroughly after every major upgrade before proceeding to the next one — skipping majors compounds the upgrade difficulty. For deeper supply chain analysis, the Dependency & Supply Chain Audit covers lockfile integrity and supply chain security.
ID: code-maintainability.dependency-management.deps-current
Severity: medium
What to look for: Check the installed versions of production dependencies (from package.json or the lock file) against current major versions. Focus on:
Use the version ranges declared in package.json (not the resolved versions in the lock file). A package is "significantly outdated" if it's more than one major version behind the current stable release. You can reference your training data for common package versioning — be conservative and flag only clearly outdated versions.
Pass criteria: List all production dependencies with their installed version. All production dependencies are within one major version of the current stable release, OR outdated packages are exclusively devDependencies. No production dependency may be two or more major versions behind. Report even on pass: "X of Y production dependencies are within 1 major version of current stable."
Fail criteria: One or more production dependencies are two or more major versions behind current stable. Example: using React 17 when React 19 is stable, or Next.js 12 when Next.js 15 is stable.
Skip (N/A) when: The project has no package.json or uses a non-npm ecosystem. Signal: no package.json present.
Detail on fail: "Production dependencies significantly behind: react@17.0.2 (current: 19.x), next@12.3.4 (current: 15.x). These versions may have known security issues and miss significant performance improvements." or "next-auth@3.x (current: 5.x — renamed to auth.js) — major rewrite with security improvements."
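As an added example (not part of this rule's own tooling), a small Node.js script that applies the pass/fail logic above to a package.json: only `dependencies` are checked, devDependencies are ignored, and a package fails when it is two or more majors behind. The table of current stable majors and the sample package.json are constructed for illustration; in practice the current major would come from `npm view <package> version`.

```javascript
// Extract the leading major number from a package.json version range.
// Returns null for non-semver specifiers (tags, git URLs, "workspace:*"),
// which the audit reports as "unknown" rather than guessing.
function parseMajor(range) {
  const m = /^\s*[\^~>=<v]*\s*(\d+)/.exec(range);
  return m ? Number(m[1]) : null;
}

// Evaluate the deps-current check. `currentMajors` maps package name to the
// current stable major; `maxBehind` is the allowed distance (rule: 1).
function auditDependencies(pkg, currentMajors, maxBehind = 1) {
  const prod = pkg.dependencies || {}; // devDependencies are deliberately skipped
  const results = [];
  for (const [name, range] of Object.entries(prod)) {
    const installed = parseMajor(range);
    const current = currentMajors[name];
    if (installed === null || current === undefined) {
      results.push({ name, range, status: 'unknown' });
      continue;
    }
    const behind = current - installed;
    const status = behind > maxBehind ? 'fail' : 'ok';
    results.push({ name, range, installed, current, behind, status });
  }
  const checked = results.filter((r) => r.status !== 'unknown');
  const failing = results.filter((r) => r.status === 'fail');
  // Summary wording follows the rule's "Report even on pass" / "Detail on fail" formats.
  const summary = failing.length === 0
    ? `${checked.length} of ${checked.length} production dependencies are within ` +
      `${maxBehind} major version of current stable.`
    : 'Production dependencies significantly behind: ' +
      failing.map((r) => `${r.name}@${r.range} (current: ${r.current}.x)`).join(', ') + '.';
  return { pass: failing.length === 0, results, summary };
}

// Constructed sample: stale production frameworks plus a stale dev-only tool.
const samplePkg = {
  dependencies: { next: '^12.3.4', react: '^17.0.2', 'react-dom': '^17.0.2', zod: '^3.22.0' },
  devDependencies: { eslint: '^7.0.0' },
};
// Constructed table of current stable majors (assumption, not live registry data).
const currentMajors = { next: 15, react: 19, 'react-dom': 19, zod: 3, eslint: 9 };

console.log(auditDependencies(samplePkg, currentMajors).summary);
```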
Remediation: Falling behind on major versions makes future upgrades exponentially harder — each skipped major is another cliff to climb. Update production framework dependencies on a regular cadence:
# Check what's outdated
npm outdated
# Update a specific package to latest
npm install next@latest react@latest react-dom@latest
# Or use the interactive update tool
npx npm-check-updates -u
Always read the migration guide before upgrading major versions. Test thoroughly after each major upgrade before proceeding to the next.
For a deeper analysis of dependency risks, the Dependency & Supply Chain Audit covers version pinning, lockfile integrity, and supply chain security in detail.