No deprecated packages in dependencies
Why it matters
Deprecated packages receive no further releases, which means any vulnerability discovered after the deprecation date will never be patched by the original maintainer. OWASP A06 (Vulnerable and Outdated Components) and CWE-1104 (Use of Unmaintained Third Party Components) define this risk precisely. The request library — deprecated in 2020 — is still found in production codebases years later, and every CVE filed against node-fetch or axios since then represents a risk that request users cannot mitigate. SSDF PW.4 requires that known weaknesses in components be identified and addressed; shipping a deprecated dependency means you've accepted permanent vulnerability exposure for whatever the package does.
Severity rationale
High because deprecated packages cannot receive security patches, meaning any CVE discovered after deprecation creates permanent, unresolvable vulnerability exposure in your production stack.
Remediation
Identify deprecated packages and migrate to their recommended successors. Check deprecation status for any suspect package:
npm view package-name deprecated
Common migrations:
- request → native fetch (Node 18+) or axios
- node-uuid → uuid
- glob@<9 → glob@latest
- rimraf@<4 → rimraf@latest
Migrate one package at a time and run your test suite after each to surface any API differences.
Detection
- ID: no-deprecated-packages
- Severity: high
- What to look for: Look for packages in package.json that are officially marked deprecated on npm. The most reliable signal is running npm install; npm prints deprecation warnings during install. If you cannot run npm, check for well-known deprecated packages: request (use node-fetch, axios, or native fetch), node-uuid (use uuid), hoek (use @hapi/hoek), joi (has moved to @hapi/joi or zod/yup), rimraf (<4, use v4+), glob (<8, use v9+), inflight (deprecated), @humanwhocodes/config-array (use @eslint/config-array), domexception (deprecated). Also check for @types/* packages for projects that have moved to bundled types. Count all instances found and enumerate each.
- Pass criteria: No deprecated packages found in dependencies or devDependencies. The implementation must be verifiable by examining the codebase and must handle the documented requirements completely. At least 1 implementation must be confirmed.
- Fail criteria: One or more packages in dependencies are officially deprecated.
- Skip (N/A) when: No package.json detected.
- Detail on fail: "Package 'request' is deprecated in dependencies — the maintainer recommends using node-fetch, axios, or native fetch instead" or "3 deprecated packages found: request, node-uuid, hoek"
- Remediation: Deprecated packages receive no further updates, including security patches. The npm ecosystem moves quickly, and deprecated packages can become liabilities. For each deprecated package, follow the migration path recommended in the deprecation notice:
  npm deprecate-check   # third-party tool for scanning
  # Or check manually:
  npm view package-name deprecated
  Common migrations:
  - request → node-fetch or native fetch (Node 18+)
  - node-uuid → uuid
  - glob@<9 → glob@latest
  - rimraf@<4 → rimraf@latest
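The detection logic above, as an added example (not the rule's own tooling): an offline triage that scans a package.json object against the watchlist the rule names, applies the version gates for rimraf and glob, and parses the deprecation lines that npm install prints. The watchlist entries, the sample package.json and the sample install log are constructed for this example; ranges that cannot be resolved offline are flagged rather than passed.

```javascript
// Added example, not from the rule page: offline triage against the rule's watchlist
// plus parsing of the "npm warn deprecated" lines printed during "npm install".
// Watchlist from the rule text; belowMajor marks the version-gated entries.
const WATCHLIST = {
  request: { note: 'use node-fetch, axios, or native fetch' },
  'node-uuid': { note: 'use uuid' },
  hoek: { note: 'use @hapi/hoek' },
  inflight: { note: 'deprecated' },
  domexception: { note: 'deprecated' },
  '@humanwhocodes/config-array': { note: 'use @eslint/config-array' },
  rimraf: { belowMajor: 4, note: 'use v4+' },
  glob: { belowMajor: 8, note: 'use v9+' },
};

// Leading major of a simple range ("^3.0.2", "~7.1", "7"); null for anything not
// resolvable offline ("*", ">=2", "latest", git URLs) so it is flagged, not passed.
function majorOf(range) {
  const m = /^[\^~=]?(\d+)(?:\.|$)/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Scan dependencies and devDependencies; one finding per matched package.
function findDeprecated(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const rule = WATCHLIST[name];
      if (!rule) continue;
      if (rule.belowMajor !== undefined) {
        const major = majorOf(range);
        if (major !== null && major >= rule.belowMajor) continue; // new enough, not deprecated
      }
      findings.push({ section, name, range, note: rule.note });
    }
  }
  return findings;
}

// Parse "npm warn deprecated name@version: message" lines (older npm prints "WARN").
function parseNpmWarnings(output) {
  const re = /^npm (?:warn|WARN) deprecated (@?[^@\s]+)@(\S+): (.*)$/gm;
  return [...output.matchAll(re)].map(([, name, version, message]) => ({ name, version, message }));
}

// Constructed sample inputs: a package.json fragment and an install log excerpt.
const samplePkg = {
  dependencies: { request: '^2.88.2', rimraf: '^5.0.0', glob: '~7.2.0', express: '^4.19.2' },
  devDependencies: { 'node-uuid': '1.4.8', '@humanwhocodes/config-array': '*' },
};
const sampleInstallLog = 'npm warn deprecated request@2.88.2: request has been deprecated\n'
  + 'npm WARN deprecated node-uuid@1.4.8: Use uuid module instead\nadded 120 packages in 3s';
console.log(findDeprecated(samplePkg), parseNpmWarnings(sampleInstallLog));
```

Pairing both signals matters: the watchlist catches packages when npm cannot be run, while the install-log parser catches deprecations the watchlist does not know about.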
External references
- cwe · CWE-1104 — Use of Unmaintained Third Party Components
- owasp:2021 · A06 — Vulnerable and Outdated Components
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from dependency-supply-chain · automated