Running a major version two or more majors behind the current one means you are on a branch of the dependency that no longer receives backported security patches. React 16 does not receive fixes for vulnerabilities discovered in React's rendering pipeline. Express 3 has not received security patches since 2015. OWASP A06 (Vulnerable and Outdated Components) directly names major version lag as a risk vector. CWE-1104 (Use of Unmaintained Third Party Components) applies when the installed major version has reached end-of-life. The deeper the lag, the larger the eventual migration: skipping from React 16 to 19 requires addressing three sets of breaking changes simultaneously, while each single-major upgrade is manageable. Major version lag is technical debt with a compounding interest rate.
Severity is low because being one or two majors behind does not introduce immediate exploits, but it accumulates migration debt and means security patches from the current major branch do not apply to your version.
Upgrade primary framework dependencies one major version at a time to minimize the blast radius of breaking changes. Check what's available before upgrading:
npx npm-check-updates -u --target major
Review the migration guide for each framework (React, Next.js, Vue, etc.) before running the install, then run your full test suite:
npm install react@latest react-dom@latest
npm test
Fix failures before moving to the next major. Never skip multiple majors in a single PR.
ID: dependency-supply-chain.maintenance.current-major-versions
Severity: low
What to look for: Examine major framework and library dependencies in package.json. Check whether primary dependencies (React, Next.js, Vue, Express, etc.) are on the current major version or one major behind. Major version lag of 2+ versions indicates the project is on an end-of-life or near-end-of-life release. Compare installed major versions against known current majors: React (19.x), Next.js (15.x), Vue (3.x), Nuxt (3.x), SvelteKit (2.x), Express (4.x), Fastify (4.x). Note: The version reference table above reflects versions current at the time this audit was written. The auditing model's training data may include more recent releases. When in doubt, check the framework's official documentation for the current major version. Do not fail a project for using a newer major version than listed here. This is an informational finding — a major version behind is not inherently broken, but it signals technical debt. Count every dependency that is 2+ major versions behind the latest release. Enumerate each with current vs. latest version.
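The check described above, as an added example that is not part of this audit rule: a Node script that parses a constructed package.json, extracts each primary dependency's installed major from its semver range, compares it against the reference majors listed above, and reports every dependency 2+ majors behind. The npm package names used for the frameworks in the table (react, next, vue, nuxt, @sveltejs/kit, express, fastify) are assumed.

```javascript
// Added example (not from the audit): flag primary dependencies in a
// package.json that are 2+ major versions behind. No semver package needed.

// Reference majors copied from the audit's version table (current when the
// audit was written); npm package names are assumed here.
const CURRENT_MAJORS = {
  react: 19, next: 15, vue: 3, nuxt: 3, "@sveltejs/kit": 2, express: 4, fastify: 4,
};

// Extract the major from a range such as "^16.14.0", "~18.2.0", ">=4.17.1 <5",
// "18.x" or "4". Returns null for ranges that pin no major ("*", "latest",
// git URLs, "workspace:*"), which cannot be assessed from package.json alone.
function majorFromRange(range) {
  const m = /^\s*[\^~>=<]*\s*v?(\d+)(?:\.|$|\s|x)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Walk dependencies and devDependencies; return one finding per primary
// dependency whose lag reaches the threshold, with installed vs. latest major
// (the "enumerate each with current vs. latest version" step). A dependency
// newer than the reference table yields a negative lag and is never flagged.
function findMajorLag(pkg, currentMajors = CURRENT_MAJORS, threshold = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (!(name in currentMajors)) continue; // not a tracked primary dependency
    const installed = majorFromRange(range);
    if (installed === null) continue; // unpinned range: skip rather than guess
    const lag = currentMajors[name] - installed;
    if (lag >= threshold) findings.push({ name, installed, latest: currentMajors[name], lag });
  }
  return findings;
}

function auditMajorVersions(packageJsonText) {
  return findMajorLag(JSON.parse(packageJsonText));
}

// Constructed sample package.json (not a real project): react lags 3 majors,
// express lags 1, vue/fastify are current, next is unpinned, react-dom untracked.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { react: "^16.14.0", "react-dom": "^16.14.0", express: "~3.21.2", vue: "^3.4.0", next: "*" },
  devDependencies: { fastify: ">=4.0.0 <5" },
});

for (const f of auditMajorVersions(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name} is on v${f.installed}.x - current major is v${f.latest}.x (${f.lag} behind)`);
}
```

Replace `SAMPLE_PACKAGE_JSON` with the contents of the project's real package.json to run the check against a codebase.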
Pass criteria: Primary framework and library dependencies are within one major version of the current release. The implementation must be verifiable by examining the codebase and must handle the documented requirements completely. At least 1 implementation must be confirmed.
Fail criteria: Primary framework or library dependency is 2+ major versions behind the current release.
Skip (N/A) when: No package.json detected. Skip for internal/private packages without public major version tracking.
Cross-reference: The no-duplicate-packages check in Optimization verifies whether outdated major versions cause duplicate sub-dependencies.
Detail on fail: "React is on v16.x — current major is v19.x. This is 3 major versions behind and means missing significant performance improvements, hooks API improvements, and concurrent rendering features."
Remediation: Major version lag accumulates technical debt and eventually forces a large migration. While upgrading is disruptive, staying current major-by-major is much easier than skipping multiple majors at once.
Check for breaking changes before upgrading:
npx npm-check-updates -u # shows what can be updated
# Review the changelog, then upgrade one major at a time
npm install react@latest react-dom@latest
Run your test suite after each major upgrade to catch breaking changes early.