System and software updates applied timely
Why it matters
CMMC 2.0 SI.L1-3.14.5 (NIST 800-171r2 3.14.5) requires that organizations perform periodic scans and real-time monitoring of organizational systems, including applying security-relevant software updates. Dependencies that are multiple major versions behind their latest releases carry unpatched CVEs that are often publicly documented and weaponized. A Next.js 12 installation, for example, carries CVEs fixed in Next.js 13+ that attackers actively exploit. Without automated tooling (Dependabot, Renovate) and a CI/CD pipeline, updates depend entirely on developer vigilance — a process that fails silently. CWE-1395 and SSDF RV.2 require update cadence as a verifiable practice.
Severity rationale
Low because outdated dependencies carry known CVEs rather than novel attack surfaces, but unpatched critical CVEs can escalate quickly once a working exploit is published.
Remediation
Configure Dependabot for weekly automated update PRs and pin your Node.js version to an active LTS release. Outdated runtimes are a CMMC finding independent of application code:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    versioning-strategy: auto
Pin the Node.js runtime in .nvmrc and in package.json:
// package.json
{
  "engines": { "node": ">=20.0.0", "npm": ">=10.0.0" }
}

# .nvmrc
20
Add a deploy workflow that runs npm audit --audit-level=high before every production deployment — builds that introduce new critical CVEs are blocked at CI rather than discovered post-deploy. Check key framework versions quarterly against their latest releases; more than one major version behind warrants an immediate upgrade plan.
Detection
- ID: system-updates
- Severity: low
- CMMC Practice: SI.L1-3.14.5
- What to look for: Examine the currency of dependencies and the deployment pipeline. In package.json, check major version numbers against known latest releases for key dependencies (framework, auth library, database driver). Look for automated update tooling (Dependabot, Renovate) that creates PRs for updates. Check for a CI/CD pipeline that enables automated deployment of updates. Look for any dependencies that are more than two major versions behind their latest releases — this signals update neglect. Check for Node.js version specifications (.nvmrc, engines field in package.json) to ensure the runtime is kept current.
- Pass criteria: List all key framework dependencies with their installed and latest versions. Key dependencies are not more than 1 major version behind their latest releases. At least 1 automated update mechanism is configured (Dependabot or Renovate). Report: "X of Y key dependencies are within 1 major version of latest."
- Fail criteria: Dependencies multiple major versions behind their latest releases. No automated update mechanism configured. Manual deployment only with no CI/CD. Node.js version in end-of-life or maintenance mode.
- Skip (N/A) when: Never — applying updates timely is a CMMC Level 1 requirement.
- Detail on fail: Identify the update gaps. Example: "next@12.x installed, current is 15.x — 3 major versions behind. No Dependabot configured. No .github/workflows/ found — manual deployment only. Node.js pinned to v16 (EOL)." Keep under 500 characters.
- Remediation: Configure automated updates and establish a CI/CD pipeline:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    versioning-strategy: auto

Pin your Node.js version to an active LTS release:

# .nvmrc
20

// package.json — add engines field
{
  "engines": { "node": ">=20.0.0", "npm": ">=10.0.0" }
}

Set up a basic CI/CD workflow for production deployments (the npm audit step gates the deploy on high and critical advisories, as described under Remediation above):

# .github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
      - run: npm ci
      # Fail the build before deploying if a high or critical advisory is present
      - run: npm audit --audit-level=high
      - run: npm run build
      - name: Deploy to Vercel
        run: npx vercel --prod --yes --token ${{ secrets.VERCEL_TOKEN }}
External references
- cmmc:2.0 · SI.L1-3.14.5 — System & Software Updates
- cwe · CWE-1395 — Dependency on Vulnerable Third-Party Component
- ssdf:800-218 · RV.2 — Assess, Prioritize, and Remediate Vulnerabilities
- nist:rev2 · SP-800-171 3.14.5 — Perform periodic scans of organizational systems and real-time scans of files from external sources
Taxons
History
- 2026-04-18·v1.0.0·Initial import from gov-cmmc-level-1·automated