No deprecated dependencies
Why it matters
Deprecated packages signal that the maintainer has abandoned the library and will not ship security patches. OWASP A06 (Vulnerable and Outdated Components) identifies unmaintained dependencies as a primary attack vector — CWE-1104 and CWE-1357 classify this as a supply-chain defect. A package like request (deprecated 2020) or moment (maintenance-mode, bloated, no new security releases) is a liability: any vulnerability discovered in it will not receive a fix, leaving the codebase permanently exposed.
Severity rationale
High because deprecated dependencies will not receive security patches, permanently exposing the application to any vulnerability discovered after the deprecation date.
Remediation
Replace deprecated packages with their maintained alternatives. Common migrations:
# Remove deprecated request package (use native fetch, Node.js 18+)
npm uninstall request
# Migrate from moment to date-fns
npm uninstall moment
npm install date-fns
# Migrate from babel-eslint to @typescript-eslint/parser
npm uninstall babel-eslint
npm install -D @typescript-eslint/parser @typescript-eslint/eslint-plugin
# Migrate from node-uuid to uuid
npm uninstall node-uuid
npm install uuid
Run npm outdated to surface packages that haven't received a release in an extended period.
Detection
- ID: no-deprecated
- Severity: high
- What to look for: Scan dependencies and devDependencies in package.json for known deprecated or unmaintained packages. Common examples to look for: request (deprecated, use node-fetch or native fetch), node-uuid (deprecated, use uuid), moment (in maintenance mode, prefer date-fns or dayjs), react-scripts (CRA is deprecated), @types/node-fetch (no longer needed for modern fetch), babel-eslint (deprecated, use @typescript-eslint/parser), ts-node in certain configurations (often replaced by tsx or ts-node/esm). Run npm outdated mentally — packages not updated in 3+ years with active replacements are candidates. Check for packages with deprecated warnings in their npm registry entries.
- Pass criteria: Enumerate all relevant code locations. No obviously deprecated or unmaintained packages in the dependency list. All major dependencies have recent releases, with at least 1 verified location.
- Fail criteria: One or more deprecated packages present in dependencies or devDependencies. A partial implementation does not count as a pass.
- Skip (N/A) when: Not a Node.js project (no package.json).
- Detail on fail: "Found deprecated package(s): [list them]. These are no longer maintained and may have unpatched vulnerabilities." (list specific packages)
- Remediation: Replace deprecated packages with their recommended alternatives. Common migrations:
  # Remove deprecated request package
  npm uninstall request
  # Use native fetch (Node.js 18+) or node-fetch v3+
  # Migrate from moment to date-fns
  npm uninstall moment
  npm install date-fns
  # Migrate from babel-eslint to @typescript-eslint/parser
  npm uninstall babel-eslint
  npm install -D @typescript-eslint/parser @typescript-eslint/eslint-plugin
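The detection criteria above, as an added example that is not part of the rule page or its tooling: a Node.js checker that applies both signals the rule names (the list of known deprecated packages, and the deprecated flag in a package's npm registry entry) to a parsed package.json and returns a pass/fail/skip verdict with the rule's "Detail on fail" text. The registry data and the sample package.json are constructed stand-ins, and the package name example-legacy-lib is hypothetical.

```javascript
// Added example, not from the original rule page: applies the rule's two
// detection signals to a parsed package.json: (1) the rule's own list of
// known deprecated packages, (2) the `deprecated` string the npm registry
// sets on a version manifest (packument versions[<ver>].deprecated), given
// here as a constructed offline object rather than a live registry fetch.
const KNOWN_DEPRECATED = {
  'request': 'native fetch (Node.js 18+) or node-fetch',
  'node-uuid': 'uuid',
  'moment': 'date-fns or dayjs',
  'react-scripts': 'a maintained build tool (CRA is deprecated)',
  '@types/node-fetch': 'nothing; not needed with modern fetch',
  'babel-eslint': '@typescript-eslint/parser',
};
// pkg: parsed package.json; registry: map of package name -> packument.
function findDeprecated(pkg, registry = {}) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      let reason = null;
      if (Object.prototype.hasOwnProperty.call(KNOWN_DEPRECATED, name)) {
        reason = `use ${KNOWN_DEPRECATED[name]}`;
      } else {
        // Only exact pins are looked up; ranges would need a semver resolver.
        const manifest = registry[name]?.versions?.[range.replace(/^[=v]/, '')];
        if (manifest?.deprecated) reason = `registry: ${manifest.deprecated}`;
      }
      if (reason) findings.push({ name, section, reason });
    }
  }
  return findings;
}
// Verdict in the rule's own terms: skip without package.json, else pass/fail.
function evaluate(pkg, registry) {
  if (!pkg) return { result: 'skip', findings: [], detail: 'Not a Node.js project (no package.json).' };
  const findings = findDeprecated(pkg, registry);
  if (findings.length === 0) return { result: 'pass', findings, detail: null };
  const list = findings.map(f => `${f.name} (${f.section}: ${f.reason})`).join(', ');
  return { result: 'fail', findings, detail: `Found deprecated package(s): ${list}. ` +
    'These are no longer maintained and may have unpatched vulnerabilities.' };
}
// Constructed sample inputs (not a real project and not real registry data).
const SAMPLE_PKG = {
  dependencies: { 'request': '^2.88.2', 'express': '^4.19.2', 'example-legacy-lib': '1.0.0' },
  devDependencies: { 'babel-eslint': '^10.1.0' },
};
const SAMPLE_REGISTRY = {
  'example-legacy-lib': { versions: { '1.0.0': { deprecated: 'use the maintained fork' } } },
};
if (typeof require !== 'undefined' && require.main === module)
  console.log(JSON.stringify(evaluate(SAMPLE_PKG, SAMPLE_REGISTRY), null, 2));
```

Pass a real project's package.json to evaluate() after JSON.parse, and replace SAMPLE_REGISTRY with packuments fetched from the registry to pick up deprecations the static list does not know about.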
External references
- cwe · CWE-1104 — Use of Unmaintained Third-Party Components
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- owasp:2021 · A06 — Vulnerable and Outdated Components
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from code-quality-essentials · automated