Deprecated packages signal that the maintainer has abandoned the library and will not ship security patches. OWASP A06 (Vulnerable and Outdated Components) identifies unmaintained dependencies as a primary attack vector — CWE-1104 and CWE-1357 classify this as a supply-chain defect. A package like request (deprecated 2020) or moment (maintenance-mode, bloated, no new security releases) is a liability: any vulnerability discovered in it will not receive a fix, leaving the codebase permanently exposed.
Severity is high because deprecated dependencies will not receive security patches, permanently exposing the application to any vulnerability discovered after the deprecation date.
Replace deprecated packages with their maintained alternatives. Common migrations:
# Remove deprecated request package (use native fetch, Node.js 18+)
npm uninstall request
# Migrate from moment to date-fns
npm uninstall moment
npm install date-fns
# Migrate from babel-eslint to @typescript-eslint/parser
npm uninstall babel-eslint
npm install -D @typescript-eslint/parser @typescript-eslint/eslint-plugin
# Migrate from node-uuid to uuid
npm uninstall node-uuid
npm install uuid
Run npm outdated to surface installed packages that are behind their latest published version, and check the release history of any package that has not published a release in an extended period.
ID: code-quality-essentials.dependencies.no-deprecated
Severity: high
What to look for: Scan dependencies and devDependencies in package.json for known deprecated or unmaintained packages. Common examples to look for: request (deprecated, use node-fetch or native fetch), node-uuid (deprecated, use uuid), moment (in maintenance mode, prefer date-fns or dayjs), react-scripts (CRA is deprecated), @types/node-fetch (no longer needed for modern fetch), babel-eslint (deprecated, use @typescript-eslint/parser), ts-node in certain configurations (often replaced by tsx or ts-node/esm). Run npm outdated mentally — packages not updated in 3+ years with active replacements are candidates. Check for packages with deprecated warnings in their npm registry entries.
Pass criteria: Enumerate all relevant code locations. No obviously deprecated or unmaintained packages in the dependency list. All major dependencies have recent releases with at least 1 verified location.
Fail criteria: One or more deprecated packages present in dependencies or devDependencies. A partial implementation does not count as pass.
Skip (N/A) when: Not a Node.js project (no package.json).
Detail on fail: "Found deprecated package(s): [list them]. These are no longer maintained and may have unpatched vulnerabilities." (list specific packages)
Remediation: Replace deprecated packages with their recommended alternatives. Common migrations:
# Remove deprecated request package
npm uninstall request
# Use native fetch (Node.js 18+) or node-fetch v3+
# Migrate from moment to date-fns
npm uninstall moment
npm install date-fns
# Migrate from babel-eslint to @typescript-eslint/parser
npm uninstall babel-eslint
npm install -D @typescript-eslint/parser @typescript-eslint/eslint-plugin
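The scan described under "What to look for" and the message format from "Detail on fail", as an added example script that is not part of the original rule text: it checks package.json against a denylist built from the rule's own examples and against the `deprecated` field that the npm registry records per version. The package.json, the registry excerpt and the package name `example-old-lib` are constructed so the script runs offline.

```javascript
// Added example (not from the original rule text): scan a package.json for deprecated
// dependencies using two signals the rule describes: a static denylist of known
// deprecated packages, and the `deprecated` field the npm registry sets on a version.
// Denylist built from the rule's own examples; values are the suggested replacement.
const KNOWN_DEPRECATED = {
  'request': 'native fetch (Node.js 18+) or node-fetch',
  'node-uuid': 'uuid',
  'moment': 'date-fns or dayjs',
  'babel-eslint': '@typescript-eslint/parser',
};
// Constructed package.json; `example-old-lib` is a placeholder name, not a real package.
const packageJson = {
  dependencies: { request: '^2.88.2', uuid: '^9.0.0', lodash: '^4.17.21', 'example-old-lib': '^1.0.0' },
  devDependencies: { 'babel-eslint': '^10.1.0', jest: '^29.0.0' },
};
// Constructed excerpt of npm registry packuments keyed by package name. The registry
// records a deprecation notice per version under `versions[v].deprecated`.
const registry = {
  lodash: { 'dist-tags': { latest: '4.17.21' }, versions: { '4.17.21': {} } },
  'example-old-lib': { 'dist-tags': { latest: '1.0.0' },
    versions: { '1.0.0': { deprecated: 'no longer maintained, see the README' } } },
};
// Deprecation notice on the latest published version of `name`, or null if none.
function registryDeprecation(name, reg) {
  const doc = reg[name];
  const latest = doc && doc['dist-tags'] && doc['dist-tags'].latest;
  const ver = latest && doc.versions && doc.versions[latest];
  return ver && ver.deprecated ? ver.deprecated : null;
}
// One finding per deprecated package across dependencies and devDependencies.
function findDeprecated(pkg, reg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const name of Object.keys(pkg[section] || {})) {
      const reason = KNOWN_DEPRECATED[name]
        ? `deprecated, use ${KNOWN_DEPRECATED[name]}`
        : registryDeprecation(name, reg);
      if (reason) findings.push({ section, name, reason });
    }
  }
  return findings;
}
// Render the rule's "Detail on fail" message; an empty string means the check passes.
function detailOnFail(findings) {
  if (findings.length === 0) return '';
  const list = findings.map(f => `${f.name} [${f.section}: ${f.reason}]`).join(', ');
  return `Found deprecated package(s): ${list}. These are no longer maintained and may have unpatched vulnerabilities.`;
}
console.log(detailOnFail(findDeprecated(packageJson, registry)));
```

In a real run the registry excerpt would be replaced by the packument fetched from the npm registry for each dependency; the denylist catches packages that are abandoned but were never formally marked deprecated.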