Severity: medium | CWE-1104 (Use of Unmaintained Third Party Components) | OWASP A06:2021 (Vulnerable and Outdated Components)

Abandoned Packages

Dependencies that have had no release in two or more years are unlikely to receive a patch when a new vulnerability is discovered in them, so any CVE reported against them stays open for every project that still installs them.

How It Works

When a maintainer stops working on a package, newly reported vulnerabilities go unpatched and dependents have no upstream fix path. Abandoned but still popular packages are also a takeover target: an attacker can acquire the name through an npm package transfer request or by social-engineering the original maintainer into granting publish rights, then publish a malicious release. Because most dependents declare caret ranges, that release is pulled automatically on their next install.

Vulnerable Code
// BAD: dependency last released years ago, deprecated since 2020, with known CVEs and no one to patch them
// package.json
{
  "dependencies": {
    "request": "^2.88.0"
  }
}
Secure Code
// GOOD: replace the abandoned package with an actively maintained HTTP client
// (note: got 12 and later ship as ESM only), or use the native fetch API in Node 18+
// package.json
{
  "dependencies": {
    "got": "^13.0.0"
  }
}

Real-World Example

The 'request' npm package, still downloaded tens of millions of times a week, was deprecated by its maintainers in February 2020. Vulnerabilities reported since then remain unpatched in the original package; for example CVE-2023-28155, an SSRF-mitigation bypass via cross-protocol redirects, was only fixed in the @cypress/request fork. Projects still depending on 'request' are exposed with no official fix path.

How to Prevent It

  • Check the last publish date of each dependency (npm view <pkg> time prints the publish date of every version). npm outdated only lists packages that have a newer release, so it never surfaces a package that has simply stopped releasing.
  • Watch for deprecation: npm prints a warning at install time for deprecated packages, npm view <pkg> deprecated shows the deprecation message explicitly, and socket.dev flags deprecated or unmaintained packages. npm audit only reports published advisories and says nothing about maintenance status.
  • Check the repository activity (recent commits, issue and pull-request response) of critical dependencies before adopting them.
  • Set a policy: if a package has had no release in 24 months, evaluate a replacement.
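The checks above can be automated against the registry metadata npm already exposes. The following script is an added example, not code from the original page or from any scanner product; it assumes the public npm registry's package document format (dist-tags, time, versions) and uses constructed sample data for the offline run. Function names such as assessPackage and auditDependencies are the example's own.

```javascript
// stale-deps.js: flag abandoned or deprecated npm dependencies.
// Added example; assumes the registry document ("packument") shape served by
// https://registry.npmjs.org/<name>: dist-tags.latest, time[version], versions[version].deprecated.

const STALE_DAYS = 730;              // policy: no release in 24 months => review for replacement
const DAY_MS = 24 * 60 * 60 * 1000;

// Assess one dependency from its registry document. Uses the publish date of the
// latest tag rather than time.modified, because deprecating a package also bumps modified.
function assessPackage(name, packument, now = Date.now()) {
  const latest = packument['dist-tags'] && packument['dist-tags'].latest;
  const version = latest && packument.versions && packument.versions[latest];
  const published = latest && packument.time && packument.time[latest];
  const ageDays = published ? Math.floor((now - Date.parse(published)) / DAY_MS) : null;
  const reasons = [];
  if (version && version.deprecated) reasons.push('deprecated: ' + version.deprecated);
  if (ageDays === null) reasons.push('no publish date for latest version in registry metadata');
  else if (ageDays > STALE_DAYS) reasons.push('last release ' + ageDays + ' days ago');
  return { name, latest: latest || null, ageDays, reasons, flagged: reasons.length > 0 };
}

// Assess every dependency and devDependency in a package.json object; returns only flagged ones.
function auditDependencies(pkgJson, packuments, now = Date.now()) {
  const names = Object.keys(Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies));
  return names.map((n) => assessPackage(n, packuments[n] || {}, now)).filter((r) => r.flagged);
}

// Live lookup (Node 18+ for global fetch). Scoped names need the slash encoded.
async function fetchPackument(name) {
  const res = await fetch('https://registry.npmjs.org/' + name.replace('/', '%2F'));
  if (!res.ok) throw new Error(name + ': registry returned HTTP ' + res.status);
  return res.json();
}

async function liveAudit() {
  const { readFileSync } = await import('node:fs');
  const pkg = JSON.parse(readFileSync('package.json', 'utf8'));
  const packuments = {};
  for (const n of Object.keys(Object.assign({}, pkg.dependencies, pkg.devDependencies))) {
    packuments[n] = await fetchPackument(n);
  }
  const flagged = auditDependencies(pkg, packuments);
  report(flagged);
  process.exitCode = flagged.length ? 1 : 0;   // fail a CI step when anything is flagged
}

function report(results) {
  if (!results.length) console.log('no abandoned or deprecated dependencies found');
  for (const r of results) console.log(r.name + '@' + r.latest + ': ' + r.reasons.join('; '));
}

// Constructed sample data (not real registry responses): a request-like package
// deprecated in 2020, and a maintained one released a month before the fixed "now".
const SAMPLE_NOW = Date.parse('2025-01-01T00:00:00Z');
const SAMPLE_PACKAGE_JSON = { dependencies: { request: '^2.88.0', got: '^13.0.0' } };
const SAMPLE_PACKUMENTS = {
  request: {
    'dist-tags': { latest: '2.88.2' },
    time: { '2.88.2': '2020-02-11T00:00:00Z' },
    versions: { '2.88.2': { deprecated: 'request has been deprecated (constructed message)' } },
  },
  got: {
    'dist-tags': { latest: '13.0.0' },
    time: { '13.0.0': '2024-12-02T00:00:00Z' },
    versions: { '13.0.0': {} },
  },
};

if (process.argv.includes('--live')) {
  liveAudit().catch((e) => { console.error(e.message); process.exitCode = 2; });
} else {
  report(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_PACKUMENTS, SAMPLE_NOW));
}
```

Run `node stale-deps.js` to see the sample output (request is flagged twice: deprecated and 1786 days since its last release; got is not flagged), or `node stale-deps.js --live` inside a project to audit its real package.json and exit non-zero when anything is flagged. A package missing from the registry response is deliberately flagged too, since "no metadata" is not a reason to trust a dependency.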

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.

