Your software composition analysis (SCA) scanner gives you a clean bill of health. Your CVE feed is quiet. Your dependency audit passes. And yet your application may be riddled with unpatched vulnerabilities — because the open source packages you depend on have reached end-of-life, and nobody is filing CVEs for them anymore.
This is the EOL blind spot: a structural gap in the vulnerability intelligence ecosystem that leaves organizations dangerously exposed to risks their security tooling was never designed to catch.
The Problem With EOL and CVE Coverage
The Common Vulnerabilities and Exposures (CVE) system works on a straightforward principle: a security researcher discovers a flaw, files a report, a CVE is assigned, and the information flows into the National Vulnerability Database (NVD), which SCA tools query to flag vulnerable packages in your dependency tree.
That pipeline depends on one critical assumption: someone is watching the package and filing CVEs when vulnerabilities are found.
For actively maintained open source projects, that assumption holds. For end-of-life software, it breaks down:
| Scenario | CVE Filed? | SCA Tool Flags It? |
|---|---|---|
| Vulnerability in maintained package | Yes | Yes |
| Vulnerability in EOL package — unmaintained | Rarely | No |
| Vulnerability in EOL package — researcher finds it privately | Sometimes | Delayed or never |
| Vulnerability inherited from EOL transitive dependency | Almost never | No |
The result: critical vulnerabilities can exist in EOL open source code your SCA scanner silently approves.
How Widespread Is This?
HeroDevs, the firm that provides commercial long-term support (LTS) for end-of-life open source packages, analyzed the gap in their EOL vulnerability research. Their findings highlight several patterns:
- EOL packages remain in production for years after their support window closes. The economics of software maintenance mean that updating a major framework dependency is frequently deferred in favor of feature work.
- Transitive dependencies compound the risk — a modern application may have dozens of EOL packages buried three or four levels deep in its dependency tree that no developer actively chose.
- SCA tools are only as good as the CVE data they query — if a vulnerability never gets a CVE number, it never appears in a scan result, regardless of how dangerous it is.
- EOL packages attract less scrutiny — because vendors and security researchers concentrate their attention on maintained software, EOL codebases are less likely to be audited for new vulnerabilities.
Common EOL Packages Still Widely Used
Several high-profile open source projects have reached EOL while remaining embedded in large numbers of production applications:
| Package / Framework | EOL Date | Still Common In |
|---|---|---|
| AngularJS (1.x) | December 2021 | Legacy enterprise web apps |
| Node.js 14.x | April 2023 | Containerized microservices |
| Vue 2.x | December 2023 | Front-end applications |
| Python 3.8 | October 2024 | ML pipelines, backend APIs |
| jQuery < 3.0 | Ongoing security debt | Legacy CMS and portals |
| Spring Boot 2.x | November 2023 | Java enterprise applications |
Each of these ecosystems has known vulnerabilities discovered after their EOL date — vulnerabilities that were quietly patched in the successor version but never backported, and may not have received a formal CVE designation.
The SCA Tool Gap in Practice
A typical SCA workflow:
# Run dependency audit — clean output
npm audit
# 0 vulnerabilities found
# Or with a dedicated SCA tool
snyk test
# No issues found
# Reality check: how many of your deps are EOL?
npx is-my-node-vulnerable
# Checks Node.js runtime version — but what about packages?The clean output is accurate — for the CVE feed the tool knows about. What it cannot tell you is whether EOL packages in your tree have unpatched vulnerabilities that were never reported to NVD.
An Illustrative Example
Imagine an application using an EOL version of a popular authentication library. A security researcher discovers a session fixation vulnerability in the library's token generation logic. They report it to the maintainer — who has since moved on to a new project and does not respond. The researcher files a GitHub advisory. No CVE is requested or assigned. No NVD entry is created.
Your SCA tool scans your dependencies. It checks the library version against the NVD. No CVE exists. The tool reports no vulnerabilities. The session fixation flaw remains undetected, unpatched, and exploitable.
What You Can Do
1. Inventory Your EOL Dependencies
Standard SCA tools don't always flag EOL status. Use supplementary tooling:
# Node.js — check for deprecated and EOL packages
npx depcheck
npx npm-check
# Python — check for EOL packages
pip install pip-audit
pip-audit --require-hashes -r requirements.txt
# Check the Node.js runtime EOL status
node --version # then verify against https://endoflife.date/nodejsThe endoflife.date project maintains a community-sourced database of EOL dates for hundreds of open source projects and is a useful supplement to standard SCA tooling.
2. Evaluate Commercial EOL Support
For organizations that cannot immediately migrate off EOL dependencies — a common situation with large legacy codebases — commercial EOL support providers like HeroDevs offer:
- Continued security patching for EOL packages (AngularJS, Vue 2, jQuery, Node.js LTS, etc.)
- CVE-equivalent advisories for vulnerabilities discovered post-EOL
- Drop-in compatible releases that don't require code changes
This is not a long-term strategy, but it bridges the gap while migration work proceeds.
3. Run an EOL-Aware Scan
HeroDevs offers a free end-of-life scan for open source projects that can identify EOL packages in your dependency tree that standard SCA tools overlook. This provides visibility into the scope of the problem before committing to a remediation approach.
4. Prioritize Dependency Modernization
The only durable solution is keeping dependencies current:
# Node.js — interactive upgrade tool
npx npm-check -u
# Python — check for outdated packages
pip list --outdated
# Java (Maven) — check for dependency updates
mvn versions:display-dependency-updatesBuild dependency modernization into your engineering roadmap as ongoing hygiene, not a one-time project. Deferred upgrades accumulate compound interest in the form of EOL security debt.
The Takeaway for Security Teams
CVE feeds and SCA tools are essential — but they have a structural blind spot that most organizations don't account for. A clean scan result is not the same as a secure dependency tree. EOL packages represent a category of risk that lives outside the CVE ecosystem, and that risk is larger and more common than most organizations realize.
An effective vulnerability management program in 2026 needs to account for:
- Known CVEs — covered by standard SCA tooling
- EOL package risk — requires supplementary tooling and EOL-aware policies
- Unreported vulnerabilities — mitigated by staying current and using well-maintained, actively audited dependencies
The gap between (1) and (2) is where breaches happen — silently, invisibly, and without a CVE number to explain them.