Security researchers warn that many npm packages are being deprecated and abandoned by their maintainers without a clear warning to users. Such packages can accumulate serious vulnerabilities over time and sometimes their maintainers even abandon them particularly because they don’t have the time or interest to fix reported security issues.
Out of the top 50,000 most downloaded packages on the npm registry, around 8% are “officially” deprecated or have a direct dependency that is deprecated. This means their authors flagged those packages as deprecated and posted a warning to users. However, researchers from software supply chain security firm Aqua Security found that by expanding the search with other criteria that could indicate “deceptive” or non-explicit deprecation, the rate rises to 21% of packages.
The problem is probably much worse because Aqua only checked direct dependencies, not transient ones as well — the dependencies of dependencies. The dependency chain for npm packages can go many levels deep and not accounting for this is a common reason why vulnerable code might make it into projects undetected.
“ââThis situation becomes critical when maintainers, instead of addressing security flaws with patches or CVE assignments, opt to deprecate affected packages,” the Aqua researchers said in their report. “What makes this particularly concerning is that, at times, these maintainers do not officially mark the package as deprecated on npm, leaving a security gap for users who may remain unaware of potential threats.”
To help organizations Aqua Security released an open-source tool called the Dependency Deprecation Checker that can take a project’s package.json and iterate through its dependency tree in order to find packages that match the deprecation criteria chosen by the user.
Official versus practical deprecation
In practical terms, software code can be considered deprecated when its author takes the decision to no longer update the code or to fix issues found within it, security-related or otherwise. This can happen because they no longer have time to maintain it — most open-source development is volunteer work — and they haven’t found someone else to take over the job, because someone else created a better alternative, they originally created it for themselves and have since moved on to other things, or simply because they became annoyed with the community’s response.
When it comes to open source, making that choice is perfectly fine because the code doesn’t come with a support contract attached and it’s available for anyone to take, modify, and improve if they want to keep using it. The author doesn’t have to announce their decision, either, and it’s up to the users to figure out when the code quality no longer satisfies their expectations.
The npm repository package maintainers do have the option of marking packages as deprecated, which will appear as a warning to users visiting the page. They can also include a note for users with additional information such as alternatives. This can be considered as official deprecation.
However, other signs can indicate that a project is dead even if it doesn’t have a big warning on it. For example, the GitHub repository that’s associated with the npm package is archived or even completely deleted. Based on GitHub’s documentation, “You can archive a repository to make it read-only for all users and indicate that it’s no longer actively maintained.”
When the Aqua researchers included a check for archived repositories, the rate of npm packages among the top 50,000 that were deprecated or had a direct deprecated dependency jumped from 8% to 12%. When they also added a check for unavailable repositories — either deleted or made private — the rate jumped to 15%. Finally, when they also included the absence of a repository link on the npm page as a potential sign of deprecation, the rate grew to 21.2%.
“The number of weekly downloads for the deprecated packages from the top 50k packages, according to our extended definitions, amounts to 2.1 billion,” the researchers said. “Itâs generally advisable to utilize only fully maintained packages, where the maintainers actively address security issues and provide ongoing support for the package. Using unmaintained packages increases the risk of unfixed vulnerabilities and even threat actors taking over packages to insert malicious code.”
Open-source dependencies present broader security risk
Aqua scanned only the direct dependencies of the top 50K packages without going many levels deep, which would likely drive the deprecation rate even higher. But it’s also worth pointing out that many of these deprecated packages from the top 50K are so popular because they too are a dependency for other packages higher up in the chain.
For example, the package called “request” is officially deprecated and has over 55,000 packages that use it as a dependency. Those 55,000 packages that use a deprecated package, should probably be considered deprecated themselves from a practical point of view. Another package called “through” is not marked as officially deprecated, but its latest version was released nine years ago and its GitHub repository has been archived. This package continues to have over 3,000 dependents.
Aqua recommends that organizations establish their own deprecation criteria beyond the npm’s registry official designation, use the Dependency Deprecation Checker tool to scan their packages and then replace the deprecated dependencies with actively maintained alternatives.