Open source end-of-life (EOL) package versions are routinely left out of CVE investigations and vulnerability feeds, so millions of versions still in production go unflagged and enterprises stay exposed. Industry research from HeroDevs and Sonatype counts 5.4M EOL package versions across major registries and finds that AI-driven vulnerability discovery such as Project Glasswing is likely to surface more flaws in unmaintained code that no maintainer will patch. #SpringSecurity #ProjectGlasswing
Key points
- CVE advisories routinely list only supported versions as affected, so a scanner that matches SBOM versions against the advisory's affected range reports "not affected" for EOL releases that nobody investigated: a false negative, not a clean result.
- HeroDevs reports that about 80% of CVEs filed against supported versions also affect EOL versions that the advisory never listed as affected.
- Across npm, PyPI, Maven, NuGet, and other registries, roughly 5.4 million package versions are EOL and appear in enterprise SBOMs.
- AI-scale vulnerability research (e.g., Project Glasswing) will likely surface more issues in EOL code that maintainers do not patch.
- HeroDevs offers an EOL dataset and free scan to identify EOL dependencies, including transitive packages, in under five minutes.
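The false negative described in the first two points is easy to reproduce. The script below is an added example, not code from HeroDevs, Sonatype, or any scanner: it runs the plain affected-range match most scanners apply to an SBOM entry, then cross-checks the same entry against an EOL dataset so that a version the advisory's range stops short of is reported as "EOL, unassessed" instead of silently passing. The package name `example-web`, the advisory identifier `ADV-0001`, the EOL dates and the SBOM entries are all constructed for illustration.

```python
"""Cross-check an SBOM against advisory ranges AND an EOL dataset.

Added example with constructed data: "example-web", "ADV-0001" and the
EOL dates below are hypothetical, not real packages, CVEs or HeroDevs data.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    adv_id: str       # hypothetical identifier, not a real CVE
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive


@dataclass(frozen=True)
class EolLine:
    package: str
    major: int        # release line, e.g. every 4.x
    eol_date: date    # constructed end-of-life date


def advisory_covers(adv: Advisory, name: str, version: str) -> bool:
    """Plain range match: the logic a scanner applies to each SBOM entry.
    Versions outside [introduced, fixed) come back False even when nobody
    ever checked them, which is how an EOL version ends up 'not affected'."""
    if adv.package != name:
        return False
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def eol_for(eol_lines, name: str, version: str, today: date):
    """Return the EOL record for this version's release line if it has passed EOL."""
    major = parse_version(version)[0]
    for line in eol_lines:
        if line.package == name and line.major == major and line.eol_date <= today:
            return line
    return None


def assess(sbom, advisories, eol_lines, today: date) -> dict:
    """Return {'pkg@version': status}.

    'affected:<ids>'        - advisory range matches (what a scanner reports)
    'eol-unassessed[:ids]'  - past EOL; listed ids are advisories for the same
                              package whose range excludes this version, i.e.
                              findings that were never investigated here
    'no-finding'            - neither signal fired
    """
    report = {}
    for name, version in sbom:
        hits = [a.adv_id for a in advisories if advisory_covers(a, name, version)]
        if hits:
            status = "affected:" + ",".join(hits)
        elif eol_for(eol_lines, name, version, today) is not None:
            same_pkg = [a.adv_id for a in advisories if a.package == name]
            status = "eol-unassessed" + (":" + ",".join(same_pkg) if same_pkg else "")
        else:
            status = "no-finding"
        report[f"{name}@{version}"] = status
    return report


# Constructed sample data (hypothetical package, advisory and dates).
SAMPLE_ADVISORIES = [Advisory("ADV-0001", "example-web", "5.2.0", "5.3.1")]
SAMPLE_EOL = [EolLine("example-web", 4, date(2023, 1, 1))]
SAMPLE_SBOM = [
    ("example-web", "5.3.1"),   # fixed version
    ("example-web", "5.2.0"),   # inside the advisory range
    ("example-web", "4.2.7"),   # EOL line the advisory never assessed
    ("other-lib", "1.0.0"),     # no advisory, not EOL
]

if __name__ == "__main__":
    for entry, status in assess(SAMPLE_SBOM, SAMPLE_ADVISORIES, SAMPLE_EOL, date(2024, 1, 1)).items():
        print(f"{entry:24} {status}")
```

The point of keeping `advisory_covers` and `eol_for` as separate signals is that the range match alone can never tell you about `example-web@4.2.7`: the advisory's range is a statement about which versions were examined, not about which versions are safe, so an EOL hit on a package that already carries advisories for its supported line deserves the same triage priority as a direct match.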