BETA Shoulder ist in der Beta — Befunde können manchmal falsch sein. Dein Feedback bestimmt, was wir als Nächstes beheben. Feedback teilen
📦

Use of Unmaintained Third Party Components

🛡️ 5 Regeln erkennen dies

Use of Unmaintained Third Party Components

The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.

Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. This creates an increasing risk as time passes and vulnerabilities are discovered.

Verbreitung
Mittel
2 Sprachen abgedeckt
Auswirkung
Mittel
Review empfohlen
Prävention
Dokumentiert
5 Fix-Beispiele
2 Prävention
2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Use of Unmaintained Third Party basierend auf 5 Shoulder-Erkennungsregeln.

Docker Base Image Security MEDIUM

Pin base images to specific version tags or SHA digests for reproducible builds

+5 -4 dockerfile
- FROM node:latest
- WORKDIR /app
- COPY . .
- RUN npm install
+ FROM node:24-alpine
+ WORKDIR /app
+ COPY package*.json ./
+ RUN npm ci
+ COPY . .
  
Use npm ci for Reproducible Builds LOW

Use npm ci instead of npm install for deterministic, reproducible Docker builds

+1 -1 dockerfile
  FROM node:24-alpine
  WORKDIR /app
  COPY package*.json ./
- RUN npm install
+ RUN npm ci --omit=dev
  COPY . .
  
Dockerfile Uses Outdated Node.js Version MEDIUM

Update FROM to a supported Node.js LTS version (24-alpine or 22-alpine)

+1 -1 dockerfile
- FROM node:16-alpine
+ FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
  
.nvmrc Specifies Outdated Node.js Version MEDIUM

Update .nvmrc to a supported Node.js LTS version (22 or 20)

+1 -1 javascript
- 16
+ 22
  
Node.js Version Mismatch Between Configuration Files MEDIUM

Align Node.js versions across .nvmrc, Dockerfile, and package.json to the same LTS version

+6 -5 javascript
- # .nvmrc says 18, Dockerfile says 22
- # .nvmrc
- 18
- # Dockerfile
- FROM node:22-alpine
+ # .nvmrc
+ 22
+ # Dockerfile
+ FROM node:22-alpine
+ # package.json engines
+ { "engines": { "node": ">=22.0.0" } }
  
3 Erkennung
3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Use of Unmaintained Third Party Components-Mustern zu scannen. 5 Regeln.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1104

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (5)

4 Warnzeichen
4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Use of Unmaintained Third Party Components-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟡
Dockerfile uses ...: ... docker-base-image-security
🟡
base images using "latest" tag or missing version tags docker-base-image-security
🟡
Dockerfile uses ... which is end-of-life or outdated. IMPORTANT: Update to node:24-alpine (Active LTS) or node:22-alpine docker-outdated-node-version
🟡
Dockerfiles using outdated or end-of-life Node docker-outdated-node-version
🟡
.nvmrc specifies ... nodejs-outdated-nvmrc-version
🟡
Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec nodejs-version-mismatch
🟡
inconsistent Node nodejs-version-mismatch
🔵
Dockerfile uses 'npm install' - consider 'npm ci' for reproducible builds. docker-nodejs-npm-ci
🔍

Scanne deine Codebasis nach Use of Unmaintained Third Party Components

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.