Use of Unmaintained Third Party Components
The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.
Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. This creates an increasing risk as time passes and vulnerabilities are discovered.
보급률
보통
2개 언어 지원
영향
보통
검토 권장
예방
문서화됨
5개의 수정 예시
2 예방
2 예방
이 취약점을 수정하는 방법
5개의 Shoulder 탐지 규칙을 기반으로 한 Use of Unmaintained Third Party 예방 전략.
Docker
모두 보기 Docker 자세히 →
Docker Base Image Security
MEDIUM
Pin base images to specific version tags or SHA digests for reproducible builds
- FROM node:latest - WORKDIR /app - COPY . . - RUN npm install + FROM node:24-alpine + WORKDIR /app + COPY package*.json ./ + RUN npm ci + COPY . .
Use npm ci for Reproducible Builds
LOW
Use npm ci instead of npm install for deterministic, reproducible Docker builds
FROM node:24-alpine WORKDIR /app COPY package*.json ./ - RUN npm install + RUN npm ci --omit=dev COPY . .
Dockerfile Uses Outdated Node.js Version
MEDIUM
Update FROM to a supported Node.js LTS version (24-alpine or 22-alpine)
- FROM node:16-alpine + FROM node:24-alpine WORKDIR /app COPY . . RUN npm ci
JavaScript
모두 보기 JavaScript 자세히 →
.nvmrc Specifies Outdated Node.js Version
MEDIUM
Update .nvmrc to a supported Node.js LTS version (22 or 20)
- 16 + 22
Node.js Version Mismatch Between Configuration Files
MEDIUM
Align Node.js versions across .nvmrc, Dockerfile, and package.json to the same LTS version
- # .nvmrc says 18, Dockerfile says 22 - # .nvmrc - 18 - # Dockerfile - FROM node:22-alpine + # .nvmrc + 22 + # Dockerfile + FROM node:22-alpine + # package.json engines + { "engines": { "node": ">=22.0.0" } }
3 탐지
3 탐지
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Use of Unmaintained Third Party Components 패턴을 스캔하세요. 5 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=1104 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (5)
🐳
Dockerfile
4 rules
Docker Base Image Security
MEDIUM
Detects base images using "latest" tag or missing version tags.
Use npm ci for Reproducible Builds
LOW
Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.
Dockerfile Uses Outdated Node.js Version
MEDIUM
Detects Dockerfiles using outdated or end-of-life Node.js versions.
Node.js Version Mismatch Between Configuration Files
MEDIUM
Detects inconsistent Node.js versions across project configuration files.
When .nvmrc specifies one Node.js version but Dockerfile uses a different
version, it causes environment drift:
- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use patched version while
production uses vulnerable version)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (hard to reproduce production issues
🟨
Javascript
2 rules
.nvmrc Specifies Outdated Node.js Version
MEDIUM
Detects .nvmrc files specifying outdated or end-of-life (EOL) Node.js versions.
The .nvmrc file is used by Node Version Manager (nvm) to automatically switch
to the correct Node.js version for a project. When this file specifies an
outdated version, developers may be running insecure or incompatible Node.js
versions in their development environments.
Node.js version lifecycle (as of 2025):
- Node 14.x: EOL April 2023
- Node 16.x: EOL September 2023
- Node 18.x: EOL April 2025
- Node 20.x: Main
Node.js Version Mismatch Between Configuration Files
MEDIUM
Detects inconsistent Node.js versions across project configuration files.
When .nvmrc specifies one Node.js version but Dockerfile uses a different
version, it causes environment drift:
- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use patched version while
production uses vulnerable version)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (hard to reproduce production issues
4 경고 신호
4 경고 신호
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Use of Unmaintained Third Party Components 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
Dockerfile uses ...: ...
docker-base-image-security
base images using "latest" tag or missing version tags
docker-base-image-security
Dockerfile uses ... which is end-of-life or outdated. IMPORTANT: Update to node:24-alpine (Active LTS) or node:22-alpine
docker-outdated-node-version
Dockerfiles using outdated or end-of-life Node
docker-outdated-node-version
.nvmrc specifies ...
nodejs-outdated-nvmrc-version
Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec
nodejs-version-mismatch
inconsistent Node
nodejs-version-mismatch
Dockerfile uses 'npm install' - consider 'npm ci' for reproducible builds.
docker-nodejs-npm-ci
코드베이스를 스캔하세요: Use of Unmaintained Third Party Components
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.