# Use of Unmaintained Third Party Components (CWE-1104)

The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.

**Stack:** JavaScript

- Prevalence: Medium (2 languages supported)
- Impact: Medium (review recommended)
- Prevention: Documented (5 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. This creates an increasing risk as time passes and vulnerabilities are discovered.

## Prevention

Prevention strategy for Use of Unmaintained Third Party components, based on 2 Shoulder detection rules.

### JavaScript

- Update .nvmrc to a supported Node.js LTS version (22 or 20)
- Align Node.js versions across .nvmrc, Dockerfile, and package.json to the same LTS version

## Warning Signs

- [MEDIUM] .nvmrc specifies ...
- [MEDIUM] Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec
- [MEDIUM] inconsistent Node

## Consequences

- Unauthorized code execution
- Reading application data
- DoS

## Mitigations

- Audit and update third-party dependencies regularly
- Establish a process for monitoring components for vulnerabilities
- Have a plan in place to replace components whose maintenance has ended

## Detection

- Total rules: 5
- Languages: dockerfile, javascript

## Rules by Language

### Javascript (2 rules)

- **.nvmrc Specifies Outdated Node.js Version** [MEDIUM]: Detects .nvmrc files specifying outdated or end-of-life (EOL) Node.js versions. The .nvmrc file is used by Node Version Manager (nvm) to automatically switch to the correct Node.js version for a project. When this file specifies an outdated version, developers may be running insecure or incompatible Node.js versions in their development environments.

  Node.js version lifecycle (as of 2025):
  - Node 14.x: EOL April 2023
  - Node 16.x: EOL September 2023
  - Node 18.x: EOL April 2025
  - Node 20.x: Main

  Remediation: Update .nvmrc to a supported Node.js LTS version (20.x or 22.x).

- **Node.js Version Mismatch Between Configuration Files** [MEDIUM]: Detects inconsistent Node.js versions across project configuration files. When .nvmrc specifies one Node.js version but the Dockerfile uses a different version, it causes environment drift:
  - "Works on my machine" bugs (code works locally but fails in production)
  - Security inconsistencies (development may use a patched version while production uses a vulnerable version)
  - Dependency incompatibilities (npm packages may behave differently)
  - Debugging difficulties (hard to reproduce production issues)

  Remediation: Align ALL configuration files to use the SAME Node.js version. IMPORTANT: Check the docker-image-outdated finding for the LATEST version. The API provides real-time version recommendations. After determining the latest version from docker-image-outdated, update:
  - Dockerfile: FROM node:-alpine
  - .nvmrc:
  - package.json engines.node: ">=.0.0"

  NEVER downgrade. Always use the NEWER version shown in docker-image-outdated.
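The script below is an added illustration of the two rules in this section; it is not Shoulder's own rule code and does not use the docker-image-outdated API. It extracts the Node.js major version pinned in .nvmrc, in the Dockerfile base image and in package.json `engines.node`, flags the majors the page lists as EOL, reports drift between the files, and proposes a target major that never downgrades. The EOL table is copied from the lifecycle list above, the sample project files are constructed for the demo, and all function and constant names (`parseNvmrc`, `checkProject`, `DRIFTED`, `ALIGNED`, and so on) are the example's own.

```javascript
// Added example, not Shoulder's own rule code: a local checker for the two
// findings above. It extracts the Node.js major version pinned in .nvmrc,
// in the Dockerfile base image and in package.json "engines.node", flags
// majors listed as EOL on the page, and reports drift between the files.

// Majors the page lists as end-of-life (as of 2025) and the LTS lines it
// recommends. A real rule would refresh this from a live source.
const EOL_MAJORS = new Map([
  [14, 'April 2023'],
  [16, 'September 2023'],
  [18, 'April 2025'],
]);
const SUPPORTED_LTS = [20, 22];

// .nvmrc holds a bare version: "18", "v22.11.0" or an alias like "lts/iron".
// Aliases cannot be resolved offline, so they are reported as unknown (null).
function parseNvmrc(text) {
  const raw = text.trim();
  const m = raw.match(/^v?(\d+)(?:\.\d+){0,2}$/);
  return m ? Number(m[1]) : null;
}

// Dockerfile: the first FROM that uses the official node image, e.g.
// "FROM node:20-alpine AS build" or "FROM docker.io/library/node:22-slim".
function parseDockerfile(text) {
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*FROM\s+(?:--platform=\S+\s+)?(?:[\w.-]+\/)*node:(\d+)/i);
    if (m) return Number(m[1]);
  }
  return null;
}

// package.json engines.node is a semver range (">=18.0.0", "20.x"); the
// first number in it is the floor major the project declares.
function parseEngines(text) {
  const pkg = JSON.parse(text);
  const range = pkg.engines && pkg.engines.node;
  if (!range) return null;
  const m = String(range).match(/\d+/);
  return m ? Number(m[0]) : null;
}

// Runs both rules over the three files and proposes a single target major:
// the newest non-EOL major already pinned (never downgrade), or the latest
// LTS on the page when nothing usable is pinned.
function checkProject({ nvmrc, dockerfile, packageJson }) {
  const versions = {
    '.nvmrc': nvmrc == null ? null : parseNvmrc(nvmrc),
    Dockerfile: dockerfile == null ? null : parseDockerfile(dockerfile),
    'package.json': packageJson == null ? null : parseEngines(packageJson),
  };
  const findings = [];
  for (const [file, major] of Object.entries(versions)) {
    if (major != null && EOL_MAJORS.has(major)) {
      findings.push({ severity: 'MEDIUM', file,
        message: `Node ${major}.x is EOL since ${EOL_MAJORS.get(major)}` });
    }
  }
  const pinned = Object.entries(versions).filter(([, v]) => v != null);
  if (new Set(pinned.map(([, v]) => v)).size > 1) {
    findings.push({ severity: 'MEDIUM', file: '*',
      message: `Node.js versions differ: ${pinned.map(([f, v]) => `${f}=${v}`).join(', ')}` });
  }
  const usable = pinned.map(([, v]) => v).filter((v) => !EOL_MAJORS.has(v));
  const target = usable.length ? Math.max(...usable) : Math.max(...SUPPORTED_LTS);
  return { versions, findings, target };
}

// Constructed sample project with drift: development pinned to EOL Node 18
// while the production image already runs Node 20.
const DRIFTED = {
  nvmrc: '18\n',
  dockerfile: 'FROM node:20-alpine AS build\nWORKDIR /app\nCOPY . .\n',
  packageJson: JSON.stringify({ name: 'demo', engines: { node: '>=18.0.0' } }),
};
// The same constructed project after aligning every file on Node 22.
const ALIGNED = {
  nvmrc: 'v22.11.0\n',
  dockerfile: 'FROM docker.io/library/node:22-alpine\nWORKDIR /app\n',
  packageJson: JSON.stringify({ name: 'demo', engines: { node: '>=22.0.0' } }),
};

for (const [name, project] of [['drifted', DRIFTED], ['aligned', ALIGNED]]) {
  const result = checkProject(project);
  console.log(`${name}: ${result.findings.length} finding(s), target Node ${result.target}.x`);
  for (const f of result.findings) console.log(`  [${f.severity}] ${f.file}: ${f.message}`);
}
```

On the drifted project this reports three MEDIUM findings (EOL Node 18 in .nvmrc and package.json, plus the mismatch with the Node 20 image) and proposes Node 20 as the target, because that is the newest non-EOL major already in use; on the aligned project it reports nothing. Comparing majors only is deliberate: patch-level drift between `22.11.0` and `22-alpine` is normal, while a differing major is what produces the environment drift the rule describes.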