Use of Unmaintained Third Party Components (CWE-1104)

Use of Unmaintained Third Party Components

The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.

Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. This creates an increasing risk as time passes and vulnerabilities are discovered.

Prevalence

Medium

2 languages covered

Impact

Medium

Review recommended

Prevention

Documented

5 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Use of Unmaintained Third Party based on 5 Shoulder detection rules.

🐳 Docker View all Docker details →

Docker Base Image Security MEDIUM

Pin base images to specific version tags or SHA digests for reproducible builds

+5 -4 dockerfile

- FROM node:latest
- WORKDIR /app
- COPY . .
- RUN npm install
+ FROM node:24-alpine
+ WORKDIR /app
+ COPY package*.json ./
+ RUN npm ci
+ COPY . .

Use npm ci for Reproducible Builds LOW

Use npm ci instead of npm install for deterministic, reproducible Docker builds

+1 -1 dockerfile

  FROM node:24-alpine
  WORKDIR /app
  COPY package*.json ./
- RUN npm install
+ RUN npm ci --omit=dev
  COPY . .

Dockerfile Uses Outdated Node.js Version MEDIUM

Update FROM to a supported Node.js LTS version (24-alpine or 22-alpine)

+1 -1 dockerfile

- FROM node:16-alpine
+ FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci

🟨 JavaScript View all JavaScript details →

.nvmrc Specifies Outdated Node.js Version MEDIUM

Update .nvmrc to a supported Node.js LTS version (22 or 20)

+1 -1 javascript

- 16
+ 22

Node.js Version Mismatch Between Configuration Files MEDIUM

Align Node.js versions across .nvmrc, Dockerfile, and package.json to the same LTS version

+6 -5 javascript

- # .nvmrc says 18, Dockerfile says 22
- # .nvmrc
- 18
- # Dockerfile
- FROM node:22-alpine
+ # .nvmrc
+ 22
+ # Dockerfile
+ FROM node:22-alpine
+ # package.json engines
+ { "engines": { "node": ">=22.0.0" } }

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Use of Unmaintained Third Party Components patterns. 5 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1104

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (5)

🐳 Dockerfile 4 rules

Docker Base Image Security MEDIUM

Detects base images using "latest" tag or missing version tags.

Use npm ci for Reproducible Builds LOW

Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.

Dockerfile Uses Outdated Node.js Version MEDIUM

Detects Dockerfiles using outdated or end-of-life Node.js versions.

Node.js Version Mismatch Between Configuration Files MEDIUM

Detects inconsistent Node.js versions across project configuration files. When .nvmrc specifies one Node.js version but Dockerfile uses a different version, it causes environment drift: - "Works on my machine" bugs (code works locally but fails in production) - Security inconsistencies (development may use patched version while production uses vulnerable version) - Dependency incompatibilities (npm packages may behave differently) - Debugging difficulties (hard to reproduce production issues locally) This rule detects mismatches between: - .nvmrc and Dockerfile - .nvmrc and package.json engines - .tool-versions and Dockerfile NOTE: Detection is handled by internal/frameworks/nodejs/detector.go. The actual recommended version comes from the docker-image-outdated finding which uses the Docker image API for real-time version data.

🟨 Javascript 2 rules

.nvmrc Specifies Outdated Node.js Version MEDIUM

Detects .nvmrc files specifying outdated or end-of-life (EOL) Node.js versions. The .nvmrc file is used by Node Version Manager (nvm) to automatically switch to the correct Node.js version for a project. When this file specifies an outdated version, developers may be running insecure or incompatible Node.js versions in their development environments. Node.js version lifecycle (as of 2025): - Node 14.x: EOL April 2023 - Node 16.x: EOL September 2023 - Node 18.x: EOL April 2025 - Node 20.x: Maintenance LTS (until April 2026) - Node 22.x: Active LTS (until April 2027) - Node 23.x: Current (non-LTS) This causes: - Security vulnerabilities from missing patches - Inconsistent behavior between development and production - Compatibility issues with modern npm packages NOTE: This rule uses static version patterns. Review and update when new even-numbered LTS versions are released (typically October each year). Next update needed: October 2025 for Node.js 24 LTS.

Node.js Version Mismatch Between Configuration Files MEDIUM

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Use of Unmaintained Third Party Components vulnerabilities. Look for these during code reviews and security audits.

🟡

Dockerfile uses ...: ... docker-base-image-security

🟡

base images using "latest" tag or missing version tags docker-base-image-security

🟡

Dockerfile uses ... which is end-of-life or outdated. IMPORTANT: Update to node:24-alpine (Active LTS) or node:22-alpine docker-outdated-node-version

🟡

Dockerfiles using outdated or end-of-life Node docker-outdated-node-version

🟡

.nvmrc specifies ... nodejs-outdated-nvmrc-version

🟡

Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec nodejs-version-mismatch

🟡

inconsistent Node nodejs-version-mismatch

🔵

Dockerfile uses 'npm install' - consider 'npm ci' for reproducible builds. docker-nodejs-npm-ci

🔍

Scan your codebase for Use of Unmaintained Third Party Components

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules