Use of Unmaintained Third Party Components
The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.
Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. This creates an increasing risk as time passes and vulnerabilities are discovered.
普遍性
中
覆盖 2 种语言
影响
中
建议审查
预防
已记录
5 个修复示例
2 预防
2 预防
如何修复此漏洞
基于 5 条 Shoulder 检测规则的 Use of Unmaintained Third Party 预防策略。
Docker
查看全部 Docker 详情 →
Docker Base Image Security
MEDIUM
Pin base images to specific version tags or SHA digests for reproducible builds
- FROM node:latest - WORKDIR /app - COPY . . - RUN npm install + FROM node:24-alpine + WORKDIR /app + COPY package*.json ./ + RUN npm ci + COPY . .
Use npm ci for Reproducible Builds
LOW
Use npm ci instead of npm install for deterministic, reproducible Docker builds
FROM node:24-alpine WORKDIR /app COPY package*.json ./ - RUN npm install + RUN npm ci --omit=dev COPY . .
Dockerfile Uses Outdated Node.js Version
MEDIUM
Update FROM to a supported Node.js LTS version (24-alpine or 22-alpine)
- FROM node:16-alpine + FROM node:24-alpine WORKDIR /app COPY . . RUN npm ci
JavaScript
查看全部 JavaScript 详情 →
.nvmrc Specifies Outdated Node.js Version
MEDIUM
Update .nvmrc to a supported Node.js LTS version (22 or 20)
- 16 + 22
Node.js Version Mismatch Between Configuration Files
MEDIUM
Align Node.js versions across .nvmrc, Dockerfile, and package.json to the same LTS version
- # .nvmrc says 18, Dockerfile says 22 - # .nvmrc - 18 - # Dockerfile - FROM node:22-alpine + # .nvmrc + 22 + # Dockerfile + FROM node:22-alpine + # package.json engines + { "engines": { "node": ">=22.0.0" } }
3 检测
3 检测
查找代码中的漏洞
使用Shoulder扫描代码中的Use of Unmaintained Third Party Components模式。 5 规则.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=1104 # Or scan entire project npx @shoulderdev/cli trust .
检测规则 (5)
🐳
Dockerfile
4 rules
Docker Base Image Security
MEDIUM
Detects base images using "latest" tag or missing version tags.
Use npm ci for Reproducible Builds
LOW
Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.
Dockerfile Uses Outdated Node.js Version
MEDIUM
Detects Dockerfiles using outdated or end-of-life Node.js versions.
Node.js Version Mismatch Between Configuration Files
MEDIUM
Detects inconsistent Node.js versions across project configuration files.
When .nvmrc specifies one Node.js version but Dockerfile uses a different
version, it causes environment drift:
- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use patched version while
production uses vulnerable version)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (hard to reproduce production issues
🟨
Javascript
2 rules
.nvmrc Specifies Outdated Node.js Version
MEDIUM
Detects .nvmrc files specifying outdated or end-of-life (EOL) Node.js versions.
The .nvmrc file is used by Node Version Manager (nvm) to automatically switch
to the correct Node.js version for a project. When this file specifies an
outdated version, developers may be running insecure or incompatible Node.js
versions in their development environments.
Node.js version lifecycle (as of 2025):
- Node 14.x: EOL April 2023
- Node 16.x: EOL September 2023
- Node 18.x: EOL April 2025
- Node 20.x: Main
Node.js Version Mismatch Between Configuration Files
MEDIUM
Detects inconsistent Node.js versions across project configuration files.
When .nvmrc specifies one Node.js version but Dockerfile uses a different
version, it causes environment drift:
- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use patched version while
production uses vulnerable version)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (hard to reproduce production issues
4 警告信号
4 警告信号
代码审查中需要关注的内容
这些模式表明潜在的Use of Unmaintained Third Party Components漏洞。在代码审查和安全审计中注意查找。
Dockerfile uses ...: ...
docker-base-image-security
base images using "latest" tag or missing version tags
docker-base-image-security
Dockerfile uses ... which is end-of-life or outdated. IMPORTANT: Update to node:24-alpine (Active LTS) or node:22-alpine
docker-outdated-node-version
Dockerfiles using outdated or end-of-life Node
docker-outdated-node-version
.nvmrc specifies ...
nodejs-outdated-nvmrc-version
Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec
nodejs-version-mismatch
inconsistent Node
nodejs-version-mismatch
Dockerfile uses 'npm install' - consider 'npm ci' for reproducible builds.
docker-nodejs-npm-ci
扫描你的代码库: Use of Unmaintained Third Party Components
Shoulder CLI 在整个代码库中找到易受攻击的模式。