Your dependencies are 48% unmaintained — and SCA tools…
    Neura MarketNeura Market/Stable Diffusion
    ChatGPTChatGPTClaudeClaudeGeminiGeminiCursorCursorGrokGrokPerplexityPerplexityStable DiffusionStable Diffusion
    DeepSeekDeepSeekCoPilotCoPilotMidjourneyMidjourney
    View All Directories
    OverviewPromptsBlogVideosGuidesCoursesCommunityModelsLoRAsComfyUI WorkflowsTrending
    Stable DiffusionBlogYour dependencies are 48% unmaintained — and SCA tools can't see it
    Back to Blog
    Your dependencies are 48% unmaintained — and SCA tools can't see it
    security

    Your dependencies are 48% unmaintained — and SCA tools can't see it

    kotakanbe April 16, 2026
    0 views

    I analyzed 16,000 production packages. Half have lifecycle risk your scanner can't see. Here's uzomuzo — the open-source tool I built to find and fix it.


    title: "Your dependencies are 48% unmaintained — and SCA tools can't see it" published: true description: "I analyzed 16,000 production packages. Half have lifecycle risk your scanner can't see. Here's uzomuzo — the open-source tool I built to find and fix it." cover_image: "https://dev-to-uploads.s3.amazonaws.com/uploads/articles/30j6dljugztycg0zn8ih.png" tags: security, opensource, supplychain, devops

    I just presented this at VulnCon 2026 (slides). Here's the tool and the data.


    The blind spot

    Your vulnerability scanner is excellent at finding CVEs. Trivy, Snyk, Grype — they do their job well.

    But there's a category of risk they cannot see: packages that are no longer maintained.

    No maintainer means no security patches. No bug fixes. No one watching. And because no one is looking — no CVEs get filed. Your scanner reports zero vulnerabilities, and you assume it's safe.

    It's not safe. It's invisible.

    I analyzed 16,000 packages across ~100 organizations running in production (published in Nikkei — Japan's largest business newspaper — March 2026):

    Status%Meaning
    🟢 Active40.6%Someone is working on it
    🔵 Legacy-Safe10.9%Dormant but stable
    🟡 Stalled34.6%Activity declining
    🔴 EOL13.9%End of life

    48.5% of production dependencies have lifecycle risk. Most of it is invisible.

    What does this look like in practice?

    I scanned HashiCorp Vault — the tool you trust with your secrets. 209 dependencies.

    $ uzomuzo scan --file vault-go.mod
    
    STATUS      PURL                                    LIFECYCLE
    ✅ ok        cloud.google.com/go/[email protected]     Active
    ✅ ok        Azure/azure-sdk-for-go/sdk/azcore       Active
    🔴 replace   aws/[email protected]                  EOL-Confirmed
    🔴 replace   mitchellh/[email protected]          EOL-Confirmed
         ... (209 deps total)
    ── Summary ──────────────────────────────────
    │ 209 deps | ✅ 186 ok | ⚠️ 11 caution | 🔴 11 replace
    

    11 packages are EOL. In a secrets management tool. Most have zero CVEs.

    The scary one: copystructure

    Mitchell Hashimoto — Vault's creator — left HashiCorp in 2023. He publicly announced: "I very rarely write Go anymore." He archived 15 libraries at once, including copystructure.

    Unlike mapstructure (which has a community fork), copystructure has no successor. Nobody picked it up.

    Where is it used? vault/acl.go — the access control layer. It deep-copies the deny rules for each security check.

    If this package were compromised — deny rules silently disappear. No error. No log. No crash. Your scanner will never find this because there is no CVE to find.

    The risk is not a bug. It's being abandoned.

    From detection to analysis — with an LLM

    Finding the EOL package is step one. But what exactly happens if it's compromised? I used an LLM to trace the data flow and build the attack scenario:

    mitchellh/copystructure — Risk: CRITICAL
    Lifecycle: Archived. Maintainer left HashiCorp in 2023. CVEs: 0
    
    Data flow:
      IN:  ACL DeniedParameters, MFA methods, ClientToken
      OUT: Deep-copied structs for per-request isolation
    
    Attack scenario:
      1. acl.go: deny rules silently disappear
      2. request.go: ClientToken shared across requests
      3. policy.go: MFA bypass via shared ControlGroup
      → NO errors. NO logs. NO crashes.
    

    Verdict: CRITICAL. Action: self-implement with ~100 lines of reflect-based code, replacing the ~500-line archived dependency.

    This analysis — tracing what data flows through a package, constructing attack scenarios, assessing severity — takes weeks to do manually across 209 dependencies. With uzomuzo + LLM, it takes minutes. I automated this as the /diet-assess-risk skill.

    How I built a tool to find this

    I built uzomuzo — an open-source tool that detects unmaintained packages that SCA tools miss. The name comes from a Buddhist concept: uzōmuzō (有象無象) — "the visible and the invisible." That's exactly what your dependency tree is.

    What makes it different

    1. Seven lifecycle stages, not binary.

    Other tools give you "maintained or not." uzomuzo gives you a spectrum:

    #SignalResult
    1Archived / Disabled?Yes → 🔴 EOL-Confirmed
    2Registry EOL? (npm deprecated, PyPI inactive)Yes → 🔴 EOL-Confirmed
    3EOL announced?Yes → 🟠 EOL-Scheduled
    4No recent human commits + HIGH/CRITICAL advisory?⚫ EOL-Effective
    No recent human commits + LOW/MEDIUM advisory?🟡 Stalled
    No recent human commits + no advisory?🔵 Legacy-Safe
    5Recent human commits + recent publish or VCS-direct?🟢 Active
    Recent human commits + no publish + low Scorecard?🟡 Stalled

    Each check is evaluated top to bottom — first match wins. "Stalled" and "dead" require different responses. Stalled — you watch. EOL — you replace.

    2. Multiple signal sources.

    It combines data from deps.dev (Scorecard, releases, advisories), GitHub API (archive status, commit history), and registry heuristics (PyPI classifiers, npm deprecated flag, Packagist abandoned).

    The judgment is ecosystem-aware. Go delivers via git — commits are releases. npm requires a registry publish. Same commits, different verdict.

    3. Two-axis evaluation: lifecycle × build integrity.

    Lifecycle alone isn't enough. A package can be actively maintained but have no signed releases, no reproducible builds, no provenance. uzomuzo evaluates both axes — so you can distinguish "healthy and well-built" from "active but risky."

    4. Not just detection — all the way to removal.

    This is the big one. Every other tool stops at detection. Scorecard gives you a score. Trivy gives you a CVE. Then you're on your own.

    uzomuzo goes from detect → prioritize → remove:

    • uzomuzo scan — find EOL packages (every CI build)
    • uzomuzo diet — rank by removal priority: graph impact × health risk × coupling effort
    • /diet-* Claude Code skills — assess risk, evaluate removal, execute safely

    Try it now (30 seconds)

    Install

    go install github.com/future-architect/uzomuzo-oss/cmd/uzomuzo@latest
    

    Or download a binary from GitHub Releases.

    Scan your project

    # Go project
    uzomuzo scan --file go.mod
    
    # Any language (via SBOM)
    trivy fs . --format cyclonedx | uzomuzo scan --sbom -
    
    # GitHub Actions
    uzomuzo scan --file .github/workflows/ci.yml
    
    # Single package
    uzomuzo scan pkg:npm/[email protected]
    

    CI gate

    # Fail the build if any EOL dependency is found
    trivy fs . --format cyclonedx \
      | uzomuzo scan --sbom - --fail-on eol-confirmed
    

    That's it. One pipeline command.

    I used it on my own project

    I ran uzomuzo on my own project — vuls, an open-source vulnerability scanner with 391 dependencies. Then I removed what I found.

    Binary size: 106.6 MB → 34.1 MB (-68%). Dependencies: 352 → 144 (-59%). I reported my findings upstream — Grafana's maintainer closed the community PR and committed to replacing the archived Action internally using their own shared-workflows.

    The full story of how I did it — in a follow-up post.

    The blind spot is bigger than you think

    I cross-checked SCA results against lifecycle status on real-world projects. The overlap was almost zero — most EOL packages had no CVEs at all. They are completely invisible to SCA tools.

    "No CVE" doesn't mean "no vulnerability." It often means "no one is looking."

    Full methodology and data — in a follow-up post.

    Start today

    1. 30 seconds: uzomuzo scan --file go.mod or uzomuzo scan https://github.com/your/repo
    2. 5 minutes: Add --fail-on eol-confirmed to your CI pipeline
    3. Quarterly: Run uzomuzo diet for a prioritized removal plan

    You will be surprised what you find.


    ⭐ github.com/future-architect/uzomuzo-oss — Apache 2.0

    Kota Kanbe — Creator of vuls (12K+ ⭐), presented at VulnCon 2026

    Tags

    securityopensourcesupplychaindevops

    Comments

    More Blog

    View all
    Context bankruptcy: The case for strategic forgetting for AI Agentsai

    Context bankruptcy: The case for strategic forgetting for AI Agents

    Most of us have seen a coding agent fail to complete a task we know it can do. We just don't...

    J
    James O'Reilly
    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestrationgooglecloud

    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestration

    When building Generative AI applications, developers often encounter a massive bottleneck: sequential...

    A
    Aryan Irani
    Is It Ethical to Post and Ask About Circuits on Dev.to?discuss

    Is It Ethical to Post and Ask About Circuits on Dev.to?

    I’ve been thinking about sharing some electronic circuit posts on Dev.to — small circuits, DIY...

    C
    codebunny20
    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limitsagents

    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limits

    What nobody tells you about exporting your multi-agent prototype to a local workspace. Every...

    L
    leslysandra
    Guarding the till while autonomous data agents do the diggingagenticarchitect

    Guarding the till while autonomous data agents do the digging

    Autonomous agents are genuinely good at answering messy business questions. Give one an LLM and a set...

    S
    Sireesha Pulipati
    Return on Attention: Why AI Code Reviews Are Wearing Us Outai

    Return on Attention: Why AI Code Reviews Are Wearing Us Out

    PR volume went up, ticket quality didn't, and the gap got filled with LLMs on both sides of the review: bots reviewing, bots replying, bots occasionally arguing with bots about priorities that only existed in a teammate's head. Our CEO named the actual problem, and it's bigger than code review.

    C
    christine

    Stay up to date

    Get the latest Stable Diffusion prompts, rules, and resources delivered to your inbox weekly.

    Neura Market LogoNeura Market

    Discover the best AI prompts, plugins, and resources for Stable Diffusion and more.

    Content Types

    • Rules
    • Prompts
    • MCPs
    • Agents
    • Guides

    Platforms

    • ChatGPT Directory
    • Claude Directory
    • Gemini Directory
    • Cursor Directory
    • Grok Directory
    • Perplexity Directory
    • DeepSeek Directory
    • CoPilot Directory
    • Stable Diffusion Directory
    • Midjourney Directory
    • All Directories

    Resources

    • Blog
    • Documentation
    • Help Center
    • Marketplace

    Legal

    • Privacy Policy
    • Terms of Service

    © 2026 Neura Market. All rights reserved.

    |

    Not affiliated with any AI platform vendors.

    Ready-made automations for this

    Workflows from the Neura Market marketplace related to this Stable Diffusion resource

    • Production KPI Dashboard Workflow for Enhanced Manufacturing Insightsn8n · $16.91 · Related topic
    • Solar Output Forecaster: Predicting Solar Energy Productionn8n · $4.61 · Related topic
    • Automate AI Video Production & Distribution with Veo3, YouTube & Google Suiten8n · $24.99 · Related topic
    • AI Chatbot Taxi Booking Worker - Production-Readyn8n · $24.99 · Related topic
    Browse all workflows