What is End-Of-Life
Understanding how end-of-life is determined
How does HeroDevs determine end-of-life status?
HeroDevs uses a series of metadata points about each open-source package version scanned to determine its end-of-life (EOL) status. When you run a scan and view the report, we provide a boolean (true/false) determination of whether the version is considered EOL or not, along with specific EOL reasons. Taken together, the information in the report helps you make informed decisions about your application and the packages it uses.
There are many reasons why a given package version may be regarded as EOL. Below is a detailed review of “EOL Reason” for any package version marked EOL:
- Maintainer Attested: The maintainers have explicitly stated this version is end-of-life. This is the most explicit indicator and is the least likely to change in the future.
- Release Line Deprecated: The major version line is deprecated, which influences the EOL status of all minor and patch versions within that release line.
- Unpatched CVE in Version: There is an unpatched CVE in the exact package version scanned; it is likely end-of-life. In this context, “unpatched” means there is no version within that release line you could upgrade to that contains the patch for the given CVE.
- Unpatched CVE in Release Line: A CVE is present, not in your specific package version, but within that release line. This indicates the line is unsupported and EOL.
- Stale Release Line: No new releases in the past 365 days for that release line, while newer release lines remain active and have releases within the last 365 days.
Below is a detailed review of “EOL Reason” for any package version marked Not EOL:
- Maintainer Attested (Not EOL): Maintainers confirm the version is still supported.
- Version Passes All Checks: The version passes all criteria and is not considered end-of-life.
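As an added example (not HeroDevs' own code or scoring logic), the following Python sketch applies the EOL reasons listed above to constructed package metadata and returns the boolean plus the reason list a report would carry. The data model, the field and reason names, the placeholder CVE id, and the precedence given to an explicit maintainer statement over the derived checks are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class ReleaseLine:                      # one major version line, e.g. 1.x
    major: int
    deprecated: bool = False            # maintainers deprecated the whole line
    latest_release: date | None = None  # newest release date within this line
    cves_unfixed_in_line: set[str] = field(default_factory=set)  # CVEs with no fixed version in this line

@dataclass
class PackageVersion:                   # the exact version that was scanned
    version: str
    line: ReleaseLine
    maintainer_attested_eol: bool | None = None  # True = attested EOL, False = attested supported
    cves_affecting_version: set[str] = field(default_factory=set)

def eol_reasons(pkg: PackageVersion, all_lines: list[ReleaseLine], today: date) -> tuple[bool, list[str]]:
    """Return (is_eol, reasons) per the reason list above; assumes a maintainer statement overrides derived checks."""
    if pkg.maintainer_attested_eol is True:
        return True, ["maintainer_attested"]
    if pkg.maintainer_attested_eol is False:
        return False, ["maintainer_attested_not_eol"]
    line, reasons = pkg.line, []
    if line.deprecated:
        reasons.append("release_line_deprecated")
    if pkg.cves_affecting_version & line.cves_unfixed_in_line:
        reasons.append("unpatched_cve_in_version")       # this exact version, no fix anywhere in the line
    elif line.cves_unfixed_in_line:
        reasons.append("unpatched_cve_in_release_line")  # another version in the line, still unfixed
    cutoff = today - timedelta(days=365)                 # "no new releases in the past 365 days"
    line_stale = line.latest_release is None or line.latest_release < cutoff
    newer_active = any(o.major > line.major and o.latest_release is not None and o.latest_release >= cutoff
                       for o in all_lines)
    if line_stale and newer_active:
        reasons.append("stale_release_line")
    return (True, reasons) if reasons else (False, ["version_passes_all_checks"])

def demo(today: date = date(2024, 6, 1)) -> dict[str, tuple[bool, list[str]]]:
    """Constructed sample history for a hypothetical package (placeholder CVE id, not a real one)."""
    v1 = ReleaseLine(1, latest_release=date(2022, 3, 1), cves_unfixed_in_line={"CVE-0000-0001"})
    v2 = ReleaseLine(2, latest_release=date(2024, 5, 20))
    scanned = [
        PackageVersion("1.0.0", v1, cves_affecting_version={"CVE-0000-0001"}),
        PackageVersion("1.4.2", v1),                          # line has the CVE, this version does not
        PackageVersion("2.0.0", v2, maintainer_attested_eol=True),
        PackageVersion("2.1.0", v2),
    ]
    return {p.version: eol_reasons(p, [v1, v2], today) for p in scanned}
```

Note that a version can carry more than one reason at once; in the sample, every 1.x version is both stale and affected by the line's unfixed CVE.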
Does a package's version EOL status change?
Yes, the end-of-life status does change over time. However, there is no reliable timeline for when a package version’s EOL state changes. As a result, we recommend setting up regular, automated rescans within your CI/CD pipeline to catch when an OSS package version goes end-of-life.
Why do I see more EOL OSS usage using HeroDevs’ scan than in my SCA tool?
Most SCA tools are scraping publicly available data from sites like endoflife.date. While tools like these are a great start, they only represent a small fraction of OSS that is EOL. Our system gathers and analyzes a myriad of additional data points about every package version (down to the patch versions) before calculating a determination for millions of packages and versions.
If you prefer to review only package versions with an explicit “maintainer attested” EOL determination (as available on sites like endoflife.date), we recommend filtering your EOL report data based on “EOL_reason contains maintainer_attested”. This truncated dataset is likely to align more closely with the limited view that most SCA tools can provide.