Nobody Had A Complete Map Of Dead Open Source Software. So We Built One.
We watched hundreds of enterprises discover EOL risk at the 11th hour — during audits, after breaches, too late to act. The data simply didn't exist.
Today, the HeroDevs EOL Data Set tracks lifecycle status for 12M+ package versions across every major registry. The next closest source covers ~7,000.
900+ enterprise customers
12M+ package versions analyzed
1078+ CVEs remediated
3000+ enterprise SBOMs studied
There's Nothing Else Like It
Existing sources track a fraction of the ecosystem. We track all of it.
HeroDevs EOL Data Set: 12,000,000+ package versions with known lifecycle status (registries: npm · PyPI · Maven · NuGet · RubyGems · Go · Packagist · crates.io)
endoflife.date: ~350 products tracked (not package versions)
NVD / CVE Databases: ~7,000 CVE records referencing EOL — no structured lifecycle data
That's a 1,700x difference in coverage.
Why Didn't This Data Exist Before?
Most packages don't announce end-of-life. Maintainers just stop committing. Nobody declares it dead — it just stops.
No standard
There's no standard for reporting 'this is dead.' EOL information isn't part of package metadata.
Maintainer abandonment
Most maintainers don't post announcements. They move on. The package stays on the registry forever.
SCA doesn't look
Vulnerability scanners ask 'is there a CVE?' They don't ask 'will there ever be a fix?'
How We Build It
Two sources of truth. One comprehensive dataset.
MAINTAINER-ATTESTED
Official EOL declarations
Every official end-of-life announcement, support policy change, and maintenance status update from package maintainers and foundations.
Official project announcements
Support policy documentation
Foundation lifecycle statements
Release schedule commitments
MACHINE LEARNING
Abandoned package detection
Not every maintainer announces EOL. Our ML analyzes commit velocity, release cadence, issue response time, and download trends to detect maintainer abandonment.
Commit & release frequency analysis
Issue response pattern detection
Download trend modeling
Maintainer activity signals
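As an added illustration (not HeroDevs' model or code), the four signals listed above can be checked against a constructed activity snapshot; the thresholds, the three-of-four rule and the package names are assumptions made here, and the point is that no single stale signal flags a package on its own:

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class PackageActivity:
    """Constructed activity snapshot for one package (sample data, not registry output)."""
    name: str
    last_commit: date
    last_release: date
    unanswered_issue_ages: list[int] = field(default_factory=list)  # days open, no maintainer reply
    monthly_downloads: list[int] = field(default_factory=list)      # oldest month first

def abandonment_signals(pkg: PackageActivity, today: date, stale_days: int = 365,
                        issue_days: int = 90, min_ignored: int = 3,
                        decline_ratio: float = 0.5, min_signals: int = 3) -> dict:
    """Evaluate the four activity signals named on the page. Thresholds are assumptions."""
    commits_stale = (today - pkg.last_commit).days > stale_days
    releases_stale = (today - pkg.last_release).days > stale_days
    ignored = sum(1 for age in pkg.unanswered_issue_ages if age > issue_days)
    issues_ignored = ignored >= min_ignored
    # Download trend: mean of the newest three months vs. the oldest three in the window.
    dl = pkg.monthly_downloads
    downloads_declining = False
    if len(dl) >= 6:
        head, tail = sum(dl[:3]) / 3, sum(dl[-3:]) / 3
        downloads_declining = head > 0 and tail / head < decline_ratio
    signals = {"commits_stale": commits_stale, "releases_stale": releases_stale,
               "issues_ignored": issues_ignored, "downloads_declining": downloads_declining}
    score = sum(signals.values())
    # A quiet-but-responsive package (stale commits, issues answered) stays below the bar,
    # so "no recent commits" alone never flags a finished, stable library.
    return {"package": pkg.name, "signals": signals, "score": score,
            "likely_abandoned": score >= min_signals}

TODAY = date(2026, 1, 15)  # constructed reference date
SAMPLES = [  # constructed packages: one abandoned, one active, one quiet but tended
    PackageActivity("sample-abandoned", date(2023, 6, 1), date(2023, 5, 20),
                    [120, 200, 400, 30], [10000, 9500, 9000, 5000, 4000, 3500]),
    PackageActivity("sample-active", date(2026, 1, 10), date(2025, 12, 1),
                    [5, 12], [8000, 8200, 8500, 9000, 9300, 9600]),
    PackageActivity("sample-quiet", date(2024, 6, 1), date(2024, 5, 1),
                    [], [3000, 3100, 2900, 3000, 3050, 2950]),
]

def triage(samples=SAMPLES, today=TODAY) -> list[dict]:
    return [abandonment_signals(p, today) for p in samples]

if __name__ == "__main__":
    for r in triage():
        print(r["package"], r["score"], "likely abandoned" if r["likely_abandoned"] else "ok")
```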
CONTINUOUS ENRICHMENT
CVE and risk correlation
Every EOL record is enriched with vulnerability data, migration paths, and ecosystem context — updated continuously as new CVEs are disclosed.
CVE-to-package mapping
CVSS scoring integration
Migration path availability
Ecosystem health indicators
Learn more about our methodology
EOL Software Is Not An Edge Case
Key findings from 3,000+ enterprise SBOMs. Published with Sonatype, 2026.
81,000+ package versions with known CVEs are both EOL and unpatchable.
HeroDevs estimates this number may actually be 400,000+ across all registries.
400K+ EOL with unpatched CVEs (estimated total across all registries)
81K+ confirmed unpatchable (known CVEs on EOL packages, verified)
5–15% of enterprise deps are EOL (consistent across every ecosystem)
12M+ versions tracked (most comprehensive EOL dataset in existence)
9.8T OSS downloads in 2025
1.2M+ malicious packages logged
65%+ of new vulns unscored
41 days median NVD time-to-score
PROOF POINT: LOG4SHELL
Everyone Patched Log4Shell. The Affected Packages Kept Dying.
14% of Log4Shell artifacts now EOL
619M downloads of EOL Log4j in 2025
3,000+ SBOMs analyzed for this finding
Built For Integration
Security platforms, SCA vendors, and enterprise teams use this data.
Data Partners
SCA tools & security platforms
Embed EOL lifecycle data into your product. Enrich vulnerability findings with support status and remediation context.
Enterprise Security
AppSec, Platform Eng, Compliance
Scan your dependency graph for EOL exposure. Prioritize by risk. Generate audit-ready reports.
Researchers
Supply chain intelligence
The most comprehensive EOL dataset for research, benchmarking, and ecosystem health analysis.
Every Registry. Every Ecosystem.
We analyzed every major package registry. The result: no ecosystem is immune. npm leads at 25.7%, but the problem spans every language and every runtime.
Percentage of packages classified as EOL by registry:
npm: 25.7%
NuGet: 18.5%
Cargo: 13.4%
PyPI: 11.6%
Maven Central: 10.5%
Source: Sonatype × HeroDevs — 2026 State of the Software Supply Chain Report, Figure 3.4
Detect. Prioritize. Remediate.
From blind spot to board report in minutes.
DETECT
Find Every EOL Dependency
Scan your full dependency tree — including transitive deps — in CI/CD or CLI.
SBOM & manifest scanning
Transitive dependency coverage
Approaching-EOL early warnings
CI/CD gate enforcement
PRIORITIZE
Focus On What Actually Matters
Sort by CVSS, EOL age, versions behind, and migration complexity.
Risk scoring: CVSS + EOL context
Migration effort estimates
Team-level breakdowns
Export to Jira / ServiceNow / BI
REMEDIATE
Fix It, Plan It, Or Protect It
Compliance reports. Migration tickets. Or instant NES protection — zero code changes.
SOC 2, PCI-DSS, FedRAMP reports
NES drop-in replacements
Zero code changes required
Audit-ready evidence
Not A Replacement. A Missing Layer.
Works alongside Snyk, Mend, Anchore, Checkmarx, or any SCA.
Capability comparison (Your SCA vs. EOL Dataset):
Known CVE Detection
End-of-Life Detection
Days Since EOL
Versions Behind Current
Upcoming EOL Alerts
Abandoned Package Detection
Migration Effort Scoring
NES Remediation Path
FREQUENTLY ASKED QUESTIONS
Questions Engineers Ask
Get answers to some of our most commonly asked questions.
Of course, if you can't find the answer you're looking for, feel free to contact us.
How do you define 'end-of-life'?
How accurate is the ML detection?
How often is it updated?
How is this different from endoflife.date?
Can I integrate this into my SCA?
How do I become a data partner?
The Data Exists Now
Explore the dataset, integrate it into your platform, or scan your own stack.
API & CLI access
SCA-complementary
SOC 2 compliant
Request A Demo