Security
Mar 16, 2026

Is Your OSS Package End of Life? A Practical Guide to Checking Support Status

EOL information is scattered, inconsistently documented, and often outdated. Here's how to actually find it.


One of the most common searches developers run when evaluating a dependency isn't about a bug — it's a lifecycle question. 'Is lodash still maintained?' 'Is Spring 4 EOL?' 'What's the current AngularJS support status?' If you've searched one of these and found conflicting or outdated information, you're not alone.

OSS support status is genuinely difficult to track down. The information is scattered across GitHub discussions, official project pages, Stack Overflow threads, blog posts, and release notes — often inconsistently written, frequently out of date, and sometimes contradicting each other.

The fastest way to get a reliable answer across your entire dependency tree is to use a free lifecycle intelligence tool like HeroDevs EOL DS at eoldataset.com. But this guide also walks through the manual methods for when you need to dig into a specific package.

Method 1: Check Official Project Documentation

For major frameworks and runtimes, the most reliable source is the project's own published lifecycle documentation. Several ecosystems maintain excellent resources: Node.js at nodejs.org/en/about/previous-releases, .NET at dotnet.microsoft.com/platform/support/policy, Python at devguide.python.org/versions, the Spring Framework via their project metadata and release blogs, and Java (Oracle JDK) at oracle.com/java/technologies/java-se-support-roadmap.html. For packages at this tier, official documentation is always your first stop.

Method 2: Check endoflife.date

The community-maintained endoflife.date aggregates lifecycle information for hundreds of software products in a standardized format. It covers everything from major runtimes to databases, operating systems, and popular frameworks. Its coverage has limitations for the long tail of npm, PyPI, Maven, and NuGet packages — it doesn't track individual libraries at that granularity — but for anything at the framework or runtime level, it's a solid reference.
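
As an added example (not code from this article's author or from the endoflife.date project), the sketch below matches an installed version against per-cycle lifecycle records and handles an eol field that may be a date string or a boolean. The product, cycles and dates are constructed, and the field names cycle, eol and latest are assumed to follow the per-product JSON that endoflife.date publishes.

```python
import json
from datetime import date

# Constructed sample in the shape of a per-product lifecycle list.
# Product, cycles and dates are made up for illustration.
SAMPLE_CYCLES = json.loads("""
[
  {"cycle": "4", "eol": false,        "latest": "4.1.0"},
  {"cycle": "3", "eol": "2027-04-30", "latest": "3.9.2"},
  {"cycle": "2", "eol": "2024-10-31", "latest": "2.14.7"},
  {"cycle": "1", "eol": true,         "latest": "1.8.3"}
]
""")


def cycle_status(entry, today):
    """Return 'eol', 'supported' or 'unknown' for one release cycle."""
    eol = entry.get("eol")
    if isinstance(eol, bool):          # true = already EOL, false = no EOL date set
        return "eol" if eol else "supported"
    if isinstance(eol, str):
        try:
            return "eol" if date.fromisoformat(eol) <= today else "supported"
        except ValueError:
            return "unknown"           # unparseable date: do not guess
    return "unknown"                   # field missing or unexpected type


def check_version(version, cycles, today):
    """Match an installed version to its cycle and report the status."""
    # Longest cycle name first so "1.10" is tried before "1".
    for entry in sorted(cycles, key=lambda c: len(str(c["cycle"])), reverse=True):
        cycle = str(entry["cycle"])
        if version == cycle or version.startswith(cycle + "."):
            return cycle, cycle_status(entry, today)
    return None, "unknown"             # version not tracked in this data


if __name__ == "__main__":
    for v in ("2.14.1", "3.0.0", "1.2.0", "4.1.0", "9.0.0"):
        print(v, check_version(v, SAMPLE_CYCLES, date(2026, 3, 16)))
```

A result of unknown means the data cannot answer the question for that version, which is the case for most individual libraries and is where Method 3 applies.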

Method 3: Read Repository Behavioral Signals

For the vast majority of open source packages — particularly in the JavaScript ecosystem — there is no official EOL announcement. Maintainer abandonment simply sets in: maintainers stop responding, stop releasing, and stop engaging. In these cases, you need to read behavioral signals.

Look at the last commit date — a repository with no commits in 18-24 months is exhibiting strong abandonment signals, even without an official declaration. Check issue responsiveness and pull request activity to see whether community contributions are being reviewed and merged, or sitting unacknowledged. Also look for maintainer statements in README banners or GitHub Discussions that sometimes contain explicit 'no longer maintaining' statements that don't show up in official release notes.
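
The signals above can be checked mechanically once the repository metadata is in hand. This is an added example, not code from the article's author: the snapshot fields (last_commit, open_prs, open_issues, readme) and the "more than half unanswered" rule are assumptions, the 18-month threshold is the lower bound given above, and the sample repositories are constructed.

```python
from datetime import date

STALE_MONTHS = 18  # lower bound of the 18-24 month window described above
# 'no longer maintain' comes from the text; the other phrases are assumptions.
PHRASES = ("no longer maintain", "unmaintained", "not maintained")


def months_between(earlier, later):
    """Whole calendar months elapsed between two dates."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def abandonment_signals(repo, today):
    """Return human-readable findings for one repository snapshot."""
    findings = []
    idle = months_between(repo["last_commit"], today)
    if idle >= STALE_MONTHS:
        findings.append(f"no commits for {idle} months")
    prs = repo["open_prs"]
    if prs and not any(p["reviewed"] for p in prs):
        findings.append(f"all {len(prs)} open pull requests unreviewed")
    issues = repo["open_issues"]
    silent = sum(1 for i in issues if i["maintainer_replies"] == 0)
    if issues and silent * 2 > len(issues):  # more than half unanswered
        findings.append(f"{silent} of {len(issues)} open issues unanswered")
    readme = repo["readme"].lower()
    findings += [f"README says '{p}'" for p in PHRASES if p in readme]
    return findings


# Constructed snapshots; in practice these fields come from the hosting API.
QUIET = {
    "last_commit": date(2024, 5, 2),
    "open_prs": [{"reviewed": False}, {"reviewed": False}],
    "open_issues": [{"maintainer_replies": 0}, {"maintainer_replies": 0},
                    {"maintainer_replies": 1}],
    "readme": "# lib\nThis project is no longer maintained.",
}
ACTIVE = {
    "last_commit": date(2026, 2, 20),
    "open_prs": [{"reviewed": True}, {"reviewed": False}],
    "open_issues": [{"maintainer_replies": 2}],
    "readme": "# lib\nActively developed.",
}

if __name__ == "__main__":
    for name, repo in (("quiet", QUIET), ("active", ACTIVE)):
        print(name, abandonment_signals(repo, date(2026, 3, 16)))
```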

Method 4: Use a Free Lifecycle Intelligence Tool

Manual research doesn't scale across a full dependency tree. HeroDevs EOL DS automates this process across all major ecosystems and is free to use at eoldataset.com. Scan a manifest or SBOM and get clear EOL status — including behavioral signals for packages that have never made official announcements — across every dependency in a single pass.

A Real-World Scenario: Three Packages, Three Different Answers

Scenario: The Dependency Audit

A developer is auditing the dependencies of a legacy application before a planned infrastructure modernization. She has three packages to investigate: an AngularJS frontend, a lodash utility dependency, and a Spring 4 backend service.

AngularJS: Official EOL December 31, 2021 — confirmed immediately. Clear answer.

Spring 4: Official EOL December 2020 — confirmed from Spring's project page. Clear answer.

Lodash: No official EOL declaration, but the GitHub repository shows the last major release was in 2021, issue response time has dropped sharply, and several open security-related issues have gone unanswered. Ambiguous — not officially EOL, but exhibiting strong maintainer abandonment signals.

The Packages Developers Ask About Most

Is AngularJS still supported?

AngularJS (Angular 1.x) reached official end-of-life on December 31, 2021. If you're running AngularJS, you're running software in a state of full maintainer abandonment with no CVE reporting and no future security patches from the original maintainer. This is not the same as Angular 2+, which is actively maintained under a separate development path.

Is lodash deprecated?

Lodash has not made an official deprecation or EOL declaration, but its maintenance posture has changed significantly. Development activity has slowed substantially, major releases have become infrequent, and many of its utility functions are now available natively in modern JavaScript environments. It's not officially abandoned, but it's exhibiting early signals of maintainer abandonment rather than the active, sustained maintenance of a fully supported package.

Spring Framework 4 EOL

Spring Framework 4.x reached end-of-life in December 2020. Teams requiring ongoing security support should evaluate migration to Spring 6, which is the current actively maintained major version. Running Spring 4 means running outside the supported lifecycle with no security patch coverage from the Spring team.

Why This Research Shouldn't Have to Be Manual

The root problem is that OSS support status information is fragmented and inconsistently maintained. There's no standard mechanism for package registries to surface lifecycle status at the package level. Your package.json tells you what versions you're using. Nothing in your standard toolchain tells you which of those have experienced maintainer abandonment. HeroDevs EOL DS is free and closes that gap — start at eoldataset.com.

Frequently Asked Questions

Q: Is there a free tool to check if my packages are end of life?

Yes. HeroDevs EOL DS is free and checks EOL status across your entire dependency tree in one scan. Try it at eoldataset.com instead of researching packages one by one.

Q: Is AngularJS still supported?

No. AngularJS (Angular 1.x) officially reached end-of-life on December 31, 2021. There are no more security patches, no CVE disclosures, and no support of any kind from the Angular team. If you're running it, you're running fully abandoned software.

Q: Is Spring Framework 4 end of life?

Yes. Spring Framework 4.x reached end-of-life in December 2020. Running Spring 4 means running outside the supported lifecycle with no security patch coverage from the Spring team. Spring 6 is the current actively maintained major version.

Q: Is lodash abandoned?

Lodash hasn't made an official EOL declaration, but its maintenance posture has changed significantly. Development activity has slowed, major releases have become infrequent, and open security issues have gone unanswered. It's exhibiting strong maintainer abandonment signals even without a formal announcement.

The Bottom Line

EOL status shouldn't require a research project. The information exists — it's just scattered, inconsistent, and often missing entirely for packages that go quiet without making any announcement. That's the problem HeroDevs EOL DS was built to solve. Instead of hunting down lifecycle information package by package, you get a complete, automated picture of what's still supported and what isn't — across your entire dependency tree, for free. See what's in your stack at eoldataset.com.

Author
HeroDevs