What is the primary purpose of this scanning tool?

The primary purpose of this scanning tool is to identify "end of life" (EOL) software packages within projects and provide users with detailed information and context to prioritize and address these issues. This helps organizations maintain compliance and mitigate security risks associated with outdated software components.

How can users initiate a scan, and what are the different methods available?

Users can initiate a scan manually through the command-line interface (CLI) or set it up to run in an automated fashion within their CI/CD pipeline. For manual scans, users can either navigate into the project directory and run a command or specify a file path directly in the command.

What happens during the scanning process if an SBOM is not found?

If an SBOM (Software Bill of Materials) is not found in the scanned directory, the system looks for manifests (like package-lock.json or pom.xml) that list the packages within the project. It then uses this manifest to create an SBOM locally on the device before querying the system to identify end-of-life packages.

Once a scan is complete, how can users view and analyze the results?

After a scan, users have two main options for consuming the results: Technical Consumption Route - Users can run additional commands to export the scan data in JSON format. This allows them to load the detailed payload into their preferred Business Intelligence (BI) tools (e.g., DOMO, Looker, Snowflake, Excel) and collate it with data from other security scanners for custom analysis. Visual Consumption Route - The system automatically generates a shareable URL to a web-based report. This report provides a visual summary and detailed breakdown of the scanned packages, highlighting end-of-life components, vulnerabilities, and other relevant information.

How does the tool provide context and help prioritize end-of-life packages?

The tool provides crucial context for end-of-life packages to aid in prioritization. For each EOL package, it shows: When it went end-of-life, the number of associated vulnerabilities (CVEs), the ecosystem it belongs to, the number of days it has been end-of-life (days eol), the next stable version to migrate to, and how many versions out the current package is (versions out). These data points, especially "days eol" and "versions out," are designed to indicate the potential number of breaking changes and the level of effort required for migration, helping users prioritize based on risk and development burden.

Find What’s End-of-Life.
Fix It In Minutes.
Never Run EOL Software Again.

Whether you need to resolve a specific CVE today or get ahead of EOL risk across your entire open source stack — HeroDevs has you covered.

FOR ENGINEERS & DEV OPS

I need a full EOL picture

Instantly find every end-of-life dependency across your full stack — direct, transitive, and across all your projects.

Get Started For Free

FOR SECURITY & COMPLIANCE LEADERS

Tired of EOL surprises at audit time?

EOL software is now a named finding in SOC 2, PCI-DSS, and HIPAA audits. Get a plan so your team is never caught off-guard again.

Book A Compliance Demo

TRUSTED BY SECURITY AND ENGINEERING TEAMS AT

PRODUCT DEMO

See How It Works

Step through each phase of a real dependency scan.

Step 1 - Connect

Choose Your Entry Point

Three ways to start — use one or all of them.

Upload an SBOM

Drop in a CycloneDX or SPDX file. Instant scan, no setup.

CycloneDX · SPDX

Scan a manifest

package.json, pom.xml, .csproj, requirements.txt, go.mod, Cargo.toml — any ecosystem.

npm · maven · pypi · nuget · go · cargo

CI/CD integration

Connect your pipeline for continuous, automated scanning on every build.

GitHub Actions · GitLab · Jenkins · Azure DevOps

Step 2 - Resolve

Full Tree Resolved

We resolve the complete dependency graph — direct deps, every transitive pull-in, and a clean split between production and dev/test.

Direct deps

What you declared

Transitive deps

What your deps pull in

1,161

Production

Surface area that matters

935

Dev / test only

lower priority, still tracked

312

93% of your risk lives in transitive deps. Most SCAs never look there.

Step 3 - Detect

EOL Findings Detected

Not just CVEs — we surface whether anyone is still maintaining the software. Results grouped by risk so you know exactly where to focus.

End-of-Life

No more patches. Ever. Top priority.

EOL Upcoming

Approaching end-of-support — plan now.

Vulns, not EOL

Still maintained but carrying active CVEs.

Unknown status

Unmaintained or abandoned — no clear EOL date.

Your SCA reported zero issues. We found 8 — because it tracks CVEs, not lifecycle.

Step 4 - Remediate

Every Finding Gets A Fix

Upgrade when a supported version exists. For deeply embedded frameworks, activate NES — drop-in security patches. Same package, same API, zero code changes.

6 of 8 findings fixable with NES today. Deploy in minutes.

Step 5 - Report

Fleet-wide Report

A single pane of glass across every project — per-project EOL risk, last scan time, and compliance posture mapped to PCI-DSS, SOC 2, and HIPAA.

Project-level risk

Findings, CVEs, and NES coverage per repo

Scan history

Last scan time and configurable cadence

Compliance per project

PCI, SOC 2, HIPAA — pass / warn / fail

Flexible export

PDF, CSV, Jira push, or API webhook

Audit-ready. Share with your security team, auditors, or leadership in one click.

1,700x

more EOL data than any other source

12M+ package versions tracked · every major registry · the data your scanner doesn't have

12M+

Package versions tracked

1,700+

more EOL data than any scanner

Every Major Ecosystem

Covered by NES

900+

Enterprise customers

Where Do You Want To Start?

FOR ENGINEERS & DEV OPS

I Need A Fix Now

See what's at risk. Get remediation paths — including NES patches you can deploy today.

Get Started For Free

FREE - NO CREDIT CARD - NO SETUP REQUIERED

FOR SECURITY & COMPLIANCE LEADERS

I Want To Get Ahead Of This

Walk through your full risk profile. Build a remediation plan. Get audit evidence.

Talk To Our Team

USUALLY WITHIN 24 HOURS

THE FULL PICTURE

Find It. Fix It. Stay Compliant.

The only platform that detects end-of-life risk and remediates it — without forcing a migration.

EOL DS Identifies

Unsupported frameworks in production

Abandoned dependencies with no maintainer

Software approaching EOL before your next release

Transitive deps your SCA doesn't track

Compliance gaps mapped to NIST, SOC 2, ISO 27001

NES Provides

Security patches for EOL frameworks — drop-in, zero code changes

Same package name, same API, deploys in minutes

Compliance continuity without forced migrations

AngularJS, Vue 2, .NET 6, Node 16, Spring 5, Java 8, and more

Modernize on your schedule — not someone else's deadline

Upgrade when you can.
NES when you can’t.

Learn About Never-Ending Support

VULNERABILITY DIRECTORY

1,078+ CVEs Patched Across EOL Packages

The most comprehensive public database of CVEs affecting end-of-life open source. Search by library, severity, or category.

Browse Full Directory

Subscribe to alerts

COMPLIANCE

EOL Software Is Now An Audit Finding In 12+ Jurisdictions.

Regulators aren't just asking if you track vulnerabilities — they're asking if you know what's still supported.

MANDATES IN FORCE

European Union

NIS2, CRA, DORA

United States (Federal)

EO 14028, SSDF, CISA SBMO, FedRAMP SA-22

United States (Financial)

PCI DSS 4.0

United States (Healthcare)

HIPAA §164.308

ADOPTED / IN TRANSITION

United Kingdom

CS&R Bill, Cyber Essentials

United States (Commercial)

NIST CSF 2.0, SOC 2 CC7

Australia

ASD ISM, Essential 8

Global Financial

PCI DSS §12.3.4

EMERGING GUIDANCE

India

CERT-In, SEBI

Cross-border

ISO/IEC 27001, GDPR (Art. 32)

Penalties range from €15M/2.5% global turnover (EU CRA) to loss of Federal contracts (FedRAMP) and payment card acceptance (PCI DSS)

* CRA in force Dec 2024; full obligations apply Dec 2027

*DORA applies to EU financial sector only

*CS&R Bill passing through UK Parliament

FREQUENTLY ASKED QUESTIONS

Questions From Enterprise Teams

Get answers to some of our most commonly asked questions.
Of course, if you can't find the answer you're looking for, feel free to contact us.

Run An EOL Scan For Free

Upload your dependency files or use our CLI to uncover unsupported, end-of-life open source software in minutes.  

No heavy setup. No new platform. Just end-of-life visibility.

Get Started For Free

Have questions about End of Life Open Source Software or securing legacy frameworks?

Our team works with engineering, security, and compliance leaders across regulated industries.

Request A Demo

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Find What’s End-of-Life.Fix It In Minutes.Never Run EOL Software Again.

Whether you need to resolve a specific CVE today or get ahead of EOL risk across your entire open source stack — HeroDevs has you covered.

TRUSTED BY SECURITY AND ENGINEERING TEAMS AT

See How It Works

Choose Your Entry Point

Full Tree Resolved

EOL Findings Detected

Every Finding Gets A Fix

Fleet-wide Report

Where Do You Want To Start?

Find It. Fix It. Stay Compliant.

Upgrade when you can. NES when you can’t.

1,078+ CVEs Patched Across EOL Packages

EOL Software Is Now An Audit Finding In 12+ Jurisdictions.

Questions From Enterprise Teams

Find What’s End-of-Life.
Fix It In Minutes.
Never Run EOL Software Again.

Upgrade when you can.
NES when you can’t.

EOL Software Is Now An Audit Finding In 12+ Jurisdictions.