Stay Supported, Stay Secure

Never-Ending Support from HeroDevs keeps your open source software secure after end-of-life — without migrating.

TRUSTED BY ENTERPRISE

Google logoMicrosoft logoFinra logoBank Santander Logo
Hitachi LogoWorkday logoDropbox logo

How It Works

Security Patches

A new NES release every time we find, validate, and fix a CVE that affects your version. Continuous coverage — not a one-time backport, not a deadline.

Same-day response for critical issues

Security and application-breaking issues are top priority.

On-Demand EOL Risk Assessment

81,000+ packages have known CVEs and zero fix path. Your SCA flags the vulnerabilities, but our EOL Dataset (EOL DS) tells you which software is dead.
Try it Now →

Drop-In Compatibility

Point your registry at us, rebuild, ship. No migrations. No find-and-replace.

Point your package manager at the NES registry and rebuild

A few lines of config. Your existing pipeline, your existing tooling — nothing else changes.

Works with your existing infrastructure

Your build process, your pipeline, your tooling — nothing changes on your end.

Support Commitment

Engineered with the contractual and compliance commitments enterprise procurement teams require.

SLA Compliance

HeroDevs provides SLAs that ensure compliance by providing incident response and remediation in accordance with industry-standard regulations, including SOC 2, FedRAMP, PCI, and HIPAA.
Learn More →

Commercial Contract Assurances

OSS NES is not only secure and compatible, but is offered with industry-standard commercial assurances for the use of HeroDevs Services.
Learn More →

Ensuring Full Compliance and Security

Never-Ending Support ensures your end-of-life open-source software stays fully compliant with regulations like SOC 2, FedRAMP, PCI, HIPAA, DORA, and CRA. With ongoing security updates and a commitment to audit readiness, you can rest easy knowing your systems remain compliant, secure, and ready for any inspection.

DSS Compliance badgeGDPR badgeHIPAA Compliant badgeSOC 2 TYPE 1 badgeFedRAMP badge
Statista logo

“Beyond the technical benefits, HeroDevs' solution delivered significant business value. We maintained our security posture without compromising our strategic roadmap, all while achieving substantial cost savings compared to a full migration”

Markus Wolf, Architect @ Statista

Trusted by security and engineering teams at 1000+ companies
Google logo
Microsoft logo
Santander logo
Dropbox logo
Hitachi Logo
Finra logo
General Electric logo
NHS logo
Lilly logo
box logo
Abbot logo
Workday logo
Schneider Electric Logo
Chevron logo

Supported Technologies

Search

Category

Filtering by:
Severity
=
Text for Severity
Close icon
Clear Filters
Product
Category
Versions Covered
Links

Angular

JavaScript

v4 - v19

AngularJS

JavaScript

1.4.x, 1.5.x, 1.8.x

Apache Grails

Java

6.2, 7

Apache Solr & Lucene

Java

8.11.x

Struts

Java

Various versions

Apache Tapestry

Java

4.1.x

Tomcat logo

Apache Tomcat

Java

8.5

Bootstrap

JavaScript

2 - 4

CometD

Java

5, 6, 7

Django

Python

3.2, 4.2

Drupal 7

PHP

7.x

ESLint

JavaScript

8.x

Express

JavaScript

3.x

Fastify

JavaScript

3.x

Grunt

JavaScript

v0.4 - 1.5

200+ CVEs Remediated

Switch to NES in minutes to fix these vulnerabilities immediately.
Severity
CVE
Category
Version(s) Affected
Published Date
Medium
Improper Input Validation (4.16)
>=0.16.0 <2.0.10 >=3.0.0 <3.0.6 >=4.0.0 <4.1.0
Jul 14, 2026
Medium
Denial of Service
<20.20.2 >=22.0.0 <22.22.2 >=24.0.0 <24.14.1 >=25.0.0 <25.8.2
Apr 13, 2026
High
Uncontrolled Resource Consumption
v4 < v20.20.0, v22 < v22.22.0, v24 < v24.13.0, v25 < v25.3.0
Jan 13, 2026
High
Path Traversal
4.0 < 20.19.4, 22 < 22.17.1, 24 < 24.4.1
Jul 15, 2025
Medium
HTTP Request Smuggling
4.0 < 20.19.1
May 14, 2025
High
Cryptographic Weakness
4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
May 14, 2025
Medium
Denial of Service
4.0 < 18.20.6, 20 < 20.18.2
Feb 7, 2025
Medium
Path Traversal
4.0 < 18.20.6, 20 < 20.18.2
Jan 28, 2025
High
Command Injection
4.0 <= 18.20.2, 20 < 20.12.2
Jan 9, 2025
High
HTTP Request Smuggling
>=16.0.0 <16.20.1, >=18.0.0 <18.16.1, >=20.0.0 <20.3.1
Oct 16, 2024
Low
Information Exposure
>=16.0.0 <=16.20.2
Oct 15, 2024
Medium
Denial of Service
>=14.0.0 <=14.21.3, >=16.0.0 <=16.20.2
Oct 15, 2024
Medium
Cryptographic Weakness
4.0 < 18.19.1, 20 < 20.11.1
Sep 7, 2024
High
Command Injection
4.0 < 18.20.4, 20.0 < 20.15.1, 22.0< 22.4.1
Sep 7, 2024
Medium
HTTP Request Smuggling
4.0 < 18.20.1, 20 < 20.12.1
May 7, 2024
Medium
HTTP Request Smuggling
<21.7.2, <20.12.1, <v18.20.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
May 1, 2024
High
Uncontrolled Resource Consumption
4 <= 18.20.0, 20 <= 20.12.0
Apr 9, 2024
High
Privilege Escalation
4.0 < 18.19.1, 20 < 20.11.1
Feb 20, 2024
Medium
Denial of Service
<21.6.2, <20.11.1, <v18.19.1, <= 16.20.2
Feb 14, 2024
High
Denial of Service
<21.6.2, <20.11.1, <v18.19.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
Feb 14, 2024
Medium
Cryptographic Weakness
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Nov 28, 2023
Medium
Insufficient Verification of Data Authenticity
4.0 <= 18.18.1, 20 < 20.8.1
Oct 18, 2023
Medium
Privilege Escalation
4 <= 16.20.1, 0 <= 18.17.0, 0 <= 20.5.0
Aug 24, 2023
Medium
HTTP Request Smuggling
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Jun 30, 2023
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Dec 5, 2022
High
Resource Injection
4.0 < 14.20.0, 16 < 16.20.0, 18 < 18.5.0
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022
High
Authorization Bypass
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.0, 16 < 16.20.0, 18 < 18.5.0
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022
Filtering by:
Severity
=
Text for Severity
Close icon
Clear Filters
Severity
ID
Technology
Category
Version(s) Affected
Published Date
High

Jetty

Authorization Bypass
>=9.4.0 <9.4.63, >=10.0.0 <10.0.31, >=11.0.0 <11.0.31, >=12.0.0 <12.0.36, >=12.1.0 <12.1.10
Jul 16, 2026
Medium

Jetty

HTTP Request Smuggling
>=9.4.0 <9.4.61, >=10.0.0 <10.0.29, >=11.0.0 <11.0.29, >=12.0.0 <12.0.35, >=12.1.0 <12.1.9
Jul 16, 2026
Low
Tomcat logo

Apache Tomcat

Authorization Bypass
>=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.120, >=10.1.0-M1 <10.1.57, >=11.0.0-M1 <11.0.24
Jul 16, 2026
Medium

Node.js

Improper Input Validation (4.16)
>=0.16.0 <2.0.10 >=3.0.0 <3.0.6 >=4.0.0 <4.1.0
Jul 14, 2026
High

Protocol Buffers

Denial of Service
<3.25.5, >=4.0.0-RC1 <4.27.5, >=4.28.0-RC1 <4.28.2
Jul 9, 2026
High

Angular

Cross-Site Scripting
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Jul 9, 2026
High

Angular

Denial of Service
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Jul 9, 2026
High

Angular

Resource Injection
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Jul 9, 2026
Medium

Angular

Cross-Site Scripting
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Jul 8, 2026
High

Angular

Information Exposure
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Jul 8, 2026
High

Apache Kafka

Remote Code Execution
>=2.3.0 <3.9.1
Jul 1, 2026
High

Apache Kafka

Remote Code Execution
>=2.0.0 <3.9.1
Jul 1, 2026

We Partner With Core Contributors

We collaborate with open source maintainers to ensure NES is the same quality you expect. By involving core maintainers, we set a new standard for sunsetted open source to make NES as dependable as the original.

OpenJS Foundation logoVue LogoAngular LogoDrupal Association logoNuxt LogoProtractor logo
User icon wiht computer

We Give Back to Open Source

When you choose HeroDevs, a portion of every sale goes directly back to the authors and maintainers who built the software your business depends on. We partner with the open source community — not as outsiders, but as original contributors and long-term stewards.

Sponsor long-term maintainers of major frameworks

Patch CVEs for abandoned open source projects upstream

Provide end-of-life intelligence to support a safer software ecosystem

$20M Open Source Sustainability Fund

Frequently Asked Questions

Does HeroDevs share CVE resolution details with security scanning vendors to prevent false positives?
Does HeroDevs provide ongoing support for project dependencies and non-CVE issues?
How does HeroDevs compare to alternatives like Tanzu or OpenLogic?
Can I try HeroDevs NES before committing?
How quickly does HeroDevs release patches for new vulnerabilities?
What is included in a HeroDevs NES subscription?
Is HeroDevs compliant with major regulations?
How does HeroDevs keep my software secure?
How can NES help me maintain security and compliance while I plan my migration?
What does HeroDevs offer for end-of-life (EOL) software?

Got an EOL open source package not listed yet?

Request early access in the form, or scan for EOL you might not know about in your tech stack.

Request Early Support

By submitting the form I acknowledge receipt of our Privacy Policy.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.