Package health

For every package in your tech stack, AlertaVuln queries the ecosystem’s public registry and records what it reports:

  • the latest published version
  • the last publish date
  • any deprecation or abandonment flag, including the maintainer’s message and suggested replacement where the registry provides one
  • the licence (SPDX where available, best-effort elsewhere)

A CVE tells you a package is vulnerable; package health tells you it is quietly rotting (deprecated, unmaintained, or long overdue an update) before a CVE ever lands.

Screenshot: the Package Health page flags deprecated, unmaintained and stale packages, and the versions available upstream. Demo data.

Each package resolves to one status:

| Status | Meaning |
|---|---|
| Deprecated | The registry reports the package as officially deprecated by its maintainers. |
| Unmaintained | The registry signals abandonment (for example Packagist’s abandoned flag or PyPI’s Inactive classifier). |
| Stale | No release within the project’s stale threshold (90 days by default, configurable per project). |
| Healthy | A recent release exists and no negative signal was found. |
| Unknown | The registry returned no usable data. |
The registry queried, and the deprecation or abandonment signal read from it, differ per ecosystem:

| Ecosystem | Registry queried | Deprecation / abandonment signal |
|---|---|---|
| npm | registry.npmjs.org | deprecated field on the latest version |
| PyPI | pypi.org | Development Status :: 7 - Inactive (or 1 - Planning) classifier |
| NuGet | api.nuget.org | Catalog deprecation entry, including the suggested alternate package |
| crates.io | crates.io | none (version, recency and licence only) |
| RubyGems | rubygems.org | none (version, recency and licence only) |
| Maven | Maven Central (search.maven.org) | none (version and recency only) |
| Go | proxy.golang.org | none (version and recency only) |
| Packagist | repo.packagist.org | abandoned flag, including the suggested replacement |
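The two tables above describe a small decision procedure: read one registry's signal, then pick exactly one status, most severe first. The following is an added example of that procedure in Python; it is not AlertaVuln's own code. It reads npm's deprecated field on the latest version, PyPI's Inactive / Planning classifiers and Packagist's abandoned flag (including the replacement name), applies the 90-day stale default, and includes the transition check behind the deprecation notification described further down. The JSON payloads are constructed samples: the field names follow the public npm, PyPI and Packagist (p2) APIs, but the shapes are simplified and the newest-first ordering of Packagist version entries is an assumption.

```python
"""Resolve a package-health status from registry metadata (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_THRESHOLD_DAYS = 90  # the page's default; configurable per project
INACTIVE_CLASSIFIERS = {
    "Development Status :: 7 - Inactive",
    "Development Status :: 1 - Planning",
}


@dataclass
class HealthSignal:
    latest_version: Optional[str]
    last_publish: Optional[datetime]
    deprecated: bool = False
    unmaintained: bool = False
    message: Optional[str] = None      # maintainer's deprecation message, if any
    replacement: Optional[str] = None  # suggested replacement package, if any


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; registries commonly emit a trailing Z."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signal_from_npm(doc: dict) -> Optional[HealthSignal]:
    """npm packument: dist-tags.latest, time[version], versions[version].deprecated."""
    latest = doc.get("dist-tags", {}).get("latest")
    if not latest:
        return None
    message = doc.get("versions", {}).get(latest, {}).get("deprecated")
    return HealthSignal(latest, _parse_time(doc.get("time", {}).get(latest)),
                        deprecated=bool(message), message=message or None)


def signal_from_pypi(doc: dict) -> Optional[HealthSignal]:
    """PyPI JSON API: info.version, info.classifiers, releases[version][*].upload_time_iso_8601."""
    info = doc.get("info") or {}
    version = info.get("version")
    if not version:
        return None
    uploads = [_parse_time(f.get("upload_time_iso_8601"))
               for f in doc.get("releases", {}).get(version, [])]
    uploads = [u for u in uploads if u]
    return HealthSignal(version, max(uploads) if uploads else None,
                        unmaintained=bool(INACTIVE_CLASSIFIERS & set(info.get("classifiers", []))))


def signal_from_packagist(doc: dict, name: str) -> Optional[HealthSignal]:
    """Packagist p2 metadata (simplified): each version entry carries version, time and
    abandoned, where abandoned is true or the name of the suggested replacement."""
    versions = doc.get("packages", {}).get(name) or []
    if not versions:
        return None
    newest = versions[0]  # assumption: entries are listed newest-first
    abandoned = newest.get("abandoned", False)
    return HealthSignal(newest.get("version"), _parse_time(newest.get("time")),
                        unmaintained=bool(abandoned),
                        replacement=abandoned if isinstance(abandoned, str) else None)


def resolve_status(sig: Optional[HealthSignal], now: datetime,
                   stale_days: int = STALE_THRESHOLD_DAYS) -> str:
    """Map a signal to exactly one status, most severe signal first."""
    if sig is None or not sig.latest_version:
        return "Unknown"
    if sig.deprecated:
        return "Deprecated"
    if sig.unmaintained:
        return "Unmaintained"
    if sig.last_publish is None:
        return "Unknown"  # a version without a publish date says nothing about recency
    if now - sig.last_publish > timedelta(days=stale_days):
        return "Stale"
    return "Healthy"


def newly_flagged(previous: str, current: str) -> bool:
    """True only when a check flips a package into Deprecated or Unmaintained."""
    return current in ("Deprecated", "Unmaintained") and previous != current


# Constructed sample payloads and a fixed clock; not real registry responses.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
NPM_DEPRECATED = {"dist-tags": {"latest": "2.0.0"},
                  "time": {"2.0.0": "2025-05-20T00:00:00.000Z"},
                  "versions": {"2.0.0": {"deprecated": "use @example/new-pkg instead"}}}
NPM_STALE = {"dist-tags": {"latest": "1.3.0"},
             "time": {"1.3.0": "2024-11-01T00:00:00.000Z"}, "versions": {"1.3.0": {}}}
PYPI_INACTIVE = {"info": {"version": "0.9.2",
                          "classifiers": ["Development Status :: 7 - Inactive"]},
                 "releases": {"0.9.2": [{"upload_time_iso_8601": "2025-05-30T12:00:00Z"}]}}
PACKAGIST_ABANDONED = {"packages": {"acme/old": [
    {"version": "3.1.0", "time": "2025-05-01T00:00:00+00:00", "abandoned": "acme/new"}]}}


def demo() -> dict:
    """Resolve every sample against the fixed clock."""
    return {
        "npm-deprecated": resolve_status(signal_from_npm(NPM_DEPRECATED), NOW),
        "npm-stale": resolve_status(signal_from_npm(NPM_STALE), NOW),
        "pypi-inactive": resolve_status(signal_from_pypi(PYPI_INACTIVE), NOW),
        "packagist-abandoned": resolve_status(
            signal_from_packagist(PACKAGIST_ABANDONED, "acme/old"), NOW),
        "empty": resolve_status(signal_from_npm({}), NOW),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Note the ordering in resolve_status: an inactive classifier on a package published yesterday still yields Unmaintained, and a version with no publish date is reported as Unknown rather than guessed Healthy, matching the table's "no usable data" case.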
A package’s health is checked at three points:

  • On change - when a package is added manually or a repository rescan lands new packages, its health is checked within seconds.
  • Background sweep - every 6 hours, any package not checked in the last 6 hours is re-checked. Already-flagged packages are swept first so deprecation and staleness signals stay fresh.
  • On demand - Refresh All on the Package Health page queues a sweep of the selected project.

The latest registry version is recorded alongside the version your project declares, and the Package Health page surfaces every package with a newer version available upstream, with a link to its registry listing.

When a package newly flips to Deprecated or Unmaintained during any check, a deprecation notification is dispatched to the project’s configured webhook channels - the same five channels used for CVE alerts.

The licence recorded from registry metadata complements the CLI’s licence scan: registry metadata covers what the package declares, while av sast scan finds licence files present in the actual scanned tree.