Package health
For every package in your tech stack, AlertaVuln queries the ecosystem’s public registry and records what it reports:
- the latest published version
- the last publish date
- any deprecation or abandonment flag, including the maintainer’s message and suggested replacement where the registry provides one
- the licence (SPDX where available, best-effort elsewhere)
A CVE tells you a package is vulnerable; package health tells you it is quietly rotting - deprecated, unmaintained, or long overdue an update - before a CVE ever lands.

The Package Health page flags deprecated, unmaintained and stale packages, and the versions available upstream. Demo data.
Maintenance statuses
Each package resolves to one status:
| Status | Meaning |
|---|---|
| Deprecated | The registry reports the package as officially deprecated by its maintainers. |
| Unmaintained | The registry signals abandonment (for example Packagist’s abandoned flag or PyPI’s Inactive classifier). |
| Stale | No release within the project’s stale threshold - 90 days by default, configurable per project. |
| Healthy | A recent release exists and no negative signal was found. |
| Unknown | The registry returned no usable data. |
Registry signals by ecosystem
| Ecosystem | Registry queried | Deprecation / abandonment signal |
|---|---|---|
| npm | registry.npmjs.org | deprecated field on the latest version |
| PyPI | pypi.org | Development Status :: 7 - Inactive (or 1 - Planning) classifier |
| NuGet | api.nuget.org | Catalog deprecation entry, including the suggested alternate package |
| crates.io | crates.io | none (version, recency and licence only) |
| RubyGems | rubygems.org | none (version, recency and licence only) |
| Maven | Maven Central (search.maven.org) | none (version and recency only) |
| Go | proxy.golang.org | none (version and recency only) |
| Packagist | repo.packagist.org | abandoned flag, including the suggested replacement |
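The two tables above describe a decision procedure: take whatever the registry reports, check for an explicit deprecation or abandonment signal first, and only then fall back to release recency against the stale threshold. The following is an added example that walks through that procedure for the three ecosystems with a signal field (npm, PyPI, Packagist); it is illustrative code, not AlertaVuln's implementation. The registry documents are constructed samples that only approximate the shape of the real npm, PyPI and Packagist responses, and the treatment of the PyPI "1 - Planning" classifier as Unmaintained is this example's reading of the table rather than a documented rule.

```python
"""Resolve a package's maintenance status from registry metadata.

Added illustration, not AlertaVuln's own code. The registry documents built in
demo() are CONSTRUCTED samples approximating npm, PyPI and Packagist responses;
the signal fields are the ones the page names (npm `deprecated`, PyPI
`Development Status` classifier, Packagist `abandoned`). No network access.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

STALE_THRESHOLD_DAYS = 90  # page default; configurable per project


@dataclass
class Health:
    status: str                    # Deprecated | Unmaintained | Stale | Healthy | Unknown
    latest: Optional[str]
    last_publish: Optional[datetime]
    message: Optional[str] = None  # maintainer's deprecation message, where the registry gives one
    replacement: Optional[str] = None
    licence: Optional[str] = None


def _unknown() -> Health:
    return Health("Unknown", None, None)


def _ts(s: str) -> datetime:
    """Parse a registry timestamp; naive values (PyPI upload_time) are taken as UTC."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _by_recency(latest, published, now, stale_days, licence) -> Health:
    """Stale vs Healthy; applied only when no negative registry signal was found."""
    status = "Stale" if now - published > timedelta(days=stale_days) else "Healthy"
    return Health(status, latest, published, licence=licence)


def health_from_npm(meta: dict, now: datetime, stale_days=STALE_THRESHOLD_DAYS) -> Health:
    latest = meta.get("dist-tags", {}).get("latest")
    ver = meta.get("versions", {}).get(latest)
    when = meta.get("time", {}).get(latest)
    if not ver or not when:
        return _unknown()
    published, licence = _ts(when), ver.get("license")
    if ver.get("deprecated"):  # `deprecated` field on the latest version
        return Health("Deprecated", latest, published, message=ver["deprecated"], licence=licence)
    return _by_recency(latest, published, now, stale_days, licence)


def health_from_pypi(meta: dict, now: datetime, stale_days=STALE_THRESHOLD_DAYS) -> Health:
    info = meta.get("info", {})
    latest = info.get("version")
    files = meta.get("releases", {}).get(latest) or []
    if not files:
        return _unknown()
    published = max(_ts(f["upload_time"]) for f in files)
    inactive = ("Development Status :: 7 - Inactive", "Development Status :: 1 - Planning")
    if any(c.startswith(inactive) for c in info.get("classifiers", [])):
        return Health("Unmaintained", latest, published, licence=info.get("license"))
    return _by_recency(latest, published, now, stale_days, info.get("license"))


def health_from_packagist(meta: dict, name: str, now: datetime,
                          stale_days=STALE_THRESHOLD_DAYS) -> Health:
    versions = meta.get("packages", {}).get(name) or []
    if not versions:
        return _unknown()
    newest = versions[0]  # the constructed sample lists the newest release first
    latest, published = newest.get("version"), _ts(newest["time"])
    licence = ", ".join(newest.get("license", [])) or None
    abandoned = newest.get("abandoned", False)  # False, True, or the suggested replacement name
    if abandoned:
        repl = abandoned if isinstance(abandoned, str) else None
        return Health("Unmaintained", latest, published, replacement=repl, licence=licence)
    return _by_recency(latest, published, now, stale_days, licence)


# --- constructed sample registry documents ---------------------------------
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _npm(version: str, time: str, deprecated: Optional[str] = None) -> dict:
    ver = {"license": "MIT"}
    if deprecated:
        ver["deprecated"] = deprecated
    return {"dist-tags": {"latest": version}, "versions": {version: ver}, "time": {version: time}}


def demo() -> Dict[str, Health]:
    pypi_doc = {"info": {"version": "0.9.2", "license": "BSD",
                         "classifiers": ["Development Status :: 7 - Inactive",
                                         "Programming Language :: Python :: 3"]},
                "releases": {"0.9.2": [{"upload_time": "2019-04-03T10:00:00"}]}}
    packagist_doc = {"packages": {"vendor/old-lib": [
        {"version": "2.3.0", "time": "2025-05-20T09:12:00+00:00",
         "license": ["MIT"], "abandoned": "vendor/new-lib"}]}}
    return {
        "old-npm-lib": health_from_npm(_npm("4.17.21", "2021-02-20T15:42:16.891Z",
                                            "use new-npm-lib instead"), NOW),
        "stale-npm": health_from_npm(_npm("1.2.0", "2024-12-01T00:00:00.000Z"), NOW),
        "fresh-npm": health_from_npm(_npm("3.0.1", "2025-05-15T00:00:00Z"), NOW),
        "inactive-py": health_from_pypi(pypi_doc, NOW),
        "vendor/old-lib": health_from_packagist(packagist_doc, "vendor/old-lib", NOW),
    }


if __name__ == "__main__":
    for name, h in demo().items():
        print(f"{name:16} {h.status:12} latest={h.latest} replacement={h.replacement}")
```

Note the ordering: a deprecation or abandonment signal wins even when the package was released recently (`vendor/old-lib` has a release from May 2025 but still resolves to Unmaintained), and a package with no usable registry data resolves to Unknown rather than being silently treated as Healthy.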
When checks run
- On change - when a package is added manually or a repository rescan lands new packages, its health is checked within seconds.
- Background sweep - every 6 hours, any package not checked in the last 6 hours is re-checked. Already-flagged packages are swept first so deprecation and staleness signals stay fresh.
- On demand - Refresh All on the Package Health page queues a sweep of the selected project.
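The background sweep rule above (re-check anything not checked in the last 6 hours, flagged packages first) is simple to state but has two edge cases worth pinning down: a package exactly at the 6-hour boundary, and one that has never been checked. The following added example implements that selection and ordering; it is not AlertaVuln's scheduler, and the package records are constructed samples.

```python
"""Select and order packages for a background health sweep.

Added illustration, not AlertaVuln's own scheduler. Implements the rule stated
on the page: re-check any package not checked in the last 6 hours, with
already-flagged packages (Deprecated / Unmaintained / Stale) swept first.
Among equally ranked packages the least recently checked goes first (this
example's tie-break, not a documented rule). Records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SWEEP_INTERVAL = timedelta(hours=6)
FLAGGED = {"Deprecated", "Unmaintained", "Stale"}
_NEVER = datetime.min.replace(tzinfo=timezone.utc)  # sorts before any real timestamp


@dataclass
class PackageRecord:
    name: str
    status: str                       # current maintenance status
    last_checked: Optional[datetime]  # None = never checked


def sweep_queue(packages: List[PackageRecord], now: datetime,
                interval: timedelta = SWEEP_INTERVAL) -> List[str]:
    """Names due for a re-check: flagged first, then least recently checked."""
    due = [p for p in packages
           if p.last_checked is None or now - p.last_checked >= interval]
    due.sort(key=lambda p: (0 if p.status in FLAGGED else 1, p.last_checked or _NEVER))
    return [p.name for p in due]


# --- constructed sample records ---------------------------------------------
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    PackageRecord("left-pad", "Healthy", NOW - timedelta(hours=7)),
    PackageRecord("old-orm", "Deprecated", NOW - timedelta(hours=9)),
    PackageRecord("fresh-lib", "Healthy", NOW - timedelta(hours=1)),   # not due yet
    PackageRecord("dusty-tool", "Stale", NOW - timedelta(hours=6)),    # exactly at threshold: due
    PackageRecord("never-checked", "Unknown", None),                    # never checked: due
]


def demo_sweep() -> List[str]:
    return sweep_queue(SAMPLE, NOW)


if __name__ == "__main__":
    print(demo_sweep())
```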
Updates available
The latest registry version is recorded alongside the version your project declares, and the Package Health page surfaces every package with a newer version available upstream, with a link to its registry listing.
Notifications
When a package newly flips to Deprecated or Unmaintained during any check, a deprecation notification is dispatched to the project’s configured webhook channels - the same five channels used for CVE alerts.
Licence capture
The licence recorded from registry metadata complements the CLI’s licence scan: registry metadata covers what the package declares, while `av sast scan` finds licence files present in the actual scanned tree.
See also
- Dependencies (SCA) - how the tech stack is derived and matched against CVEs
- Coverage overview - everything AlertaVuln watches
- `av sast scan` - licence findings in the scanned tree