The Truth About npm Deprecated Packages

ID: a39ff67e-aec8-5d08-afb8-cf29494b4f55

STIX ID: report--a39ff67e-aec8-5d08-afb8-cf29494b4f55

Feed Name: Aqua Security Blog

Threat Score
60/100

Date Published: 2024-01-18

Date Updated: 2026-04-26

...
...

Aqua Nautilus research shows a large portion of the most-downloaded npm packages are deprecated or effectively unmaintained (8.2% by npm definition, up to ~21% using extended criteria), creating widespread supply-chain risk—potentially affecting 2.1 billion weekly downloads. The blog describes how maintainers sometimes archive or deprecate packages instead of fixing security issues or obtaining CVEs, demonstrates dependency analysis of the top 50K npm packages, and releases an open-source Dependency Deprecation Checker to help organizations identify direct and transitive deprecated dependencies, concluding with recommended organizational mitigations and policies.