Deprecated/abandoned package
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
A dependency with well-known deprecation/abandonment status was found (curated list).
Why it matters
A deprecated package stops receiving fixes, so any bug or vulnerability found in it stays there for as long as you ship it. The ones this rule flags (request, moment, left-pad, node-uuid) all have direct, well-supported replacements, and some print deprecation warnings on every install. Migrating now is far cheaper than migrating after a CVE forces the issue.
How to fix it
Replace request with native fetch (built into Node 18+) or got/axios if you need retries and hooks. Replace moment with day.js (near drop-in API) or date-fns/luxon; replace left-pad with the built-in String.prototype.padStart; replace node-uuid with the uuid package or crypto.randomUUID(). Migrate call sites one package at a time, then npm uninstall the old package and confirm your tests still pass.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo