
The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs
What's in the SOSS? An OpenSSF Podcast
In this episode of What’s in the SOSS, host CRob sits down with Isaac Wuest, Product Line Leader at HeroDevs, to explore the critical and often overlooked "gray area" of the software supply chain: End-of-Life (EOL) software. While the industry heavily relies on CVEs to track vulnerabilities, Isaac explains how maintainer abandonment creates a vacuum where risks are present but remain undiscovered and unreported. From the origins of HeroDevs supporting AngularJS to the nuances of the EU Cyber Resilience Act (CRA), this conversation provides a practical framework for distinguishing between inherent hazards and actual risk in your dependency tree.
Chapters:
00:04 - CRob welcomes Isaac Wuest from HeroDevs
00:45 - The HeroDevs origin story: How Google sunsetting AngularJS created a need for secure drop-in replacements.
02:44 - Isaac’s path to open source: Transitioning from product management to supporting maintainers.
04:06 - Exploring the "Gap" in CVEs: Why dictionary-based vulnerability tracking misses EOL and malicious packages.
07:03 - The challenge of "Maintainer Attestation": Why most open source projects lack a formal EOL calendar.
09:52 - Compliance and Risks: How EOL dependencies create blank spots for security professionals and auditors.
11:27 - The Shark in the Tank: Using a food regulation analogy to differentiate between hazard and risk.
13:22 - Navigating the EU Cyber Resilience Act: Preparing for increased manufacturer accountability in software.
14:08 - Maintainer Abandonment: Identifying the moment a project stops receiving patches without formal notice.
16:14 - Scanning for Gaps: Why standard industry tools currently struggle to provide a complete EOL picture.
18:49 - Practical Remediation: Recommendations for researching upgrade paths using tools like endoflife.date.
20:49 - Analyzing SBOMs: How engineers can leverage free datasets to identify and fix deep dependency risks.
23:00 - Rapid Fire: Coffee, Star Wars, spicy food, and the favorite apocalyptic robot.
25:01 - Final Thoughts: A call to action for educating yourself on your application's EOL exposure.
Episode links:
- Isaac Wuest’s LinkedIn pageHeroDevsFree Tool: End of Life Data SetCommunity Resource: endoflife.dateGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn