Using end-of-life packages is a risk to your organization. An end-of-life package, by definition, will no longer receive fixes or updates. Any vulnerability or critical bug in an end-of-life package will not be fixed, and you will have to find a workaround or move to a new package.
By proactively moving away from end-of-life packages, you can reduce your risk before it becomes a critical emergency. With the Tidelift Subscription, you can require the use of stable releases by enabling the End-of-life packages standard.
How does Tidelift detect end-of-life packages?
Tidelift researches and pulls information on end-of-life packages from places such as upstream package managers, collection sites such as https://endoflife.date and foundation sites such as the Apache Attic. Tidelift also performs manual research as needed.
Note: this standard only covers packages that have been declared end-of-life in their entirety. It does not check whether a specific release of an otherwise maintained package has stopped receiving updates.
Managing overrides
While it is not recommended practice, you may need to allow a package that the End-of-life packages standard has blocked.
To do so, see Creating Overrides.
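As an added illustration of the whole-package rule, the caveat about individual releases, and the override mechanism described above (example code written for this page, not Tidelift's implementation), the checker below evaluates a dependency list against constructed data in the shape of endoflife.date's per-product JSON (a list of release cycles whose "eol" field is an ISO date or a boolean). The product names, versions and dates are invented, and the override allowlist is a simplified stand-in for the overrides feature.

```python
from datetime import date

# Constructed sample feed shaped like endoflife.date's per-product JSON.
# Names and dates are illustrative, not real data.
EOL_FEED = {
    "legacy-lib": [{"cycle": "2", "eol": "2020-01-01"},
                   {"cycle": "1", "eol": "2018-06-30"}],
    "active-lib": [{"cycle": "4", "eol": False},
                   {"cycle": "3", "eol": "2022-03-01"}],
}

def cycle_is_eol(cycle, today):
    """A cycle is EOL if its "eol" flag is true or its EOL date has passed."""
    eol = cycle["eol"]
    if isinstance(eol, bool):
        return eol
    return date.fromisoformat(eol) <= today

def package_is_eol(name, today, feed=EOL_FEED):
    """Whole-package rule (what the standard checks): every known cycle is EOL."""
    cycles = feed.get(name)
    if not cycles:
        return False  # not in the feed: nothing to flag
    return all(cycle_is_eol(c, today) for c in cycles)

def release_is_eol(name, version, today, feed=EOL_FEED):
    """Per-release rule (what the standard does NOT check): only this cycle is EOL."""
    major = version.split(".")[0]
    for c in feed.get(name, []):
        if c["cycle"] == major:
            return cycle_is_eol(c, today)
    return False

def evaluate(deps, today, overrides=frozenset(), feed=EOL_FEED):
    """Return [(name, version, verdict)] for a list of (name, version) pairs."""
    results = []
    for name, version in deps:
        if name in overrides:
            verdict = "allowed-by-override"      # hypothetical override allowlist
        elif package_is_eol(name, today, feed):
            verdict = "blocked"                  # flagged by the whole-package rule
        elif release_is_eol(name, version, today, feed):
            verdict = "release-eol-not-flagged"  # the caveat: stale release, live package
        else:
            verdict = "ok"
        results.append((name, version, verdict))
    return results

if __name__ == "__main__":
    deps = [("legacy-lib", "2.4.1"), ("active-lib", "3.9.0"), ("active-lib", "4.0.0")]
    for row in evaluate(deps, date(2024, 1, 1)):
        print(*row)
```

The "release-eol-not-flagged" verdict is exactly the gap the note above describes: a stale major of a still-maintained package passes the whole-package rule, so it needs a separate check if you care about it.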