
MB-R061 Abandoned on Packagist

C10 Abandoned Extensions Removal High

Extensions marked as “abandoned” on Packagist, or in any other Composer repository metadata, should be flagged immediately. Abandoned modules no longer receive updates or security patches, so any weakness found in them stays exploitable for as long as they are installed. Replace such modules with maintained alternatives to reduce long-term security exposure.

Why it Matters

Packagist allows vendors to mark packages as abandoned. This means the package is no longer maintained and will never receive updates or security patches. Stores that continue to use abandoned extensions face permanent risk of vulnerabilities and compatibility problems as Magento and PHP evolve.

Detecting abandoned packages early allows teams to plan migration to supported alternatives before attackers exploit unpatched weaknesses.

Verification Steps

Composer check

# Check whether an installed extension is abandoned (shows the repository
# metadata for the package, including the abandoned notice if one is set)
composer show vendor/extension -a

# Example output:
abandoned: This package is abandoned and no longer maintained.

Automation

# List direct dependencies that have newer releases available, to review
# whether each one is still actively supported
composer outdated --direct
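The manual checks above cover one package at a time. The script below, added here as an example and not part of the baseline or of Composer, walks every package in a project's composer.lock and looks each one up in Packagist's p2 metadata, where an abandoned package carries an "abandoned" key whose value is either true or the name of a suggested replacement. The lock file and the metadata embedded in the script are constructed samples (vendor/legacy-module, vendor/old-widget and so on are invented names); fetch_packagist_metadata performs the live lookup when you are online, and find_abandoned accepts any lookup function so the check can run offline against cached metadata.

```python
import json
import urllib.request

# Constructed sample composer.lock content; the package names are invented.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/legacy-module", "version": "1.2.3"},
        {"name": "vendor/active-module", "version": "2.0.0"},
        {"name": "vendor/old-widget", "version": "0.9.1"},
    ],
    "packages-dev": [
        {"name": "vendor/dev-tool", "version": "3.1.0"},
    ],
})

# Constructed Packagist p2 metadata, keyed by package name. Packagist marks an
# abandoned package with "abandoned": true, or with the name of a suggested
# replacement package as the value.
SAMPLE_METADATA = {
    "vendor/legacy-module": {"packages": {"vendor/legacy-module": [
        {"version": "1.2.3", "abandoned": True}]}},
    "vendor/active-module": {"packages": {"vendor/active-module": [
        {"version": "2.0.0"}]}},
    "vendor/old-widget": {"packages": {"vendor/old-widget": [
        {"version": "0.9.1", "abandoned": "vendor/new-widget"}]}},
    "vendor/dev-tool": {"packages": {"vendor/dev-tool": [
        {"version": "3.1.0"}]}},
}


def fetch_packagist_metadata(name):
    """Live lookup of p2 metadata on Packagist (needs network access)."""
    url = f"https://repo.packagist.org/p2/{name}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def lookup_sample(name):
    """Offline lookup against the constructed metadata above."""
    return SAMPLE_METADATA.get(name, {"packages": {}})


def abandoned_status(metadata, name):
    """Return None if maintained, True if abandoned with no replacement,
    or the replacement package name. Every version entry is scanned because
    Packagist's minified p2 format only repeats a key when its value changes."""
    for entry in metadata.get("packages", {}).get(name, []):
        if "abandoned" in entry:
            return entry["abandoned"]
    return None


def find_abandoned(lock_text, fetch=lookup_sample, include_dev=True):
    """Return one finding per abandoned package listed in composer.lock."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings = []
    for section in sections:
        for pkg in lock.get(section, []):
            status = abandoned_status(fetch(pkg["name"]), pkg["name"])
            if status:  # True or a replacement name; False/None means maintained
                findings.append({
                    "name": pkg["name"],
                    "version": pkg["version"],
                    "replacement": status if isinstance(status, str) else None,
                    "dev": section == "packages-dev",
                })
    return findings


if __name__ == "__main__":
    # Offline run against the constructed samples; pass fetch_packagist_metadata
    # and the real composer.lock contents to check a live project.
    for finding in find_abandoned(SAMPLE_LOCK):
        hint = f" -> consider {finding['replacement']}" if finding["replacement"] else ""
        print(f"ABANDONED {finding['name']} {finding['version']}{hint}")
```

Run it in CI and fail the build when the list is non-empty; the replacement hint, where Packagist supplies one, is a starting point for the migration planning described under remediation, not a guarantee that the suggested package is a drop-in substitute.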

Remediation / Fix Guidance

  1. Identify all abandoned packages via Composer audit.
  2. Replace abandoned extensions with maintained alternatives recommended by the community or vendor.
  3. If no replacement exists, fork the code internally and take ownership of patching/security fixes.
  4. Update procurement policies to forbid new dependencies that are already marked abandoned.

Examples

Fail Example

$ composer show vendor/module -a
name     : vendor/module
versions : * 1.2.3
abandoned: This package is abandoned and no longer maintained.
# Still used in production → FAIL

Pass Example

$ composer remove vendor/module
# Migrated to a supported alternative extension
# No abandoned packages remain → PASS

References