
Why it Matters

On GitHub and other platforms, vendors can mark repositories as archived. An archived repo is read-only — no new issues, no pull requests, and most importantly, no further updates or security patches. Continuing to depend on archived repositories is risky because any new vulnerability discovered will never be fixed.

Detecting archived repositories helps teams identify extensions that have effectively reached end-of-life, even if they still function today. Migrating away from archived code avoids long-term security debt.

Verification Steps

GitHub/GitLab status check

# Visit the repository page in a browser.
# Archived repositories display the banner "This repository has been archived by the owner".

# GitHub API check: the repos endpoint returns a JSON field named "archived"
curl -s https://api.github.com/repos/vendor/extension | grep '"archived"'
# Expected: "archived": false
# A value of true means the repository is read-only and will receive no further fixes.

Composer metadata

# Look at each package's source URL: the "repositories" entries in composer.json
# and the "source" -> "url" field of every package in composer.lock.
# If it points to an archived repo, flag it.
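
The two checks above can be combined into one script that reads composer.lock, maps each GitHub source URL to its repos API endpoint and reports FAIL for any package whose repository is archived. This is an added example, not code from the baseline; the composer.lock fragment and the package names in it are constructed, and the `fetch` parameter exists so the lookup can be replaced with canned API payloads when testing offline.

```python
import json
import re
from urllib.request import Request, urlopen

# Constructed composer.lock fragment for illustration (not a real project).
SAMPLE_LOCK = {
    "packages": [
        {"name": "vendor/extension",
         "source": {"type": "git", "url": "https://github.com/vendor/extension.git"}},
        {"name": "acme/other-module",
         "source": {"type": "git", "url": "git@github.com:acme/other-module.git"}},
        # No "source" block: distributed as a zip, so it is skipped by this check.
        {"name": "internal/private", "dist": {"url": "https://packagist.example/private.zip"}},
    ]
}

# Accepts both https://github.com/owner/repo(.git) and git@github.com:owner/repo(.git)
GITHUB_RE = re.compile(r"github\.com[:/]([\w.-]+)/([\w.-]+?)(?:\.git)?$")


def github_repos(lock):
    """Map package name -> (owner, repo) for packages whose source is hosted on GitHub."""
    found = {}
    for pkg in lock.get("packages", []):
        m = GITHUB_RE.search(pkg.get("source", {}).get("url", ""))
        if m:
            found[pkg["name"]] = (m.group(1), m.group(2))
    return found


def api_url(owner, repo):
    return f"https://api.github.com/repos/{owner}/{repo}"


def fetch_repo(owner, repo, token=None):
    """Live lookup of the repos endpoint; an optional token avoids the unauthenticated rate limit."""
    req = Request(api_url(owner, repo), headers={"Accept": "application/vnd.github+json",
                                                 "User-Agent": "archived-repo-check"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(lock, fetch=fetch_repo):
    """Return {package: "FAIL" | "PASS"}; FAIL means the API reports "archived": true."""
    return {name: "FAIL" if bool(fetch(owner, repo).get("archived", False)) else "PASS"
            for name, (owner, repo) in github_repos(lock).items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LOCK).items():
        print(f"{name}: {verdict}")
```

Run it against a real lock file with `audit(json.load(open("composer.lock")))`; packages with no GitHub source are not covered and still need the manual check.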

Remediation / Fix Guidance

  1. Audit all extensions and check if their repositories are archived.
  2. If an extension is archived:
    • Replace it with a supported alternative.
    • If business-critical, fork the repository and maintain it internally.
    • Document the fork and take ownership of applying security patches going forward.
  3. Update procurement policies to forbid dependencies tied to archived repositories.

Examples

Fail Example

# GitHub repo shows banner:
"This repository has been archived by the owner. It is now read-only."
# Extension still used in production → FAIL

Pass Example

# Vendor migrated to a new active repository
# Store upgraded to maintained fork → PASS

References