A06 Vulnerable Components
What this means
SiteShadow flagged dependency hygiene risks (outdated packages, missing inventory, weak pinning, or lack of vulnerability visibility).
Why it matters
Outdated or unpinned dependencies can include known vulnerabilities.
- Known exploits exist for many old versions, and scanners actively look for them.
- Transitive deps bite: you can be vulnerable without importing a library directly.
- Build drift: without pins/lockfiles you may ship different code than you tested.
Safer examples
1) Keep dependencies reproducible
- Pin versions and commit lockfiles (see DEP01).
2) Add automated dependency alerts
Use Renovate/Dependabot + CI, and review updates regularly.
3) Inventory what you ship
Generate SBOMs for releases (see SBOM01).
How SiteShadow detects it (high level)
- Looks for missing lockfiles, overly broad version ranges, and "latest/*" usage.
- Flags dependency and build patterns that make vulnerabilities harder to track or fix.
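An added example (not SiteShadow's own detector) that applies the pinning rules from the "Safer examples" and detection sections above to an npm package.json: it classifies each specifier as exact, range, or unpinned ("latest"/"*"), and treats ranges as acceptable only when a lockfile is committed. The sample manifest is constructed for illustration.

```python
import json
import re

# Constructed sample package.json (not from any real project) with mixed pinning.
SAMPLE_PACKAGE_JSON = """
{
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "*",
    "left-pad": "latest",
    "pinned-lib": "1.2.3",
    "range-lib": ">=2.0.0 <3.0.0"
  },
  "devDependencies": {"jest": "29.7.0"}
}
"""
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

def classify_spec(spec: str) -> str:
    """Classify an npm version specifier: 'exact', 'range', or 'unpinned'."""
    s = spec.strip()
    if s in ("", "*", "x", "latest"):
        return "unpinned"  # resolves to whatever is newest at install time
    if EXACT_VERSION.match(s):
        return "exact"
    return "range"  # caret, tilde, comparators: resolved by the lockfile, if any

def find_weak_pins(manifest_text: str) -> dict:
    """Return every non-exact specifier, grouped as 'unpinned' or 'range'."""
    manifest = json.loads(manifest_text)
    findings = {"unpinned": [], "range": []}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            kind = classify_spec(spec)
            if kind != "exact":
                findings[kind].append(f"{section}/{name}={spec}")
    return findings

def assess_manifest(manifest_text: str, has_lockfile: bool) -> list:
    """Ranges are acceptable only when a committed lockfile resolves them."""
    findings = find_weak_pins(manifest_text)
    issues = []
    if not has_lockfile:
        issues.append("no lockfile committed: builds are not reproducible")
        issues.extend(f"range without lockfile: {e}" for e in findings["range"])
    issues.extend(f"unpinned: {e}" for e in findings["unpinned"])
    return issues
```

Run `assess_manifest(SAMPLE_PACKAGE_JSON, has_lockfile=False)` to see how the same manifest produces more findings once the lockfile is absent.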
References
- OWASP Top 10: https://owasp.org/Top10/
---