Track and Update Components on Purpose
In the hyper-speed world that is DevOps (or even agile), old code is, at best, a ticking time bomb. At worst, it's the sort of digital "hack me" sign that criminals love to see in an application.
Every open source policy document should state how updates are to be managed. According to an article on the AltexSoft blog, "Any time a bug is found and fixed in an open source project, it's a race against time to ensure you apply the relevant updates to all applications that use libraries or frameworks from those projects."
One of the keys to keeping components updated is knowing which components are part of the application in the first place. A number of tools are available for scanning and enumerating the components in a project. Coverity Scan, for example, is used within many larger open source projects and enterprises. But regardless of the tool used, it's important that the technology support a policy of consistently monitoring and updating named components and their various software dependencies.
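To make the "know what is in the application, then check it against policy" step concrete, here is an added example that is not from the article and does not use Coverity Scan or any other product it names. It parses a requirements-style manifest into a component inventory and then applies three policy checks: unpinned components (the inventory cannot be reproduced), components behind a known newer release, and components matched by an advisory. The manifest, the "latest known" version table and the advisory list are all constructed in the block as stand-ins for a registry lookup and a vulnerability feed; the advisory identifier is a placeholder, not a real one.

```python
"""Enumerate declared components and check them against an update policy.

Added example. MANIFEST, LATEST and ADVISORIES are constructed sample data,
not real project data or real advisories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed manifest with pinned, ranged, unpinned and comment lines.
MANIFEST = """\
requests==2.25.0
urllib3>=1.26
flask
# build tooling below
PyYAML==5.3
"""

# Constructed "latest known release" table (stand-in for a registry lookup).
LATEST = {"requests": "2.31.0", "urllib3": "2.0.7", "flask": "3.0.0", "pyyaml": "6.0.1"}

# Constructed advisory feed: (component, highest affected version, placeholder id).
ADVISORIES = [("pyyaml", "5.3.1", "EXAMPLE-ADVISORY-001")]

# name, optional comparison operator, optional dotted version
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?"
)


@dataclass
class Component:
    name: str                 # normalised (lower-case) component name
    spec: str                 # specifier as written, '' when absent
    version: Optional[str]    # exact version only when pinned with ==


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.25.0' into (2, 25, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> List[Component]:
    """Build the component inventory from a requirements-style manifest."""
    comps: List[Component] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        pinned = ver if op == "==" else None
        comps.append(Component(name, f"{op}{ver}" if op else "", pinned))
    return comps


def check_policy(comps: List[Component]) -> List[Tuple[str, str, str]]:
    """Return (component, finding kind, detail) for every policy violation."""
    findings: List[Tuple[str, str, str]] = []
    for c in comps:
        if c.version is None:
            # A range or no version at all: the build is not reproducible and
            # the inventory cannot say which release is actually deployed.
            findings.append((c.name, "unpinned", "pin an exact version"))
            continue
        latest = LATEST.get(c.name)
        if latest and parse_version(c.version) < parse_version(latest):
            findings.append((c.name, "outdated", f"{c.version} < {latest}"))
        for adv_name, max_affected, adv_id in ADVISORIES:
            if adv_name == c.name and parse_version(c.version) <= parse_version(max_affected):
                findings.append((c.name, "advisory", adv_id))
    return findings


if __name__ == "__main__":
    inventory = parse_manifest(MANIFEST)
    for comp in inventory:
        print(f"{comp.name:10} {comp.spec or '(unpinned)'}")
    for name, kind, detail in check_policy(inventory):
        print(f"{kind:9} {name}: {detail}")
```

In a real pipeline the `LATEST` table and `ADVISORIES` list would be replaced by queries to the package registry and a vulnerability feed, and the script would run on every commit so that an "outdated" or "advisory" finding fails the build rather than being discovered later.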
(Image: ra2 studio VIA Adobe Stock)