Prod deps left outdated
- Researchers and practitioners flagged that many organizations run production with stale open-source dependencies.
- One report says 87% of organizations run prod with known vulnerabilities and median dependency age is 278 days.
- The thread recommends stronger CI/CD scanning and pipeline-attack awareness, including frameworks like "SmokedMeat" cited in the discussion.
Modern software ships with borrowed code, and many companies are running that code in production months behind the latest safe versions. Datadog's 2026 State of DevSecOps report found 87% of organizations had at least one known exploitable vulnerability in production services. (datadoghq.com) A dependency is a third-party library a service pulls in to do common jobs like logging in users, parsing files, or talking to databases. Datadog said the median dependency in production was 278 days behind the latest major version in 2026, up from 215 days a year earlier. (datadoghq.com)

The lag was worse in some ecosystems. Datadog reported median dependency age at 492 days for Java and 357 days for Ruby, and said 10% of services globally were built on at least one end-of-life language or runtime version. (datadoghq.com)

Security teams have two separate problems to manage: stale packages inside the app, and weak links in the assembly line that builds it. The Open Worldwide Application Security Project's open-source software top 10 lists both outdated or unmaintained components and compromised legitimate packages as core risks in modern software supply chains. (owasp.org)

That assembly line is the continuous integration and continuous delivery pipeline, the automated system that tests code and pushes releases. Datadog found only 4% of organizations pin all public GitHub Actions to specific commit hashes, a control meant to stop workflows from silently pulling changed code later. (nasdaq.com)

Boost Security released an open-source framework called SmokedMeat in April 2026 to let defenders rehearse attacks against those pipelines. The project's GitHub page describes it as a CI/CD red-team framework for authorized testing, and Boost said it can scan workflows, simulate exploitation paths, and show post-compromise movement inside build systems. (github.com; labs.boostsecurity.io) Boost tied the release to recent software supply-chain incidents and argued that build systems are still under-defended compared with application code. In its launch post, the company said teams often see a static warning in a workflow file but do not see how that can turn into cloud credentials or access to private repositories during a live attack chain. (labs.boostsecurity.io)

Datadog's report also showed why patching is not just a matter of updating everything immediately. It said half of organizations adopt new library versions within 24 hours of release, while older libraries still accumulate known flaws, leaving teams to balance breakage risk from upgrades against exposure from delay. (nasdaq.com)

The current advice from researchers and practitioners is to treat dependency hygiene and pipeline hardening as one job, not two separate backlogs. The picture in 2026 is that production systems are still carrying old packages, while the systems that build and ship them often trust too much by default. (datadoghq.com; owasp.org; github.com)
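The "days behind the latest major version" and end-of-life figures above are metrics a team can compute for its own services. The following is an added example written for this page, not Datadog's methodology or code: it defines staleness as the number of days since the first release of the newest major version of a package (a simplifying assumption made here), reports the median across a service's dependencies, and flags runtimes past an end-of-life date. The package names, versions, release dates and EOL table are all constructed sample data.

```python
from datetime import date
from statistics import median

# Constructed sample data (not from any report): the versions a service runs.
INSTALLED = {
    "web-framework": "4.2.0",
    "json-parser": "2.9.1",
    "db-driver": "7.0.3",
    "logger": "1.4.0",
}

# Hypothetical registry: package -> {version: release date}.
REGISTRY = {
    "web-framework": {
        "4.2.0": date(2024, 3, 1),
        "5.0.0": date(2025, 1, 15),
        "5.1.0": date(2025, 9, 1),
    },
    "json-parser": {"2.9.1": date(2025, 6, 10), "2.9.2": date(2025, 8, 20)},
    "db-driver": {"7.0.3": date(2023, 11, 5), "8.0.0": date(2024, 7, 1)},
    "logger": {"1.4.0": date(2026, 2, 1)},
}

# Constructed end-of-life table: runtime -> {version: EOL date}. Placeholder
# names and dates, not the real support schedule of any language.
EOL_DATES = {
    "runtime-x": {"3.7": date(2023, 6, 27), "3.12": date(2028, 10, 1)},
}

# Constructed "today" so the example is deterministic.
TODAY = date(2026, 4, 30)


def parse_version(v: str) -> tuple:
    """Turn '5.1.0' into (5, 1, 0) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def days_behind_latest_major(pkg: str, installed: str, registry: dict, today: date) -> int:
    """Days since the first release of the newest major version; 0 if on the latest major.

    This is the example's own definition of staleness (an assumption), chosen so
    the metric measures how long a newer major line has been available.
    """
    installed_major = parse_version(installed)[0]
    releases = registry[pkg]
    latest_major = max(parse_version(v)[0] for v in releases)
    if latest_major <= installed_major:
        return 0
    first_of_latest = min(d for v, d in releases.items() if parse_version(v)[0] == latest_major)
    return (today - first_of_latest).days


def staleness_report(installed: dict, registry: dict, today: date) -> dict:
    """Per-package days behind plus the median, the single number a dashboard would track."""
    per_package = {
        pkg: days_behind_latest_major(pkg, ver, registry, today) for pkg, ver in installed.items()
    }
    return {
        "per_package": per_package,
        "median_days_behind": median(per_package.values()),
        "packages_on_old_major": sorted(p for p, d in per_package.items() if d > 0),
    }


def runtime_is_eol(runtime: str, version: str, eol_table: dict, today: date) -> bool:
    """True when the runtime version's end-of-life date has already passed."""
    eol = eol_table.get(runtime, {}).get(version)
    return eol is not None and eol <= today


if __name__ == "__main__":
    report = staleness_report(INSTALLED, REGISTRY, TODAY)
    for pkg, days in report["per_package"].items():
        print(f"{pkg:15} {days:4} days behind latest major")
    print("median:", report["median_days_behind"])
    print("runtime-x 3.7 EOL:", runtime_is_eol("runtime-x", "3.7", EOL_DATES, TODAY))
```

Run against a real service the registry lookup would come from the package index's release history and the EOL table from the vendor's support schedule; the median is useful because a single ancient transitive dependency would otherwise dominate an average.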
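The pinning control Datadog measured (only 4% of organizations pin every public GitHub Action to a commit hash) is easy to check mechanically. Below is an added example, not code from Datadog, Boost or the SmokedMeat project, that scans a workflow file for `uses:` references and reports any that resolve to a mutable tag or branch instead of a full 40-character commit SHA. The workflow text is constructed for the example, the SHA in it is a placeholder, and the action names are hypothetical.

```python
import re

# Constructed workflow (not from any real project). The first step is pinned
# to a placeholder commit SHA; the others show the mutable forms a scanner
# should flag, plus a local action that has no remote ref to pin.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0  # v4 (placeholder SHA)
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-build
      - uses: some-org/deploy-action@main
      - run: npm ci && npm test
"""

# A 'uses:' line, optionally as a list item; the value stops at whitespace so
# trailing comments (the human-readable version tag) are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(uses_value: str) -> str:
    """Classify one 'uses:' value as pinned, local, missing ref, or a mutable ref."""
    if uses_value.startswith("./"):
        return "local"  # same-repo action, versioned with the code itself
    if "@" not in uses_value:
        return "missing ref"  # GitHub rejects this, but surface it anyway
    ref = uses_value.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "pinned"
    # Tags and branches can be moved or force-pushed after the workflow is
    # written, so the workflow may later run different code than was reviewed.
    return f"mutable ref '{ref}'"


def find_unpinned(workflow_text: str) -> list:
    """Return (uses_value, classification) for every reference that is not SHA-pinned."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        value = match.group(1)
        kind = classify(value)
        if kind not in ("pinned", "local"):
            findings.append((value, kind))
    return findings


if __name__ == "__main__":
    for value, kind in find_unpinned(WORKFLOW):
        print(f"UNPINNED  {value:45} {kind}")
```

Keeping the version tag in a trailing comment next to the SHA, as the pinned step above does, preserves readability and lets dependency-update tooling such as Dependabot still track and bump the pin; the scanner ignores the comment because it only reads the value up to the first whitespace.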