Glossary · supply-chain
Deprecated
An official signal that a package is no longer recommended for new use, but still works.
A deprecated package is one that the maintainer no longer recommends for new projects, but the existing code still works. The deprecation is a warning, not a kill switch. Different ecosystems have different mechanisms: `npm deprecate <package> "message"`, the PyPI `Development Status :: 7 - Inactive` classifier, the RubyGems `is_outdated` flag, the Packagist `abandoned` flag, the Maven Central `deprecated` flag.
Deprecated is distinct from archived (read-only, end-of-life) and abandoned (no maintainer, but no explicit signal). The right response to a deprecation depends on context: if the package is a transitive dependency you don't use directly, ignore it. If it's a direct dependency, look for the recommended replacement — usually a fork or a rewrite by the same maintainers.
A deprecation that lasts more than a year without a clear replacement is a supply chain risk. The package may be removed from the registry (npm unpublishes are real, see the `left-pad` incident of 2016) or it may break with the next major version of its dependencies. Plan accordingly.
Related reading
Looking for the full vocabulary? Browse all 25+ terms in the BreakPoint glossary.