security-maintained forks · npm

Your dependencies were abandoned. Your risk doesn't have to be.

Keep LTS publishes drop-in forks of abandoned npm packages — same API, patched CVEs, regression-tested. Adopted with a one-line overrides entry. No code changes, no migration project, no vendor calls.

$ npm install @keep-lts/xlsx — free & open source, today

zsh — ci
$ npm audit
xlsx  0.18.5 — 2 high severity
  no fix available — frozen upstream

$ npm pkg set overrides.xlsx="npm:@keep-lts/xlsx@^0.18.6"
$ npm install
+ @keep-lts/xlsx@0.18.6 · drop-in · advisory + tests inside

$ npm audit
found 0 vulnerabilities
10 forks under active maintenance
14 CVEs patched, advisories published
16,077,507 weekly downloads covered
100% published open source

the problem

Abandonment is a security problem.

Thousands of packages with millions of weekly downloads have no maintainer left to ship a fix. The code still works — until an auditor, a CVE, or an attacker finds it.

No more patches

When a maintainer archives a repo, CVE reports stop turning into releases. The vulnerability stays put — only your exposure grows.

Frozen deep in your tree

Abandoned packages get pinned transitively, three levels down your lockfile. Migrating off them means rewriting code nobody wants to touch.

Audits don't care why

SOC 2, ISO 27001 and customer security reviews flag known CVEs regardless. "The package is dead" is not an accepted remediation.

how it works

Drop-in by design.

We pick up maintenance exactly where the upstream stopped — so your dependency tree resolves to a patched build and your own code is untouched.

[timeline: upstream package · final release · repo archived → CVE patch · CVE patch → today: @keep-lts fork — patches · tests · advisories]
01 / fork

We fork at the last good release

When a package with real-world usage is abandoned, we take over its security maintenance — publicly, under the @keep-lts scope.

02 / maintain

We patch, test, and publish

We reproduce the CVE with a real proof-of-concept, write the smallest patch that fixes it, then add a regression test that fails on the original and passes on the fork. The public API never changes — only the patch version moves.

03 / override

You add one line

A single overrides entry in package.json resolves your whole tree to the patched build. Your code is untouched, and you can leave any time.
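Whether the single overrides entry really reached every copy of the package is something to verify rather than assume: a stale lockfile or a nested copy that was not re-resolved leaves the frozen upstream in the tree. As an added example (not Keep LTS's code), the check below scans a package-lock.json object for every `node_modules/xlsx` path and reports those that do not resolve to the fork. It assumes npm records an aliased package's real name in the entry's `name` field (lockfile v2/v3); the lockfile contents and nested package names are constructed.

```javascript
// Added example (not Keep LTS's code): verify that an npm `overrides` entry
// took effect everywhere in a lockfile. Assumption: in lockfile v2/v3 a
// package aliased via an `npm:` spec (xlsx -> @keep-lts/xlsx) is recorded
// under its path with a `name` field holding the real package name, so every
// `node_modules/xlsx` path must carry name "@keep-lts/xlsx".

// Return the lockfile paths (with versions) still resolving to the upstream.
function unpatchedPaths(lock, pkgName, forkName) {
  const suffix = `node_modules/${pkgName}`;
  const offenders = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the top-level copy and any nested copy, not e.g. xlsx-helper.
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    // An aliased entry names the fork; a plain one has no `name` field.
    const actual = entry.name || pkgName;
    if (actual !== forkName) offenders.push(`${path}@${entry.version}`);
  }
  return offenders;
}

// Constructed lockfile: the top-level xlsx was overridden, but a copy nested
// under another dependency was not re-resolved and still points upstream.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { xlsx: "^0.18.5" } },
    "node_modules/xlsx": {
      name: "@keep-lts/xlsx", version: "0.18.6",
      resolved: "https://registry.npmjs.org/@keep-lts/xlsx/-/xlsx-0.18.6.tgz",
    },
    "node_modules/report-gen": { version: "2.1.0" },           // constructed
    "node_modules/report-gen/node_modules/xlsx": {
      version: "0.18.5",
      resolved: "https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz",
    },
    "node_modules/xlsx-helper": { version: "1.0.0" },          // constructed
  },
};

const bad = unpatchedPaths(SAMPLE_LOCK, "xlsx", "@keep-lts/xlsx");
console.log(bad.length ? `unpatched: ${bad.join(", ")}` : "all xlsx entries patched");
```

On a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK`; an empty result means every copy in the tree resolved to the fork.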

the catalog

A growing catalog of maintained forks.

We focus on the long tail — the small, widely-used packages that quietly fail an npm audit with no fix to upgrade to. Every fork is free, and published in the open: full source, tests and advisories, under its upstream licence.

Request a package → Don't see yours? Enterprise coverage includes forks on request.

plans

Free to install. Pro when you need a vendor on the hook.

Identical engineering standard across every tier. Pro adds the guarantee — an SLA on future CVEs, compliance artefacts your auditor will accept, and a real vendor on a contract.

Team

Clear one audit

$400 /mo · cancel anytime

  • Up to 10 packages under SLA
  • Critical / High CVEs patched in 5 business days
  • SBOM & VEX compliance artefacts
  • Email support, one business-day reply
Start with Team

Enterprise

Coverage shaped to your tree

Custom

  • Everything in Business
  • Unlimited packages & forks on request
  • Private registry / mirror
  • DPA / MSA support & optional indemnification
  • Written continuity terms
Talk to the maintainers

trust & verification

Built to pass your security review.

Every fix is auditable end to end — and every fork is structured so you are never locked in.

  • Reproduced & regression-tested: each fix ships a PoC for the real CVE and a test that fails on the original and passes on the patch.
  • Everything published in the open: full source, tests and advisories, under the upstream licence — read it before you adopt.
  • No lock-in, by construction: you always retain the right to build it yourself. Pro contracts add written continuity terms.
  • Async-first support: email or a shared Slack channel — first reply within one business day. No vendor calls to sit through.
zsh — verify
$ npm pack @keep-lts/xlsx --dry-run
package: @keep-lts/xlsx@0.18.6
  xlsx.js        patched build
  SECURITY.md    CVE advisory + fix notes
  test/          regression tests

$ node --test
✔ CVE-2023-30533 · vulnerability no longer reproduces
✔ legitimate inputs round-trip unchanged

faq

Questions teams ask.

How is this different from the free packages?
Identical engineering standard. Pro adds the guarantee: an SLA on future CVEs, coverage for packages we haven't forked yet, the compliance docs, and a contract with a real vendor on the hook.
Do we have to get on a call?
No — not to buy, not to onboard, not for support. Everything runs async over email or a shared Slack channel. No vendor calls to schedule or sit through.
Do we have to change our code?
No. Same drop-in overrides model — your dependency tree resolves to the patched build and your own code is untouched.
What if you stop maintaining a package?
Every fork is published open-source with its full source, tests and advisory, under its upstream licence — you always retain the right to build it yourself. Pro contracts add written continuity terms.
Can you sign an NDA or security questionnaire?
Yes on Business and Enterprise. Enterprise includes DPA / MSA support and optional indemnification.

get coverage

Tell us what's flagging.

Send the npm audit output, the Dependabot alert, or just a package name. It goes straight to the maintainer — a real reply, usually within one business day. No call required.

or email hello@keep-lts.com directly