Last year, a security audit uncovered a vulnerability in our production environment. The finding: we were using Node.js 21, a version that had been nearing its end of life for several months. No active exploits, no incidents, but a growing list of unpatched CVE vulnerabilities, still open and with no planned fix. The kind of problem that goes unnoticed until it becomes obvious.
The most frustrating part wasn't the discovery itself, but realizing that no one on the team had been informed about the impending end of life of Node.js 16. No alerts, no reminders, nothing. Yet, we needed to be aware. And apparently, we weren't.
I looked for a simple tool that would allow me to declare my technology stack and be notified when a version is approaching its end of life or when a new critical CVE vulnerability is detected. I couldn't find exactly what I was looking for: most tools required connecting to a GitHub repository, installing an agent, or charged for basic alerts.
So, I created it. EOLCanary tracks end-of-life (EOL) dates and CVEs for 459 technologies: Node.js, Redis, PHP, PostgreSQL, Ubuntu, Kubernetes, and more. No agent or repository connection is required. You simply check your stack.
Regarding data sources: complete transparency
The end-of-life date data comes from endoflife.date, an excellent open-source project I wanted to mention. If you simply want to check a date, go to endoflife.date: it's a fantastic tool.
I also wanted to add two features missing from endoflife.date:
CVE tracking by version. Data is extracted daily from the NVD, including EPSS scores and CISA KEV indicators. The EPSS score indicates the likelihood of a CVE being exploited within the next 30 days: far more actionable information than a simple CVSS score. The KEV list contains vulnerabilities with confirmed exploitation in the wild. If your stack has one of these vulnerabilities, the risk is no longer theoretical.
Alerts and a dashboard dedicated to your stack are also available. Here's what I'm currently developing. The principle is simple: you create an account, declare your infrastructure (Node 20, Redis 7, Ubuntu 22.04, etc.), and EOLCanary monitors it for you. You are notified when a version reaches its end of life, when a new CVE vulnerability is detected in a component you use, or when a dependency is added to the CISA Known Exploited Vulnerabilities (KEV) list. Notifications are initially sent via email, then later via Slack and webhooks.
No GitHub repository to connect. No installation required. Just a list of your applications and important alerts.
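To make the declarative idea concrete, here is a minimal sketch added for illustration; it is not EOLCanary's code. It assumes release-cycle data shaped like endoflife.date's per-product JSON (a list of cycles with an `eol` field); the sample data, the `exampledb` and `legacyapp` names, and the 180-day warning window are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample shaped like endoflife.date's /api/<product>.json
# responses (a list of release cycles); values are illustrative only.
SAMPLE_CYCLES = {
    "nodejs": [
        {"cycle": "20", "eol": "2026-04-30"},
        {"cycle": "16", "eol": "2023-09-11"},
    ],
    "exampledb": [  # hypothetical product showing boolean "eol" values
        {"cycle": "7", "eol": False},
        {"cycle": "5", "eol": True},
    ],
}

# The declared stack: product -> release cycle in production (assumed format).
STACK = {"nodejs": "16", "exampledb": "7", "legacyapp": "1"}


def eol_status(cycles, cycle, today, warn_days=180):
    """Classify one declared version as ok / warning / eol / unknown."""
    entry = next((c for c in cycles if c["cycle"] == cycle), None)
    if entry is None:
        return "unknown"          # untracked version: surface it, never assume ok
    eol = entry["eol"]
    if isinstance(eol, bool):     # the field can be a boolean instead of a date
        return "eol" if eol else "ok"
    eol_date = date.fromisoformat(eol)
    if eol_date <= today:
        return "eol"
    if eol_date - today <= timedelta(days=warn_days):
        return "warning"
    return "ok"


def check_stack(stack, data, today, warn_days=180):
    """Return {product: status} for every declared component."""
    return {
        product: eol_status(data.get(product, []), cycle, today, warn_days)
        for product, cycle in stack.items()
    }


if __name__ == "__main__":
    for product, status in check_stack(STACK, SAMPLE_CYCLES, date.today()).items():
        print(f"{product} {STACK[product]}: {status}")
```

Components that are declared but absent from the data come back as `unknown` rather than `ok`, so an untracked dependency shows up in the report instead of silently passing.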
Would this be useful to you? I'm trying to determine if the alert system solves a real problem or if most users simply check manually from time to time. If you manage a production infrastructure and this seems relevant (or if you think the approach is flawed), please leave a comment.
Viewing the site is free today. Stack monitoring and alerts will be available in the coming weeks.
eolcanary.com
Feel free to ask me your questions: about the stack (Nuxt 3 + Supabase), the difficulties related to the NVD API, or why I think declarative stack monitoring is an underestimated concept.
Thx