HeroDevs
@herodevs
1.3K posts

The EOL experts. We let your developers focus on mission-critical work, while we keep your open-source stack running in the background. #LifeAfterEOL

Worldwide · Joined January 2018
750 Following · 2.7K Followers
HeroDevs @herodevs

🚨 TinyMCE 6 is end-of-life — and unpatched XSS vulnerabilities are already in play.

Teams still running older TinyMCE 6 versions are exposed to known XSS vulnerabilities like CVE-2024-29203 and CVE-2024-29881, and with v6 now EOL, no further patches will be issued for future discoveries.

For teams still running TinyMCE 6, that creates a tough choice: migrate immediately… or operate with known exposure.

There’s a third option. HeroDevs provides Never-Ending Support for TinyMCE 6, offering a secure, drop-in replacement that patches known vulnerabilities without requiring a migration to v7 or v8.

With HeroDevs NES, you get:
✔️ Ongoing CVE patches delivered as secure drop-in replacements
✔️ No license change — stay on the MIT-licensed v6 codebase
✔️ No migration burden — keep your existing config, plugins, and integrations
✔️ Compliance-ready security with VEX statements and audit documentation
✔️ Continued updates as new vulnerabilities are discovered

NES is built for teams that need time to migrate — or that can’t migrate yet — without accepting ongoing risk.

Because running EOL software shouldn’t mean running vulnerable software.

#OpenSource #AppSec #EOL #TinyMCE #SoftwareSecurity #DevSecOps #HeroDevs
HeroDevs @herodevs

🚨 Angular 19 is reaching end of life — but your support doesn’t have to.

HeroDevs Never-Ending Support (NES) for Angular 19 is designed to bridge the gap between EOL deadlines and real-world migration timelines.

When Angular 19 hits EOL, official patching stops. NES steps in to provide:
✔️ Ongoing vulnerability discovery and CVE monitoring
✔️ Continuous security fixes released through a secure private registry
✔️ Expert-backed remediation from open source core contributors
✔️ A true drop-in path to stay secure without immediate migration

Building on support for Angular 4 through 18, NES for Angular 19 ensures teams continue receiving fixes for newly identified vulnerabilities — even after the community moves on.

Because security gaps don’t wait for your roadmap.

#Angular #OpenSource #EOL #AppSec #DevSecOps #SoftwareSecurity #HeroDevs
HeroDevs @herodevs

We’re at JavaOne 2026 — and the conversations are exactly where they need to be. ☕

From Java runtime evolution to Spring ecosystems and everything in between, it’s clear: modernization is top of mind, but so is maintaining stability in the systems that power today’s businesses.

If you’re here, come find us. Let’s talk about what your Java stack is really up against.

#JavaOne #Java #Spring #OpenSource #SoftwareSecurity #DevSecOps #HeroDevs
HeroDevs @herodevs

Python versions don’t just “get old” — they follow a strict lifecycle. And once they hit end-of-life, the rules change.
→ No more security patches
→ No more bug fixes
→ No guarantee the ecosystem will support you

Most Python releases follow a predictable pattern: a few years of active support, followed by security-only updates — and then nothing.

Right now:
→ Python 3.10 support ends in 2026
→ Python 3.11 in 2027
→ Python 3.12 in 2028
→ Older versions like 3.9 and below are already EOL

The takeaway isn’t just dates — it’s planning. If Python is part of your production stack (and it probably is), your upgrade timeline isn’t optional. It’s part of your security posture.

Because when Python reaches EOL, vulnerabilities don’t stop — the fixes do.

#Python #OpenSource #EOL #SoftwareSecurity #DevSecOps #HeroDevs
HeroDevs @herodevs

🚨 New CVE Alert: CVE-2026-32635 (High Severity XSS in Angular)

A newly disclosed vulnerability affects how Angular handles i18n attribute bindings. When security-sensitive attributes like href, src, or action are marked with i18n- for translation, Angular’s internationalization pipeline can bypass the framework’s built-in sanitization — allowing attacker-controlled input to execute JavaScript in a user’s browser.

Why this matters:
→ Low complexity exploit with passive user interaction
→ Potential for session hijacking, credential theft, and data exfiltration
→ Triggered by a pattern many Angular apps legitimately use for localization

Patch status:
✔️ Fixed in Angular 19.2.20, 20.3.18, and 21.2.4
✔️ Angular 17 and 18 are EOL and will not receive a community fix

If you’re running Angular 17 or 18, the exposure is real and there’s no upstream remediation path.

HeroDevs Never-Ending Support (NES) for Angular provides patched, drop-in replacements for EOL Angular versions — including fixes for vulnerabilities like CVE-2026-32635 — so teams can stay secure while planning their migration.

#Angular #CVE #AppSec #OpenSourceSecurity #DevSecOps #HeroDevs
HeroDevs @herodevs

AI models are getting faster. Smarter. Newer. But even models trained just months ago can recommend outdated or vulnerable dependencies.

That’s the hidden risk open source contributors should be thinking about. It’s not uncommon for AI tools to suggest framework versions that are already out of date — or worse, contain known security vulnerabilities.

If you’re using AI to scaffold projects or populate dependencies, pause and verify:
✔️ Is this the latest supported version?
✔️ Has it been patched?
✔️ Is it approaching end-of-life?

AI can accelerate development. It can also accelerate risk — if you’re not paying attention.

#OpenSource #AI #AppSec #SoftwareSecurity #DevSecOps
HeroDevs @herodevs

Your scanner finds vulnerabilities. But most scanners don’t tell you when those vulnerabilities will never be fixed.

That’s the silent risk hidden in end-of-life software. When a dependency reaches EOL:
→ Security patches stop
→ Bug fixes stop
→ Maintainer support stops
→ Yet your tools may keep scanning it like nothing’s wrong

That means CVEs can linger forever — and most teams don’t realize it until something breaks. Dead software isn’t just outdated — it’s a permanent exposure sitting in your dependency tree.

Tools like EOL DS surface that risk by showing you every component that’s past or approaching end-of-life — the dependencies your scanner never flags because it’s not about “vulnerable today,” it’s about “unsupported forever.”

Security doesn’t have to wait for rewrite timelines. ⏳ Visibility comes first.

#OpenSource #AppSec #EOL #DevSecOps #SecurityRisk #SoftwareEngineering
HeroDevs @herodevs

⏰ Spring Boot 3.5 EOL is coming — do you know how long your migration will take?

Upgrading to Spring Boot 4 isn’t just a version bump. It can mean:
→ Dependency and Jakarta namespace shifts
→ Breaking API changes
→ Plugin and build pipeline updates
→ Retesting across large, interconnected services

For enterprise systems, that’s not a quick sprint — it’s a coordinated migration effort. Before the deadline sneaks up on you, estimate your timeline and understand the real scope of work.

And if you’re tracking multiple framework EOL dates this year, the HeroDevs EOL Calendar helps you see what’s coming before it becomes urgent.

Plan early. Migrate strategically.
🔗 herodevs.com/blog-posts/spr…

#SpringBoot #Migration #EOL #SoftwareEngineering #DevOps #HeroDevs #TechLeadership
HeroDevs @herodevs

Day 2 at Devnexus and the conversations are leveling up. ⚔️

One message keeps resonating → EOL? Not in my JVM.

Because when critical Java frameworks and runtimes hit end-of-life, the risk doesn’t disappear — it compounds. And for enterprise teams, waiting isn’t a strategy.

If you’re here, stop by and let’s talk about keeping your stack secure long after upstream support ends.

#Devnexus #HeroDevs #Java #JVM #OpenSource #EOL #AppSec #DevSecOps
HeroDevs @herodevs

🚨 New CVE Alert: CVE-2026-27970 — High-Severity XSS in Angular i18n

A Cross-Site Scripting vulnerability has been identified in Angular’s internationalization (i18n) pipeline, where HTML inside translated ICU messages isn’t properly sanitized — allowing attacker-controlled JavaScript to execute in the application’s origin. This affects versions of @angular/core prior to the latest patched releases (including 19.2.19, 20.3.17, 21.1.6, and 21.2.0).

In real-world terms:
→ If an attacker can compromise a translation file (like .xlf or .xtb), they can inject malicious attributes into ICU messages
→ When rendered, those attributes may execute arbitrary JavaScript in users’ browsers
→ This can lead to credential theft, session hijacking, or page manipulation

If you’re maintaining Angular apps that use i18n, make sure you’re on a patched version today.

And if you’re running Angular versions that have passed official support — or can’t upgrade right away — consider HeroDevs Never-Ending Support (NES) for Angular to receive ongoing security patches and compliance-ready fixes beyond upstream EOL.
🔗 herodevs.com/support/nes-an…

#Angular #CVE #XSS #AppSec #OpenSourceSecurity #DevSecOps #HeroDevs
HeroDevs @herodevs

🚨 New CVE Alert: CVE-2026-27739 (CVSS 9.2 – Critical)

A critical SSRF and header injection vulnerability has been disclosed in Angular’s Server-Side Rendering (SSR) pipeline — and it’s more serious than it looks.

The issue stems from Angular trusting user-controlled Host and X-Forwarded-* headers when reconstructing request URLs. An attacker can manipulate those headers to:
• Redirect server-side API calls to attacker-controlled domains
• Exfiltrate Authorization headers, API keys, or session cookies
• Probe internal network resources (including cloud metadata endpoints)
• Turn your SSR server into an open proxy

This affects @angular/ssr versions prior to 19.2.21, 20.3.17, and 21.1.5. Angular 18 and below? No community patch available.

If you’re running Angular SSR:
✔️ Patch immediately if you’re on a supported version
✔️ Implement strict header validation if you can’t upgrade
✔️ Or use HeroDevs Never-Ending Support (NES) for patched drop-in replacements on EOL versions

This isn’t a misconfiguration. It’s a framework-level flaw in how SSR reconstructs request origins. If you are running Angular SSR on an end-of-life version (18.x and below), you need to act now.

#Angular #CVE #AppSec #OpenSourceSecurity #SSRF #DevSecOps #HeroDevs
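An added example of the "strict header validation" the post above recommends, in Node.js; it is not Angular's or HeroDevs' code. It contrasts a simplified version of the risky pattern (building the origin from whatever Host / X-Forwarded-* the client sent) with a hardened resolver that honours forwarded headers only behind a trusted proxy and checks the host against an exact allowlist. The function names, the config fields and the sample configuration are assumptions.

```javascript
// Added example, not Angular's or HeroDevs' code: a simplified Node.js origin
// resolver showing the class of flaw the post describes and one hardened form.
// Hypothetical names: naiveOrigin, resolveRequestOrigin, and the config fields.

// The risky pattern: whatever the client put in Host / X-Forwarded-* becomes
// the base for server-side URLs, so the client decides where SSR fetches go.
function naiveOrigin(headers) {
  const proto = headers['x-forwarded-proto'] || 'http';
  const host = headers['x-forwarded-host'] || headers['host'];
  return `${proto}://${host}`;
}

// host[:port] only: no path, no whitespace, no CR/LF (blocks header injection),
// no comma (blocks a multi-valued X-Forwarded-Host smuggling a second host).
const HOST_RE = /^[a-z0-9.-]+(:\d{1,5})?$/i;

// Hardened form: honour X-Forwarded-* only behind a trusted proxy, require the
// host to match a configured allowlist exactly, and otherwise fall back to the
// deployment's canonical origin instead of anything the client controls.
function resolveRequestOrigin(headers, config) {
  const useForwarded = config.trustProxy === true;
  const host = (useForwarded && headers['x-forwarded-host']) || headers['host'];
  const proto = (useForwarded && headers['x-forwarded-proto']) || config.defaultProto;
  const fallback = { origin: config.canonicalOrigin, trusted: false };

  if (typeof host !== 'string' || !HOST_RE.test(host)) {
    return { ...fallback, reason: 'malformed-host' };
  }
  if (proto !== 'http' && proto !== 'https') {
    return { ...fallback, reason: 'bad-proto' };
  }
  // Exact, case-insensitive match; no suffix or wildcard logic, so
  // "app.example.com.evil.test" never passes as "app.example.com".
  const allowed = config.allowedHosts.some((h) => h.toLowerCase() === host.toLowerCase());
  if (!allowed) {
    return { ...fallback, reason: 'host-not-allowlisted' };
  }
  return { origin: `${proto}://${host.toLowerCase()}`, trusted: true, reason: 'ok' };
}

// Constructed sample configuration for a deployment that serves app.example.com.
const SAMPLE_CONFIG = {
  canonicalOrigin: 'https://app.example.com',
  allowedHosts: ['app.example.com', 'localhost:4000'],
  defaultProto: 'https',
  trustProxy: false,
};

// Stand-alone demo: an unknown Host falls back to the canonical origin.
console.log(resolveRequestOrigin({ host: 'evil.test' }, SAMPLE_CONFIG));
```

When the SSR server sits behind a reverse proxy, set trustProxy only there and strip X-Forwarded-* at the proxy edge, so the resolver never sees client-supplied forwarded headers.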
HeroDevs @herodevs

We’re at Devnexus — and the energy is real. 🐉

HeroDevs is here connecting with developers, security leaders, and open source advocates across the ecosystem — talking supply chain risk, runtime EOL, and what it really takes to keep production systems secure.

Because in modern software, security can’t be a side quest — it has to be part of the main storyline.

If you’re here, come say hello. If you’re following along from afar, we’ll be sharing insights from the floor all week.

#Devnexus #HeroDevs #OpenSource #AppSec #DevSecOps #SoftwareSecurity #DeveloperCommunity
HeroDevs @herodevs

🚨 Node.js reaching End of Life isn’t just a version milestone — it’s a security turning point.

When a widely used runtime like Node.js stops receiving official patches, every new vulnerability becomes permanent exposure unless there’s a mitigation plan in place.

Here’s the reality teams need to face:
→ Unsupported runtimes stop getting security and maintenance fixes
→ Vulnerability scanners still flag CVEs — but there’s no official patch to apply
→ Compliance frameworks increasingly require active support lifecycles
→ Production risk rises the moment EOL is reached

Security doesn’t wait for migration timelines, and it certainly doesn’t pause because a release line has reached end of life.

Understanding the when and what to do next is critical — because this isn’t theoretical risk. It’s real exposure affecting real systems.

#NodeJS #OpenSource #EOL #Security #SoftwareRisk #DevOps
HeroDevs @herodevs

Open source maintainers are evolving how they use AI. While many still rely on tools like Copilot or Claude, there’s a growing shift toward open source models — Llama, PyTorch-based ecosystems, and locally hosted LLMs.

Why? Because maintainers value:
→ Greater control over how models are tuned
→ The ability to run models locally with added project context
→ Reduced legal and security concerns tied to proprietary AI tools
→ Deeper customization aligned to their specific codebases

Maintainers are builders. Tinkerers. They don’t just use tools — they adapt them. 🔧

#OpenSource #OSS #AI #LLMs #SoftwareDevelopment #HeroDevs
HeroDevs @herodevs

For years, we’ve been providing security patches for software long after the original maintainers stopped. And we kept seeing the same pattern:

Teams didn’t realize they were running end-of-life dependencies until something broke. Their scanners flagged CVEs. They didn’t flag the condition that makes those CVEs permanent — no one is providing fixes anymore.

Today, we’re launching EOL DS — the End-of-Life Detection Scanner.

Connect your repo. Scan your full dependency tree. See every component that’s past — or approaching — end-of-life. No agents. No complex setup. Results in seconds.

In one scan:
2,738 packages analyzed. 272 end-of-life. 15 with active, unpatched vulnerabilities.

Because you can’t fix what you can’t see.

#opensource #appsec #softwaredevelopment #EOL #devsecops
HeroDevs @herodevs

R is for Repositories.

The home base of every open-source project — where commits tell stories, pull requests spark debates, and collaboration scales beyond borders.

Repositories aren’t just storage. They’re living records of experimentation, iteration, and innovation. They hold the roadmap, the history, and sometimes… the 3:00 a.m. commit messages we don’t talk about. 🤐

Platforms like GitHub and GitLab turned “send me the zip file” into global collaboration in minutes — making transparency and shared knowledge the backbone of modern software.

Full Episode 🔗 youtube.com/watch?v=QpJ1qf…

#OpenSource #OSS #GitHub #SoftwareDevelopment #ABCsOfOSS #HeroDevs