HeroDevs and Deprecated Open-Source Libraries
Overview
Mend SCA offers an alternative mitigation for vulnerabilities in deprecated open-source libraries: where applicable, it suggests an upgrade path to a commercial version available from HeroDevs.
HeroDevs provides extended support, security updates and bug fixes for framework/library versions that are no longer supported by their owner.
The inclusion of HeroDevs enriches the SCA information provided by the Mend AppSec Platform.
End-of-life or deprecated open-source libraries are no longer necessarily a dead end for SCA users. They may still be maintained by HeroDevs under a commercial license, which gives you new upgrade paths and more options for dealing with vulnerabilities in your application’s dependencies.
Mend SCA does the following:
Automatically suggests remediation for vulnerabilities in open-source libraries currently maintained commercially by HeroDevs.
Automatically identifies and flags commercial libraries by HeroDevs in your inventory.
Getting it done
Remediation Suggestions for Libraries Maintained by HeroDevs
To review a vulnerability, follow these steps:
1. Navigate to your Application or Project.
2. Navigate to the selected application or project’s Dependencies.
3. Go to the Findings tab.
4. Click the vulnerability you wish to review.

When a HeroDevs remediation option is available, it is indicated in the Security Overview section of the Overview tab, as depicted above. The Overview tab is the default view for any vulnerability.
Additional details about the remediation suggestion are available under the Remediation tab.

Clicking the Learn More button on the right takes you to https://www.mend.io/herodevs-integration-lp/ for additional information about HeroDevs on the Mend.io website.
HeroDevs Libraries in your Inventory
Note: This feature requires a HeroDevs license, which can be acquired via HeroDevs.
To see the identified commercial libraries maintained by HeroDevs, follow these steps:
1. Navigate to your application or project.
2. Select SBOM from the left panel.
3. Go to the Commercial tab.

HeroDevs will be displayed under the License Alias column.
A link to https://herodevs.com will be displayed under the Home Page column.
Limitations
As of April 2025, only npm and Maven packages are supported. This means that libraries maintained by HeroDevs will only be identified as such in the Mend AppSec Platform if they are listed in the npm registry or Maven Central.