TL;DR We’ve partnered with TuxCare so you can fix vulnerabilities in legacy dependencies instantly, without rewrites or risky upgrades. Stay secure, compliant, and keep building without trade-offs. Read on for the full launch, or check out our docs to go deeper.
As engineering teams scale, managing vulnerabilities in third-party libraries becomes one of the biggest blockers to shipping safely and quickly. When popular open-source packages reach end-of-life (EOL), security and development teams often find themselves at odds: security teams push for immediate upgrades to address CVEs, while developers face breaking changes that can slow delivery for weeks or months.
Upgrading core dependencies isn’t just about version bumps; it can mean deep refactors, application rewrites, and extensive retesting. For many organizations, this trade-off between security and velocity creates operational gridlock.
The power of the Aikido and TuxCare partnership
To solve this, Aikido and TuxCare have joined forces to offer Extended Lifecycle Support (ELS) directly through Aikido’s Autofix. This partnership combines Aikido’s automated remediation workflows with TuxCare’s expertise in providing hardened, continuously patched packages for EOL libraries.
TuxCare has already resolved over 5,000 CVEs in open-source software, making them a trusted partner in post-EOL security. By integrating ELS packages directly into Autofix, Aikido helps teams secure legacy dependencies and keep moving forward without big version changes or disruptive rewrites.
How it works
When Aikido scans your application, it identifies outdated dependencies and surfaces known vulnerabilities. Instead of requiring you to upgrade to the latest (and potentially breaking) major version, Aikido now suggests a secure ELS package maintained by TuxCare.
These ELS packages are drop-in replacements. For example, teams using the unmaintained v1 of SnakeYAML can move to 1.33.tuxcare.1 to patch critical CVEs without migrating to 2.x. The same principle applies to other widely used packages like log4j 1.x, which has been out of maintenance since 2015 but remains common in enterprise codebases.
Aikido Autofix generates a ready-to-merge pull request that updates your dependency to the ELS version and includes any repository configuration needed. Teams can resolve security issues immediately, without introducing instability or delaying feature work.
Removing friction between security and dev teams
Bridging the gap between security and development requires solutions that respect both priorities: strong security posture and continuous delivery. Aikido and TuxCare’s integrated approach enables teams to:
- Avoid disruptive upgrades: Secure dependencies without major refactors or breaking changes.
- Accelerate CVE resolution: Patch vulnerabilities in days instead of weeks or months.
- Maintain compliance: Address EOL package risks to meet regulatory requirements and pass audits.
- Reduce engineering overhead: Free up team capacity to focus on product improvements, not firefighting dependency updates.
Sample use case: Securing Java projects with ELS
In a typical Java project, updating a critical dependency like SnakeYAML or log4j to a new major version can take weeks of engineering time, extensive testing, and risky production deployments.
With ELS, teams can adopt a hardened version (for example, log4j 1.2.17.tuxcare.1) that patches known CVEs, all without changing application logic. This means security issues are resolved faster, engineering effort is minimized, and releases stay on track.
The future of secure, legacy code
At Aikido, we believe developers shouldn’t have to choose between speed and security. Our partnership with TuxCare is a major step forward in making post-EOL security practical and scalable, so you can stay focused on building.
This is just the start. ELS support is currently live for Java, with additional languages including JavaScript, Python, .NET, PHP, and Ruby coming soon.
Learn more about how Aikido and TuxCare can help you secure your legacy code without slowing down your roadmap. Get started here →