The hidden risk of unmaintained dependencies: lessons from Ingress NGINX

On March 24, 2026, kubernetes/ingress-nginx, used in roughly half of all Kubernetes clusters, was officially retired. No more security patches. The same pattern is playing out with MinIO, WordPress plugins, and npm packages. Here's what to watch for.

On March 24, 2026, kubernetes/ingress-nginx was officially retired. Best-effort maintenance ended. No more releases, no bugfixes, no security patches. Ever. The project that powered roughly half of all Kubernetes clusters, according to Datadog research cited by the Kubernetes Steering Committee, is done.

A week earlier, MinIO's GitHub repository was archived. The README now reads "THIS REPOSITORY IS NO LONGER MAINTAINED." The object storage layer that thousands of self-hosted setups depended on is effectively gone, unless you want to pay $96,000/year for the commercial replacement.

Two major infrastructure projects. Same quarter. Same pattern.

TL;DR: Ingress NGINX's retirement and MinIO's archival follow the same arc: understaffed maintenance, ignored warning signs, then sudden unavailability. This isn't unique to Kubernetes. Nearly half of audited codebases contain components with no new development in two years. The risk applies equally to WordPress plugins, npm packages, and PHP libraries. The fix isn't avoiding open source. It's actively monitoring dependency health before a retirement announcement forces an emergency migration.

What happened with Ingress NGINX

The retirement wasn't sudden, at least not in hindsight. The warning signs accumulated over years: the project had "only one or two people doing development work, on their own time, after work hours, and on weekends." Maintainer James Strong pinned GitHub issue #13002 in March 2025, warning that version 1.13 would likely be the last minor release. An attempted successor called InGate failed to attract contributors and was itself retired.

Then came IngressNightmare. In March 2025, Wiz Research disclosed five CVEs including CVE-2025-1974, a CVSS 9.8 critical vulnerability enabling unauthenticated remote code execution and complete cluster takeover. 43% of cloud environments were vulnerable. Over 6,500 clusters had the vulnerable admission controller exposed to the public internet.

That CVE got patched. The fundamental design flaw didn't. The snippet annotations, which let anyone who can create an Ingress object inject arbitrary NGINX configuration into a controller that serves the whole cluster, remained. The retirement announcement put it plainly: "Yesterday's flexibility has become today's insurmountable technical debt."

The Kubernetes Steering and Security Response Committees didn't mince words in January 2026: "We cannot overstate the severity of this situation or the importance of beginning migration to alternatives." If you're running ingress-nginx and need a practical migration path, I wrote a hands-on Gateway API migration guide earlier this year.

MinIO: same arc, different ecosystem

MinIO's trajectory is a case study in open source rug-pulls. The license changed from Apache 2.0 to AGPLv3 in 2021. The admin GUI was stripped from the community edition in early 2025, triggering a 180-comment Hacker News thread. Docker images and pre-built binaries stopped in October 2025. The repository entered "maintenance mode" in December, then was archived in February 2026.

GitHub issue #21714 tells the story: 57 "confused" reactions, 29 thumbs-down votes, a comment thread that was eventually locked. One response captured the mood: "Bait-and-switch, good job. Goodbye."

I helped a client through this migration recently. Their requirements were modest: S3-compatible object storage for application assets, nothing at petabyte scale. We evaluated the alternatives. Ceph was overkill for their setup (8–16 GB RAM per OSD, a dedicated operations team expected). SeaweedFS looked promising but wasn't mature enough for their comfort level. We landed on Garage: lightweight, Rust-based, around 50 MB RAM, designed for exactly the kind of small-to-medium self-hosted deployment they needed.

The migration worked. But it shouldn't have been an emergency.

Why this keeps happening

The numbers tell a structural story. Tidelift's 2024 maintainer survey found that 60% of open source maintainers are unpaid hobbyists, and 44% have quit or considered quitting due to burnout. Paid maintainers are 55% more likely to implement security practices than unpaid ones.

The Synopsys OSSRA 2024 report audited over 1,000 commercial codebases: 49% contained components with no new development in over two years. 91% had components ten or more versions behind. That code still works. Until a CVE drops and there's nobody left to patch it.

And when abandonment does happen, downstream projects rarely react. An ICSE 2025 study on the npm ecosystem found that 15% of widely-used packages were abandoned within six years, and most downstream projects never removed or replaced the abandoned dependency.

Ingress-nginx maintainer Ricardo Katz summarized it: "Not having more maintainers ended up burning me out and burning James out."

This isn't just infrastructure

The same pattern plays out in WordPress. I wrote about the scale of WordPress plugin vulnerabilities recently: 331 new vulnerabilities disclosed in a single week, nearly all in plugins. But the abandoned plugin problem goes further. Patchstack's 2024 report documents over 1,600 plugins and themes removed from the WordPress repository for unpatched security issues. In 33% of cases, the vulnerability was never fixed before public disclosure.

The most dramatic example: Eval PHP, a plugin abandoned for over a decade. For ten years it averaged one download per day. Then in 2023, attackers started mass-installing it on compromised sites as a persistent backdoor. Downloads spiked to 7,000 per day. WordPress finally closed it. Ten years too late.

Or Kaswara Modern WPBakery Page Builder Addons: CVSS 10.0, unauthenticated file upload leading to remote code execution. The developer never responded. No patch was ever issued. By 2022, 440,000 daily attack attempts from 10,000 IP addresses were targeting 1.6 million sites.

npm has its own history. event-stream (2018): a maintainer transferred ownership to a stranger who injected bitcoin-stealing malware, undetected for 2.5 months. colors.js (2022): 3.3 billion lifetime downloads, sabotaged by its own maintainer in protest. And the XZ Utils backdoor (2024): two years of patient infiltration into a single-maintainer project that nearly put a backdoor into sshd on major Linux distributions.

Different ecosystems. Same structural failure.

How to spot a dependency that's dying

Three states of decline, and they're worth distinguishing:

  • Deprecated: officially marked for future removal, still maintained during the transition. Kubernetes does this well: deprecated beta APIs continue to function for at least 9 months or 3 releases and emit machine-readable warnings.
  • Retired / end-of-life: maintenance has stopped. No more patches. Ingress NGINX post-March 2026 is retired. MinIO's community edition is retired.
  • Abandoned: no announcement, no formal transition. The maintainer just stopped showing up. This is the most dangerous state because you might not realize it happened.

Practical signals to watch for:

  • Commit frequency drops. Not to zero, but to sporadic. The project looks alive but can't keep up.
  • Issues pile up without response. Especially security-related ones.
  • One or two committers. A single-maintainer project has a 36% annual chance of losing its only contributor.
  • No foundation backing. CNCF, Apache, and Linux Foundation projects have organizational accountability. The irony of ingress-nginx is that even Kubernetes-adjacent projects can end up as volunteer side projects.
  • License changes. MinIO's journey from Apache 2.0 to AGPL to archived followed a predictable business model shift. A license change doesn't guarantee abandonment, but it signals a tension worth monitoring.
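To turn those signals into something you can run over a dependency list, here is an added illustration (my own, not code from this post or from any of the projects it names). It scores a repository from the metadata you would pull with `git log --format='%aI %ae'` and the issues API. Everything below is constructed sample data: the repo, the dates and the SPDX license history are hypothetical, the "as of" date is pinned so the result is reproducible, and the thresholds (commits halving over 180 days, one author holding more than 80% of a year's commits, a security issue unanswered for 30 days) are assumptions you should tune to your own risk appetite.

```python
"""Dependency-health signals from repository metadata.

Added illustration, not code from the post or from any project it names.
Input is constructed sample data in the shape of `git log --format='%aI %ae'`
output plus a minimal issues-API extract; all thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 24, tzinfo=timezone.utc)  # fixed "as of" date (assumed)

# Constructed sample repo (hypothetical; names and dates are made up).
SAMPLE_REPO = {
    "commits": [  # (ISO timestamp, author email)
        ("2025-01-10T09:00:00+00:00", "maintainer@example.org"),  # older than a year: ignored
        ("2025-04-02T09:00:00+00:00", "maintainer@example.org"),
        ("2025-04-20T09:00:00+00:00", "maintainer@example.org"),
        ("2025-05-11T09:00:00+00:00", "maintainer@example.org"),
        ("2025-06-03T09:00:00+00:00", "maintainer@example.org"),
        ("2025-06-28T09:00:00+00:00", "driveby@example.org"),
        ("2025-07-15T09:00:00+00:00", "maintainer@example.org"),
        ("2025-08-09T09:00:00+00:00", "maintainer@example.org"),
        ("2025-09-01T09:00:00+00:00", "maintainer@example.org"),
        ("2025-11-14T09:00:00+00:00", "maintainer@example.org"),  # activity thins out
        ("2026-02-02T09:00:00+00:00", "maintainer@example.org"),
    ],
    "issues": [
        {"number": 101, "state": "open", "labels": ["security"], "opened": "2026-01-15", "last_maintainer_comment": None},
        {"number": 102, "state": "open", "labels": ["security"], "opened": "2026-03-10", "last_maintainer_comment": None},
        {"number": 103, "state": "open", "labels": ["bug"], "opened": "2025-12-01", "last_maintainer_comment": None},
        {"number": 104, "state": "closed", "labels": ["security"], "opened": "2025-11-01", "last_maintainer_comment": "2025-11-03"},
    ],
    "licenses": ["Apache-2.0", "Apache-2.0", "AGPL-3.0-only"],  # SPDX id per release, oldest first
    "foundation": False,
}


def _ts(value):
    """Parse an ISO date or timestamp; bare dates are taken as UTC midnight."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def commit_trend(commits, now=NOW, window_days=180):
    """Commit counts in the most recent window and in the window just before it."""
    w = timedelta(days=window_days)
    recent = sum(1 for ts, _ in commits if now - w < _ts(ts) <= now)
    prior = sum(1 for ts, _ in commits if now - 2 * w < _ts(ts) <= now - w)
    return recent, prior


def bus_factor(commits, now=NOW, days=365):
    """(share of commits by the top author, number of distinct authors) over `days`."""
    authors = Counter(a for ts, a in commits if _ts(ts) > now - timedelta(days=days))
    total = sum(authors.values())
    if not total:
        return 0.0, 0
    return authors.most_common(1)[0][1] / total, len(authors)


def stale_security_issues(issues, now=NOW, max_age_days=30):
    """Open security-labelled issues with no maintainer reply after max_age_days."""
    return [
        i["number"] for i in issues
        if i["state"] == "open" and "security" in i["labels"]
        and i["last_maintainer_comment"] is None
        and now - _ts(i["opened"]) > timedelta(days=max_age_days)
    ]


def license_changes(history):
    """Each point where the SPDX id changes between consecutive releases."""
    return [(a, b) for a, b in zip(history, history[1:]) if a != b]


def assess(repo, now=NOW):
    """Return the list of warning signals that fire for this repo."""
    flags = []
    recent, prior = commit_trend(repo["commits"], now)
    if prior and recent < 0.5 * prior:          # threshold: assumed
        flags.append(f"commit frequency dropped: {recent} in last 180d vs {prior} in the 180d before")
    share, n_authors = bus_factor(repo["commits"], now)
    if n_authors <= 2 or share > 0.8:           # threshold: assumed
        flags.append(f"bus factor: {n_authors} author(s), top author made {share:.0%} of commits")
    stale = stale_security_issues(repo["issues"], now)
    if stale:
        flags.append(f"security issues without maintainer response: {stale}")
    changes = license_changes(repo["licenses"])
    if changes:
        flags.append(f"license changed: {changes}")
    if not repo["foundation"]:
        flags.append("no foundation backing")
    return flags


if __name__ == "__main__":
    for flag in assess(SAMPLE_REPO):
        print("WARN", flag)
```

The point of the windowed comparison is the first bullet above: a project that went from eight commits in six months to two is not dead, and a naive "any commit in the last 90 days" check would still call it healthy. The closed issue #104 shows why you filter on state and on who replied, not just on labels.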

Tools that help: OpenSSF Scorecard automates project health checks across 21 security and maintenance criteria; its Maintained check alone looks at commit and issue activity over the previous 90 days and whether the repository has been archived. For WordPress, Patchstack and WPScan maintain vulnerability databases that flag unmaintained plugins. For your entire stack, a Software Bill of Materials (SBOM) lets you answer "does this new CVE affect us?" in minutes instead of days, but only if it is regenerated on every build and actually matched against an advisory feed (osv-scanner and grype both do this); a stale SBOM sitting in a wiki is just another document.
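To show what that SBOM-to-advisory matching actually involves, here is an added illustration (my own, not code from this post, from osv-scanner or from grype). It parses a CycloneDX JSON SBOM, extracts each component's package URL, and checks the version against advisories written in the shape of the OSV schema's `affected` entries. The SBOM, the package names and the advisory ids below are constructed and hypothetical; the version ordering is deliberately simplified (numeric tuples, pre-release tags ignored), and GIT-type ranges are skipped because resolving them needs the commit graph.

```python
"""Match a CycloneDX SBOM against OSV-style advisories.

Added illustration, not code from the post or from any scanner it names.
The SBOM and the advisories are constructed, with hypothetical package
names and advisory ids; version ordering is simplified.
"""
import json
from urllib.parse import unquote

SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-stream", "version": "3.3.6",
     "purl": "pkg:npm/example-stream@3.3.6"},
    {"type": "library", "group": "@example", "name": "ui-kit", "version": "1.4.0",
     "purl": "pkg:npm/%40example/ui-kit@1.4.0"},
    {"type": "library", "name": "example.com/ingresslib", "version": "v1.12.4",
     "purl": "pkg:golang/example.com/ingresslib@v1.12.4"},
    {"type": "library", "name": "examplelib", "version": "2.0.1",
     "purl": "pkg:pypi/examplelib@2.0.1?extension=whl"},
    {"type": "library", "name": "vendored-thing", "version": "0.3"}
  ]
}""")

ADVISORIES = [  # hypothetical ids; shape follows the OSV schema's "affected" entries
    {"id": "EXAMPLE-2026-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-stream"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.3.6"}, {"fixed": "3.3.7"}]}]}]},
    {"id": "EXAMPLE-2026-0002", "affected": [{"package": {"ecosystem": "npm", "name": "@example/ui-kit"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.1"}]}]}]},
    {"id": "EXAMPLE-2026-0003", "affected": [{"package": {"ecosystem": "Go", "name": "example.com/ingresslib"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.12.5"}]}]}]},
    {"id": "EXAMPLE-2026-0004", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "2.0.0"}]}]}]},
]

PURL_TYPE_TO_ECOSYSTEM = {"npm": "npm", "golang": "Go", "pypi": "PyPI", "maven": "Maven", "cargo": "crates.io"}


def parse_purl(purl):
    """Split a package URL into (type, name, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    name_part, version = body.rsplit("@", 1) if "@" in body else (body, None)
    ptype, _, name = name_part.partition("/")
    return ptype, unquote(name), version   # unquote restores npm scopes such as @example/...


def version_key(v):
    """Numeric tuple for ordering; strips a leading 'v' and any pre-release/build suffix."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, ranges):
    """True if `version` falls inside any ECOSYSTEM/SEMVER range; GIT ranges are skipped."""
    vk = version_key(version)
    for r in ranges:
        if r.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue
        lower = None
        for ev in r["events"]:                 # events arrive as introduced/fixed pairs, in order
            if "introduced" in ev:
                lower = version_key(ev["introduced"])
            elif lower is not None and "fixed" in ev:
                if lower <= vk < version_key(ev["fixed"]):
                    return True
                lower = None
            elif lower is not None and "last_affected" in ev:
                if lower <= vk <= version_key(ev["last_affected"]):
                    return True
                lower = None
        if lower is not None and lower <= vk:  # introduced with no fix published yet
            return True
    return False


def match_sbom(sbom, advisories):
    """List (purl, advisory id) for every component an advisory range covers."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, name, version = parse_purl(purl)
        eco = PURL_TYPE_TO_ECOSYSTEM.get(ptype)
        if eco is None or version is None:
            continue
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == eco and pkg["name"] == name and is_affected(version, aff.get("ranges", [])):
                    hits.append((purl, adv["id"]))
    return hits


def components_without_purl(sbom):
    """Components no scanner can match: vendored or hand-built code that still needs an owner."""
    return [c["name"] for c in sbom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    for purl, adv_id in match_sbom(SBOM, ADVISORIES):
        print(f"AFFECTED {purl} <- {adv_id}")
    print("unmatchable:", components_without_purl(SBOM))
```

Two details matter in practice. First, the Go module carries a `v` prefix and a scoped npm package is percent-encoded in the purl, so a scanner that compares raw strings misses both. Second, the component with no purl never matches anything: that is the vendored copy of an abandoned library that an SBOM-based process silently ignores unless you report unmatchable entries explicitly.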

Key takeaways

  • Ingress NGINX's retirement and MinIO's archival are symptoms of the same problem: critical infrastructure maintained by a handful of volunteers with no sustainable funding.
  • The pattern repeats across every ecosystem. 49% of audited codebases contain components with no active development in over two years.
  • WordPress is particularly exposed: 1,600+ plugins were removed from the repository in 2024 for unpatched security issues, and abandoned plugins are actively weaponized by attackers.
  • Know what you depend on. An SBOM, OpenSSF Scorecard, or even a quarterly manual review of your dependency list beats finding out from a security advisory.
  • The goal isn't avoiding open source. It's monitoring it, the same way you'd monitor any other component in your infrastructure.
