End-of-life Font Awesome 5 / `fontawesome-svg-core@~1.2.30`
The Font Awesome 5 line (`@fortawesome/fontawesome-svg-core@~1.2.30` together with `free-*-svg-icons@^5.14.0`) is no longer the supported major; FA6 and FA7 are the maintained lines.
```json
"@fortawesome/fontawesome-svg-core": "~1.2.30",
"@fortawesome/free-brands-svg-icons": "^5.14.0",
"@fortawesome/free-regular-svg-icons": "^5.14.0",
"@fortawesome/free-solid-svg-icons": "^5.14.0",
```
@fortawesome/fontawesome-svg-core@1.2.30 was published in 2020 and pairs with Font Awesome 5. FA5 reached end of active support several years ago — security and compatibility fixes flow to the FA6+ packages (free-*-svg-icons@^6 / ^7 with the matching fontawesome-svg-core@^6). This is exactly the abandoned-major-line pattern that npm audit and SCA tools flag.
- `npm outdated @fortawesome/fontawesome-svg-core @fortawesome/free-solid-svg-icons` — confirm the major delta.
- Migrate to FA6/FA7; the import surface is largely unchanged.
No fresh CVE channel for the FA5 line. A future vulnerability disclosure in FA5 will not be patched upstream and will require either a fork or a forced major upgrade under time pressure.
The pinned @fortawesome/fontawesome-svg-core@~1.2.30 and free-*-svg-icons@^5.14.0 are indeed on an unsupported FA5 major line, but the detector explicitly admits "No fresh CVE channel for the FA5 line" — there is no known vulnerability and no exploit chain. Font Awesome icons consume developer-authored definitions, not untrusted input, so no attacker-controlled path is articulated. This is a hygiene/maintenance issue framed as future risk, not a confirmed exploitable security bug.
- CWE-1104