The use of deprecated tools that not have any public vulnerability is considered a vulnerability? If so, which finding is it? I think F0011 is discarded.
Is there any security reason associated with the deprecation of the tool?
Is the tool on a public repository, where it is about to leave? If the tool wasn’t in the repository anymore, would the application crash?
Can the reason for deprecation cause a security breach? How?
It’s a public npm, not sure why is deprecated but there is another version of it with another name; they suggest changing the package since is deprecated and ‘may contain bugs and security issues’ but I had not found any public confirmed vulnerability.
How about FIN.H.0070 or FIN.H.0079?
I would pick for the first (as I think the requirement fits better). It would be an hygiene finding, anyway.
After some research,
I have found that your suggestion for FIN.H.0070 is the best match, since its CWE equivalent 398 has as member CWE-477: Use of Obsolete Function that exactly match the scenario.