5 years if things are not updated will have vulnerabilities. It might be that framework updates will fix them, or code changes needed, or code changes because newer versions of libraries are not backward compatible. Getting old NPM projects updates is hellish. Breaking changes are very common.