AI Code Security

Why AI-Generated Code Has a Dependency Problem

Vibe coding with Claude, Cursor, or Copilot is fast — dangerously fast. AI tools ship entire apps in minutes, but the dependency choices they make can leave your project riddled with hallucinated packages, unvetted libraries, and known CVEs. Here's what's actually happening under the hood.

March 25, 2026
7 min read | By DepAudit Team

The Rise of Vibe Coding — and Its Hidden Cost

Vibe coding — the practice of prompting an AI to write entire features or apps from a description — has exploded in 2025 and 2026. Founders are shipping MVPs without writing a single line of code themselves. Solo developers build SaaS products in a weekend. This is genuinely exciting.

But every app needs dependencies. And AI code generators have a serious, underappreciated problem with the packages they choose.

The Scope of the Problem

In our analysis of AI-generated codebases, over 23% of package.json files contained at least one dependency issue — whether a hallucinated package, a known vulnerability, or a deprecated library that no longer receives security patches.

Three Ways AI Gets Dependencies Wrong

1. Hallucinated Packages

Large language models don't have live access to the npm registry. They predict package names based on patterns in their training data. The result: confident suggestions for packages that don't exist.

This isn't a minor annoyance — it's a supply chain attack vector. When developers (or their AI tools) attempt to install a hallucinated package name, bad actors who have pre-registered that name on npm can deliver malicious code directly into your project. This attack pattern is called dependency confusion or namespace confusion.

# Common hallucinated package patterns seen in AI-generated code
react-auth-flow — doesn't exist
express-api-router-utils — doesn't exist
next-middleware-helpers — doesn't exist
prisma-query-builder — doesn't exist
supabase-auth-utils — doesn't exist

2. Outdated and Vulnerable Dependencies

AI models have a training cutoff. A model trained through late 2024 may confidently suggest a specific version of a library that has since received critical CVE patches. The AI doesn't know that jsonwebtoken@8.5.1 has a critical authentication bypass vulnerability, or that axios@0.21.1 is vulnerable to SSRF attacks.

When you trust AI-generated code verbatim — especially pinned versions in package.json — you may be shipping known vulnerabilities to production without realising it.

3. Abandoned and Unmaintained Libraries

The npm ecosystem moves fast. Packages that were popular in the AI's training data may now be abandoned — no longer receiving security updates, deprecated by their authors, or superseded by better alternatives. Your AI doesn't know the difference between an actively maintained library and one that hasn't been touched in three years.

No Security Patches

Unmaintained packages won't receive fixes when new vulnerabilities are discovered — leaving your app permanently exposed.

Abandoned Ownership

Dormant npm accounts can be taken over, allowing malicious actors to publish compromised updates to your existing dependencies.

Why Traditional Auditing Isn't Enough

You might think: "I run npm audit already. I'm covered." Unfortunately, npm audit has significant blind spots when it comes to AI-generated code:

  • npm audit only checks installed packages — it won't catch packages listed in package.json that don't resolve to real registry entries.
  • It doesn't flag abandonment — a package with no vulnerabilities but no maintenance is still a liability.
  • It doesn't understand AI hallucination patterns — it has no awareness of which packages are commonly invented by LLMs.

What a Proper AI-Aware Dependency Audit Looks Like

Auditing AI-generated code requires a different approach. Here's what to check:

Registry Existence Check

Every package listed in your package.json should be verified against the live npm registry before installation. Don't assume AI-suggested packages exist.

CVE and Vulnerability Scanning

Cross-reference every dependency (and all transitive dependencies) against known vulnerability databases including OSV, NVD, and GitHub Advisories.

Maintenance Status Check

Check the last publish date, open issue count, and whether the package has been officially deprecated. Anything with no updates in 12+ months warrants scrutiny.

Typosquatting Detection

Check for packages with names suspiciously similar to popular libraries — a common vector for supply chain attacks that AI code is particularly vulnerable to.
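The four checks above, as an added example that is not DepAudit's code: a script that audits a package.json before anything is installed. The REGISTRY and ADVISORIES tables are constructed offline snapshots standing in for live npm registry metadata and an OSV/NVD lookup (assumption: a real run would fetch https://registry.npmjs.org/<name> and query an advisory database instead), and the package.json is constructed too.

```javascript
// Added example (not DepAudit's code): a pre-install audit of package.json that
// runs the four checks above offline. REGISTRY and ADVISORIES are constructed
// snapshots standing in for live npm registry metadata and an OSV/NVD lookup.
const POPULAR = ["react", "express", "lodash", "axios", "next", "jsonwebtoken"];
const REGISTRY = {                      // name -> { lastPublish, deprecated }
  react:        { lastPublish: "2026-01-10", deprecated: false },
  jsonwebtoken: { lastPublish: "2025-09-15", deprecated: false },
  request:      { lastPublish: "2020-02-11", deprecated: true },
};
const ADVISORIES = { jsonwebtoken: "9.0.0" }; // name -> first fixed version (assumed)
const PACKAGE_JSON = JSON.stringify({ dependencies: {            // constructed
  react: "^18.2.0", jsonwebtoken: "8.5.1", request: "^2.88.0",
  "react-auth-flow": "^1.0.0", expres: "^4.18.0" } });
// Levenshtein distance: enough to catch one- or two-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// True if plain x.y.z version a (after stripping ^ or ~, i.e. the lowest
// version the range admits) sorts below b. No prerelease handling.
function versionLess(a, b) {
  const pa = a.replace(/^[\^~]/, "").split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
function auditPackageJson(text, now = new Date("2026-03-25")) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const meta = REGISTRY[name];
    if (!meta) {                        // registry existence + typosquat check
      const near = POPULAR.find((p) => editDistance(name, p) <= 2);
      findings.push({ name, issue: near ? `not-found, resembles ${near}` : "not-found" });
      continue;
    }
    if (meta.deprecated) findings.push({ name, issue: "deprecated" });
    const days = (now - new Date(meta.lastPublish)) / 86_400_000;
    if (days > 365) findings.push({ name, issue: "stale" });    // 12+ months
    const fixedIn = ADVISORIES[name];
    if (fixedIn && versionLess(range, fixedIn)) findings.push({ name, issue: `vulnerable, fixed in ${fixedIn}` });
  }
  return findings;
}
```

Run it on the constructed input and every package except react is flagged: the unresolvable names are reported before npm install ever sees them, which is exactly the gap npm audit leaves.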

Building a Safe AI-Assisted Development Workflow

The goal isn't to stop using AI tools — they're genuinely transformative for developer productivity. The goal is to layer in the right safeguards so that AI's speed doesn't come at the cost of security.

A practical workflow for teams using vibe coding:

  1. Generate code with AI — use your preferred tool (Claude, Cursor, Copilot, Gemini).
  2. Audit before installing — run a dependency scan on the package.json before running npm install.
  3. Review flagged packages — investigate anything non-existent, vulnerable, or abandoned before proceeding.
  4. Add CI/CD gating — include dependency auditing in your pipeline so nothing slips through on future updates.

The Bottom Line

AI code generators are remarkable tools, but they weren't designed with npm security as a primary concern. They hallucinate packages. They suggest outdated versions. They don't track which libraries have gone unmaintained. In a world where vibe coding is becoming the norm, dependency auditing isn't optional — it's your last line of defence.

The developers who will build successfully with AI are the ones who understand where AI falls short and have the tools to compensate. Dependency security is one of those areas — and it's fixable with the right workflow.

Audit Your AI-Generated Dependencies Free

Paste your package.json and DepAudit will instantly check for hallucinated packages, known CVEs, deprecated libraries, and typosquatting risks.
