
"AI that recommends dependency upgrades without checking actual sources creates a dangerous situation. New research shows that 27.76 percent of recommendations refer to versions that do not even exist. This means a lot of fictitious versions that cost developers valuable time. This is according to figures from Sonatype. The problem goes beyond mere hallucinations. AI can also recommend existing but dangerous versions. Think of vulnerable software, malware, or packages that fall outside company policy."
"Registries such as Maven Central, PyPI, npm, and NuGet currently process 9.8 trillion downloads per year. The top three cloud providers generate more than 108 billion requests on Maven Central alone. Attackers take advantage of vulnerabilities. In 2025, 454,648 new malicious packages were logged worldwide. The total since 2019 is now over 1.233 million. According to Sonatype, this shows continued pressure on ecosystems that were originally designed to be open and accessible."
27.76 percent of AI-generated dependency-upgrade recommendations point to non-existent package versions, causing wasted developer time and broken pipelines. AI can also suggest existing but unsafe versions, including vulnerable software, malware, or packages that violate company policy. Major registries (Maven Central, PyPI, npm, NuGet) handle trillions of downloads and billions of requests, exposing large attack surfaces. In 2025, 454,648 new malicious packages were recorded, bringing the total since 2019 to over 1.233 million. Sixty-five percent of open-source CVEs lack NVD-assigned CVSS scores, complicating risk prioritization, slowing upgrades, and increasing uncertainty for teams.
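The mitigation the article implies is to verify every AI-suggested upgrade against the real registry before it reaches a manifest or a CI pipeline. The following is an added example written for this page; it is not code from Techzine, Sonatype, or any registry. It works against a constructed, offline registry snapshot (package names, versions, advisory identifiers and the policy floor are all invented for the example) and uses a deliberately simple numeric version parser; a production check would query the registry itself (for example the registry's package metadata endpoint) and use a proper version library such as `packaging.version`.

```python
"""Validate AI-suggested dependency upgrades before accepting them.

Added example, not from the article. The registry snapshot, package names,
advisory IDs and policy floor below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed registry snapshot: package -> {version -> metadata}.
# Stands in for a live lookup against PyPI/npm/Maven Central/NuGet.
REGISTRY_SNAPSHOT: Dict[str, Dict[str, dict]] = {
    "acme-http": {
        "2.31.0": {"yanked": False, "advisories": []},
        "2.32.3": {"yanked": False, "advisories": []},
    },
    "acme-parser": {
        "1.4.0": {"yanked": False, "advisories": ["EXAMPLE-ADV-0001"]},
        "1.4.1": {"yanked": True, "advisories": []},
        "1.5.0": {"yanked": False, "advisories": []},
    },
}

# Constructed company policy: minimum allowed version per package.
POLICY_MIN_VERSION: Dict[str, Tuple[int, ...]] = {"acme-http": (2, 32, 0)}


@dataclass
class Verdict:
    package: str
    version: str
    status: str  # "ok", "nonexistent", "yanked", "vulnerable", "policy"
    detail: str = ""


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a purely numeric dotted version ('1.4.0' -> (1, 4, 0)).

    Assumption for this example: versions are numeric dotted strings.
    Pre-release/build suffixes would need a real version library.
    """
    return tuple(int(part) for part in version.split("."))


def check_recommendation(
    package: str,
    version: str,
    registry: Dict[str, Dict[str, dict]] = REGISTRY_SNAPSHOT,
    policy: Dict[str, Tuple[int, ...]] = POLICY_MIN_VERSION,
) -> Verdict:
    """Classify one suggested (package, version) pair.

    Checks are ordered from 'does it exist at all' to 'is it allowed here',
    mirroring the article's three failure modes: hallucinated versions,
    existing-but-unsafe versions, and versions outside company policy.
    """
    releases = registry.get(package)
    if releases is None:
        return Verdict(package, version, "nonexistent", "package not in registry")
    meta = releases.get(version)
    if meta is None:
        return Verdict(package, version, "nonexistent",
                       f"known versions: {sorted(releases)}")
    if meta.get("yanked"):
        return Verdict(package, version, "yanked", "release withdrawn by publisher")
    if meta.get("advisories"):
        return Verdict(package, version, "vulnerable",
                       "advisories: " + ", ".join(meta["advisories"]))
    floor = policy.get(package)
    if floor is not None and parse_version(version) < floor:
        return Verdict(package, version, "policy",
                       "below policy minimum " + ".".join(map(str, floor)))
    return Verdict(package, version, "ok")


def triage(recommendations: List[Tuple[str, str]]) -> dict:
    """Run every suggestion through the check and summarise the outcome.

    Returns status counts plus the share of suggestions that referred to a
    version that does not exist, the figure the article calls out.
    """
    verdicts = [check_recommendation(pkg, ver) for pkg, ver in recommendations]
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.status] = counts.get(v.status, 0) + 1
    total = len(verdicts)
    return {
        "verdicts": verdicts,
        "counts": counts,
        "nonexistent_rate": counts.get("nonexistent", 0) / total if total else 0.0,
    }


if __name__ == "__main__":
    # Constructed batch of AI suggestions: one hallucinated, one unsafe,
    # one policy violation, one acceptable.
    batch = [("acme-http", "2.33.0"), ("acme-parser", "1.4.0"),
             ("acme-http", "2.31.0"), ("acme-parser", "1.5.0")]
    for verdict in triage(batch)["verdicts"]:
        print(f"{verdict.package}=={verdict.version}: {verdict.status} {verdict.detail}")
```

The ordering of checks matters in practice: a version that does not exist should be rejected before any advisory or policy lookup, since those lookups cannot return meaningful results for it, and a yanked release is treated as unsafe even when no advisory has been filed against it yet.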
Read at Techzine Global