Dependency Churn in AI-Assisted Projects

Traditional projects acquire dependencies deliberately: a developer identifies a need, evaluates options, chooses a package, and adds it to the dependency manifest. Each addition is a conscious decision with at least some evaluation of the package.

In vibe-coded projects, dependencies arrive as outputs of code generation. An AI that generates a feature will also generate the import statements and sometimes directly modify the package manifest. The developer may not register which new packages were added as a side effect of asking the AI to "add file upload support" or "implement rate limiting."

Dependency velocity in AI-assisted projects is 3-5Γ— higher than in traditionally developed projects of similar size, based on analysis of open-source projects with high AI contribution rates. More dependencies per unit of time means more surface area, more CVEs, and more supply chain risk β€” with proportionally less scrutiny per dependency.

Where the Trust Model Breaks

Traditional supply chain security is built on the assumption that a developer chose each dependency. That assumption gives us useful heuristics: a senior developer who has used a package for years is unlikely to add a malicious version of it by accident.

Vibe coding breaks this assumption in several ways:

  • No package familiarity β€” developers using AI-generated code may have no prior knowledge of the packages being added to their project
  • No evaluation step β€” the decision flow goes from "tell AI what I want" to "merge the PR" without a distinct evaluation step for new dependencies
  • Context collapse β€” a developer reviewing a 500-line AI-generated PR may not notice three new entries in package.json that weren't there before
  • Velocity pressure β€” the value proposition of vibe coding is speed; pausing to evaluate each new dependency slows down the workflow that makes AI coding attractive

Agentic Tools and Autonomous Installs

Agentic coding tools that can execute shell commands create a critical escalation: the AI can install packages directly, without any human approval step. An agent tasked with "implement this feature" may run npm install or pip install as part of its implementation β€” potentially adding packages that were never reviewed by a human.

agentic install riskText
User: "Add email validation to the signup form"

Agent actions:
1. Reads current form code
2. Decides email-validator package would help
3. Runs: npm install email-validator-extended  ← not reviewed
4. Writes new form code using the installed package
5. Reports: "Done! I added email validation using email-validator-extended"

# email-validator-extended doesn't exist officially
# An attacker registered it with a credential-stealing payload
# The agent just installed malware autonomously

Agentic coding tools should never have permission to install packages directly. All package installation should require human approval, even in highly automated development workflows. The performance cost of this gate is worth the security benefit.

Transitive Dependency Explosion

AI coding tools are not sensitive to the difference between a package with 5 transitive dependencies and one with 500. They optimise for feature completeness and API ergonomics β€” not minimal dependency footprint.

A vibe-coded project that uses AI-suggested libraries may end up with significantly deeper and wider dependency trees than a project where a developer made explicit choices about dependency weight. Each transitive dependency is supply chain exposure β€” a potential CVE, a potential compromise, a package that could be typosquatted at a higher version.

Security teams scanning AI-assisted projects often find the dependency count has grown dramatically compared to similar traditionally-coded projects, increasing the continuous monitoring burden proportionally.

SCA Gaps in Vibe Coding Workflows

Traditional SCA tooling was designed for a world where dependency changes are deliberate and infrequent. In vibe coding workflows:

  • Alert fatigue β€” high dependency churn generates more SCA alerts; security teams may start tuning out or auto-dismissing alerts that arrive too frequently
  • Lock file verification gaps β€” if agentic tools can modify lock files without going through PR review, lock file integrity is compromised
  • SBOM staleness β€” SBOMs generated at release time may not reflect the current dependency state of rapidly iterated vibe-coded projects
  • Provenance tracking gaps β€” knowing why a dependency was added (which developer, which PR, for what reason) becomes harder when AI agents add them autonomously

Adapted Security Controls for Vibe Coding Projects

  • Block agent package installs β€” configure agentic tools so they can suggest package additions but cannot install them directly; all installs require human approval
  • New dependency alert on every PR β€” automatically flag any PR that adds new packages (direct or transitive) for security review, with metadata on the package's age, download count, and provenance
  • Dependency allowlist enforcement β€” AI-assisted projects benefit most from strict allowlisting; packages not on the list cannot be added without security team approval
  • Continuous SCA with real-time alerts β€” don't wait for CI; scan for new CVEs in your dependency tree continuously and alert within hours of disclosure
  • Minimal footprint prompting β€” include instructions in AI system prompts to prefer packages already in use over new dependencies, and to avoid packages with large transitive dependency trees

The organisational shift: In vibe coding organisations, SCA becomes a real-time operational function β€” not a periodic audit. Dependencies change daily. Vulnerabilities are disclosed daily. The security team needs tooling and processes designed for continuous monitoring, not quarterly reviews.