You ask Claude Code, Cursor, or Codex to “add a library for X,” it confidently gives you a name, you npm install, and then notice the GitHub repo hasn’t shipped in three years, there are 200 open issues, and the last release was 2021. The AI isn’t lying. At its training cutoff the package was still alive, and by default it doesn’t reach out to the registry to check current status, so it answers from memory.
Fastest fix: before you install anything an AI suggests, run npm view <pkg> time.modified deprecated (one line). If the last publish is over a year old or the deprecated field returns a string, it is stale. Check the swap table below for the modern replacement, or re-prompt the agent with web search turned on. Each piece is expanded below.
Which bucket are you in
Five distinct causes feed this problem. Match your symptom to a row, then jump to the matching fix.
| Symptom you’re seeing | Likely cause | Go to |
|---|---|---|
| Suggested package’s last release is years old | Training cutoff (recall, not lookup) | Cause 1 / Step 1 |
| Answer has no npm link, downloads, or release date | No registry check was requested | Cause 2 / Step 2 |
| AI insists on the “classic” lib over a known modern fork | Over-trained on old blog posts | Cause 3 / Step 4 |
import works but the API is wrong for the installed version | Same-name major-version skew | Cause 4 / Step 3 |
| It installed a polyfill for something now built into the runtime | Capability folded into platform | Cause 5 / Step 4 |
Common causes
Ordered by hit rate, highest first.
1. Model training data is frozen at a cutoff date
Every model has a knowledge cutoff. npm releases, deprecation notices, and maintainer changes after that date are invisible to it. Claude, GPT, and Gemini frequently recommend what was mainstream 1-2 years ago even though a fork has since taken over. Classic case:
You: add a React drag-and-drop library
AI: use react-beautiful-dnd
Reality: Atlassian archived the repo on 2025-08-18 and the npm package
is deprecated (it prints a console warning on install). The
community moved to @dnd-kit; Atlassian's own successor is
Pragmatic drag-and-drop (@atlaskit/pragmatic-drag-and-drop).
How to spot it: paste the package name into https://www.npmjs.com/package/<name> and check “Last publish” (more than 12 months old is a red flag, as of June 2026) and whether the README has a “DEPRECATED / archived” banner. The npm page also surfaces a yellow deprecation banner above the install command when the maintainer has marked it dead.
2. You didn’t tell it to check the registry
A default prompt like “recommend a library for X” triggers memory recall, not a tool call. Cursor and Claude Code can both search the web, but won’t unless web access is enabled or you explicitly ask (in Cursor, the @Web tool; in Claude Code, the WebSearch/WebFetch tools must be available in the session). A bare LLM with no tools reasons fully offline.
How to spot it: scan the answer for an npm URL, a last-release date, or weekly downloads. None of them present means it answered from memory.
3. Stale Stack Overflow / blog posts got over-trained
Popular libraries get cited in old blog posts repeatedly, outweighing their newer replacements. Even when the new fork is the de-facto standard (node-fetch → native fetch, moment → dayjs / date-fns), the AI still surfaces the old one.
How to spot it: search <old-lib> alternative 2026 or <old-lib> deprecated. If the first page is migration threads on reddit / GitHub discussions, you’re in this trap.
4. Similar package names cause cross-recommendation
request was fully deprecated back in 2020 but still gets recommended; crypto is built into Node but the AI suggests crypto-js; the uuid package (current major 14.x as of June 2026) changed its API several majors ago but the AI writes v3-style uuid.v4() import code that no longer matches. Major-version skew in same-named packages is a frequent gotcha.
How to spot it: ask the AI to give the import statement and the package.json version at the same time. If it pins ^1.x or ^2.x but the current major is several versions ahead, there’s almost certainly a breaking change. Confirm with npm view <pkg> version (latest) versus what it wrote.
5. Recommends a capability that’s been folded into the platform
Node 18+ ships native fetch, structuredClone, and a test runner; modern browsers have crypto.randomUUID(). The AI may still install node-fetch, uuid, or lodash.clonedeep — one more dependency, one more audit surface.
How to spot it: after a runtime upgrade, review the AI-added deps and ask “does Node / the browser / the framework already have this built in?”
Shortest path to fix
Ordered by ROI. The first three usually solve the “AI recommended a dead lib” problem.
Step 1: Use npm view to triage in three seconds
For any package name the AI gives you, run:
npm view react-beautiful-dnd time.modified
npm view react-beautiful-dnd deprecated
npm view react-beautiful-dnd maintainers
time.modifiedis the last-change timestamp on the package document — more than 12 months old is a yellow flagdeprecatedreturning a string means the maintainer formally marked it dead (empty output means it is not deprecated)maintainersshrinking to one personal GitHub account is a long-term risk
Want the whole tree checked at once instead of one package at a time? Run npx npm-deprecated-check to scan every dependency in your lockfile for deprecation notices in a single pass.
For Python: pip index versions <pkg> to see released versions, or check the “Last release” date on the PyPI page (https://pypi.org/project/<pkg>/).
Step 2: Re-prompt with evidence required
Force a tool call or an explicit “I don’t know” instead of free recall:
I need a React drag-and-drop library. Please:
1. List 3 candidates that have shipped a release on npm in the last 12 months
2. For each: weekly downloads, last release date, GitHub stars, recent issue activity
3. Do not recommend anything that is archived or deprecated
If you cannot access npm, say "I cannot verify, please double-check manually"
rather than answering from memory.
In Claude Code, enable web search; in Cursor, prefix with @Web to force a live lookup; with a bare LLM and no tools, require it to explicitly say “I cannot verify.”
Step 3: Use npm-check-updates to fix AI-pinned old versions
The AI often hard-codes version numbers from its training snapshot. Sweep them in one pass:
npx npm-check-updates -u # bump every package.json range to latest
npm install
npm test
If only minor / patch changes are needed, lock with ~; for major bumps, walk each changelog. Python equivalent: pip list --outdated + pip-review --auto.
Step 4: Common “AI-loves-but-stale” swap table
Direct replacements, so you don’t have to re-research every time:
| AI often suggests (stale) | Modern replacement (June 2026) | Status note |
|---|---|---|
request | native fetch (Node 18+) / undici | request deprecated since 2020 |
moment | date-fns v4 / dayjs / Temporal | moment in maintenance mode since 2020 |
node-fetch | native fetch | global fetch stable in Node 18+ |
full lodash | lodash-es cherry-pick / native ES | tree-shaking matters |
uuid v3 API code | crypto.randomUUID() (Node 19+/LTS 20+/browser) | uuid pkg still maintained at 14.x; only the v3 API code is stale |
react-beautiful-dnd | @dnd-kit/core, or @atlaskit/pragmatic-drag-and-drop, or fork @hello-pangea/dnd | repo archived 2025-08-18, npm deprecated |
enzyme | @testing-library/react | enzyme unmaintained, no React 18/19 adapter |
tslint | eslint + @typescript-eslint | tslint deprecated since 2019 |
node-sass | sass (Dart Sass) | node-sass deprecated |
formik | react-hook-form | formik unmaintained; maintainer points to RHF |
Note on Temporal: the API reached TC39 Stage 4 in March 2026 and ships natively in Chrome 144+ and Firefox 139+ (behind a flag in Node v24), but broad runtime support is not there yet. For production today use date-fns or dayjs; reach for Temporal with a polyfill only if you specifically want the new standard.
Step 5: Write the “always check the registry” rule into the AI’s standing instructions
Add a hard rule to CLAUDE.md / .cursorrules / AGENTS.md:
Before recommending any third-party dependency you MUST:
- Check the last publish date on npm/PyPI (require ≤ 12 months)
- Check the deprecated field on the package
- If you have no network tools, explicitly tell the user "I cannot verify
current status" instead of answering from training memory
- Prefer runtime built-ins (Node fetch, crypto.randomUUID, etc.)
How to confirm it’s fixed
After swapping or upgrading, verify rather than assume:
npm view <new-pkg> deprecatedreturns nothing (not deprecated).npm ls <old-pkg>shows the old package is gone from the tree (no transitive copy still pulling it in).npm installruns with no deprecation warnings printed for that package.npm test(or your build) passes against the new API.npm audit --audit-level=highreports no high/critical advisories tied to the removed package.
FAQ
Why does the AI keep recommending the same dead library even after I correct it?
Within a single chat it will usually take the correction, but a fresh session starts from training memory again. The durable fix is the standing-instruction rule in Step 5 (CLAUDE.md / .cursorrules / AGENTS.md), which is loaded into every session.
Is a package with no commits for a year automatically bad?
No. Small, “finished” utilities (for example leftpad-style single-purpose libs) can be stable and complete. Treat 12-plus months as a prompt to check three things: an explicit deprecated flag, open security advisories (npm audit), and whether the capability is now a runtime built-in. Old plus deprecated plus replaceable is the bad combination, not age alone.
How do I know an AI actually checked npm instead of guessing?
Ask it to include, for each candidate, the last release date and weekly download count, and to cite the npm URL. If those numbers are absent or obviously wrong against https://www.npmjs.com/package/<name>, it answered from memory. In Cursor, @Web forces a live lookup; in Claude Code, the web tools must be enabled in the session.
The uuid package is at v14 and maintained, so why is it in the swap table?
The package is fine. The stale part is the v3-era code AIs often emit (const uuid = require('uuid'); uuid.v4()), which breaks against modern majors. For new code on Node 19+ / LTS 20+ you usually don’t need the dependency at all: crypto.randomUUID() is built in.
Does this only apply to npm?
No. The same pattern hits PyPI (pip index versions <pkg>, check “Last release”), Cargo (cargo search, crates.io status), and Go modules. The triage idea is identical: confirm the latest version and maintenance status from the registry before trusting an AI’s recall.
Prevention
- Run
npm view <pkg> time.modified deprecatedfor every AI-suggested dependency before installing - In
CLAUDE.md/.cursorrules, require “any dependency recommendation must include the last release date” - Add
npm audit --audit-level=highandnpx depcheckto CI to catch abandoned packages - Quarterly, run
npx npm-check-updates -uplus the test suite to proactively retire old deps - Prefer runtime built-ins (native fetch, crypto.randomUUID, structuredClone); one less package is one less risk
- Pin critical deps exactly (no
^) inpackage.json; let Renovate / Dependabot drive upgrades, not the AI freestyling
Related
- AI tests pass but feature broken
- Package lock conflicts
- AI hallucinated file
- AI dependency upgrade workflow
- AI pre-commit review workflow
External references:
Tags: #AI coding #Debug #Troubleshooting