You ask Claude Code / Cursor / Codex “add a library for X,” it confidently gives you a name, you npm install, and then notice the GitHub repo hasn’t shipped in three years, there are 200 open issues, and the last release was 2021. The AI isn’t lying — at its training cutoff the package was still alive, and it doesn’t reach out to the registry to check current status. This page shows how to stop the agent from recommending archaeological dependencies, and how to swap them out when it slips through.
Common causes
Ordered by hit rate, highest first.
1. Model training data is frozen at a cutoff date
Every model has a knowledge cutoff. npm releases, deprecation notices, and maintainer changes after that date are invisible to it. Claude / GPT / Gemini frequently recommend what was mainstream 1-2 years ago even though a successor has since taken over. Classic case:
You: add a React drag-and-drop library
AI: use react-beautiful-dnd
Reality: Atlassian archived it in 2024, the community moved to @dnd-kit
How to spot it: paste the package name into https://www.npmjs.com/package/<name> and check “Last publish” (> 12 months is a red flag) and whether the README has a “DEPRECATED / archived” banner.
2. You didn’t tell it to check the registry
A default prompt like “recommend a library for X” triggers memory recall, not a tool call. Cursor and Claude Code have web search available but won’t use it unless you explicitly ask. Aider and bare Codex have no registry access unless you wire a tool in, so they answer from training memory.
How to spot it: scan the answer for an npm URL, a last-release date, or weekly downloads. None of them present = pure recall.
3. Stale Stack Overflow / blog posts got over-trained
Popular libraries get cited in old blog posts repeatedly, outweighing their newer replacements. Even when the replacement is the de-facto standard (node-fetch → native fetch, moment → dayjs / date-fns), the AI still surfaces the old one.
How to spot it: search <old-lib> alternative 2026 or <old-lib> deprecated. If the first page is migration threads on reddit / GitHub discussions, you’re in this trap.
4. Similar package names cause cross-recommendation
request is deprecated but still gets recommended; crypto is built into Node but the AI suggests crypto-js; uuid dropped its default export and deep imports (require('uuid/v4')) in v7, yet the AI still writes v3-style code against the current 9.x line. Major-version skew in same-named packages is a frequent gotcha.
How to spot it: ask the AI to give the import statement and the package.json version at the same time. If it pins ^1.x or ^2.x but the current major is 9.x, there’s almost certainly a breaking change.
5. Recommends a capability that’s been folded into the platform
Node 18+ ships native fetch, structuredClone, and a test runner; modern browsers have crypto.randomUUID(). The AI may still install node-fetch, uuid, or lodash.clonedeep — one more dependency, one more audit surface.
How to spot it: after a runtime upgrade, review the AI-added deps and ask “does Node / the browser / the framework already have this built in?”
Shortest path to fix
Ordered by ROI. The first three usually solve the “AI recommended a dead lib” problem.
Step 1: Use npm view to triage in three seconds
For any package name the AI gives you, run:
npm view react-beautiful-dnd time.modified
npm view react-beautiful-dnd deprecated
npm view react-beautiful-dnd maintainers
- `time.modified` is the last time the package record changed: > 12 months is a yellow flag. Note that a deprecation notice also bumps `modified`, so for a package that was killed recently after years of silence, compare against the newest version’s date in `npm view <pkg> time` instead
- `deprecated` returning a string means the maintainer formally marked it dead
- `maintainers` shrinking to one personal account is a long-term bus-factor risk
For Python: pip index versions <pkg> or check the “Last release” line on the PyPI page.
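The three checks above, turned into a script so the verdict is mechanical rather than eyeballed. This is an added example and not code from the original page; it consumes the JSON that `npm view <pkg> --json` prints (the `time`, `deprecated` and `maintainers` fields are real packument fields), and the two packuments embedded below are constructed for the example and do not describe any real package.

```javascript
// Added example: triage an npm packument into ok / investigate / reject.
// Run `node triage.js <pkg>` to fetch a real packument via `npm view --json`,
// or with no argument to triage the constructed sample below.

const STALE_AFTER_DAYS = 365; // the page's "> 12 months" threshold

// `time` maps every published version (plus "created" and "modified") to an
// ISO timestamp. Use the newest *version* entry rather than `modified`:
// deprecating a package also bumps `modified`, so a package killed last week
// after five idle years would otherwise look freshly maintained.
function lastPublishDate(time) {
  const stamps = Object.entries(time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([, iso]) => Date.parse(iso))
    .filter(Number.isFinite);
  return stamps.length ? new Date(Math.max(...stamps)) : null;
}

function triage(packument, now = new Date()) {
  const flags = [];
  const last = lastPublishDate(packument.time || {});
  const ageDays = last ? Math.floor((now.getTime() - last.getTime()) / 86_400_000) : null;

  if (ageDays === null) flags.push('no publish history');
  else if (ageDays > STALE_AFTER_DAYS) flags.push(`last publish ${ageDays} days ago`);

  // `deprecated` is present (as the maintainer's message) only when the
  // latest version is deprecated.
  const deprecated = typeof packument.deprecated === 'string' && packument.deprecated.trim() !== '';
  if (deprecated) flags.push(`deprecated: ${packument.deprecated}`);

  const maintainers = Array.isArray(packument.maintainers) ? packument.maintainers.length : 0;
  if (maintainers <= 1) flags.push(`${maintainers} maintainer(s)`);

  const verdict = deprecated ? 'reject' : flags.length ? 'investigate' : 'ok';
  return {
    name: packument.name,
    lastPublish: last ? last.toISOString().slice(0, 10) : null,
    ageDays,
    maintainers,
    flags,
    verdict,
  };
}

// Constructed sample: went quiet in 2021, was marked deprecated in 2024
// (note the late `modified`), and has a single remaining maintainer.
const SAMPLE_DEAD = {
  name: 'example-dead-dnd',
  time: {
    created: '2018-03-01T00:00:00.000Z',
    '1.0.0': '2018-03-01T00:00:00.000Z',
    '2.1.0': '2021-06-01T00:00:00.000Z',
    modified: '2024-08-15T00:00:00.000Z',
  },
  deprecated: 'This package is no longer maintained.',
  maintainers: [{ name: 'solo-dev', email: 'solo@example.invalid' }],
};

// Constructed sample: a healthy package.
const SAMPLE_LIVE = {
  name: 'example-live-dnd',
  time: {
    created: '2022-01-10T00:00:00.000Z',
    '3.0.0': '2022-01-10T00:00:00.000Z',
    '3.4.0': '2025-11-20T00:00:00.000Z',
    modified: '2025-11-20T00:00:00.000Z',
  },
  maintainers: [{ name: 'a' }, { name: 'b' }, { name: 'c' }],
};

// Live use: shells out to npm, which is the only network access in this file.
function triageFromRegistry(pkg, now = new Date()) {
  const { execFileSync } = require('node:child_process');
  const json = execFileSync('npm', ['view', pkg, '--json'], { encoding: 'utf8' });
  return triage(JSON.parse(json), now);
}

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const result = target
    ? triageFromRegistry(target)
    : triage(SAMPLE_DEAD, new Date('2026-01-15T00:00:00Z'));
  console.log(JSON.stringify(result, null, 2));
}
```

The `now` parameter exists so the staleness check is reproducible in tests; in a pre-install hook you would leave it at the default and refuse any package whose verdict is not `ok`.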
Step 2: Re-prompt with evidence required
Force a tool call or an explicit “I don’t know” instead of free recall:
I need a React drag-and-drop library. Please:
1. List 3 candidates that have shipped a release on npm in the last 12 months
2. For each: weekly downloads, last release date, GitHub stars, recent issue activity
3. Do not recommend anything that is archived or deprecated
If you cannot access npm, say "I cannot verify, please double-check manually"
rather than answering from memory.
In Claude Code, enable web search; in Cursor, prefix with @Web to force a live lookup; with a bare LLM and no tools, require it to explicitly say “I cannot verify.”
Step 3: Use npm-check-updates to fix AI-pinned old versions
The AI often hard-codes version numbers from its training snapshot. Sweep them in one pass:
npx npm-check-updates -u # bump every package.json range to latest
npm install
npm test
If you only want minor / patch bumps, run `npx npm-check-updates -u --target minor` instead; for major bumps, walk each changelog before accepting the new range. Python equivalent: `pip list --outdated` to see what moved, then `pip-review --auto` to apply.
Step 4: Common “AI-loves-but-stale” swap table
Direct replacements, so you don’t have to re-research every time:
| AI often suggests (stale) | Modern replacement |
|---|---|
| request | native fetch (Node 18+) / undici |
| moment | date-fns / dayjs / Temporal polyfill |
| node-fetch | native fetch (Node 18+) |
| full lodash | lodash-es cherry-pick / native ES |
| uuid v3 API | crypto.randomUUID() (require('node:crypto') on Node 14.17+, global crypto on Node 19+, and browsers) |
| react-beautiful-dnd | @dnd-kit/core |
| enzyme | @testing-library/react |
| tslint | eslint + @typescript-eslint |
| node-sass | sass (Dart Sass) |
| formik | react-hook-form |
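The swap table is only useful if something enforces it. The script below is an added example (not code from the original page) that lints a package.json object against the table and against the Node built-ins from cause 5, gating the built-in suggestions on the project’s declared `engines.node`, and flags caret/tilde ranges on dependencies you have declared critical. The replacement advice restates the table; the package.json at the bottom is a constructed sample.

```javascript
// Added example: lint package.json for stale, built-in-replaceable and
// loosely pinned dependencies. `node lint-deps.js ./package.json` lints a
// real file; with no argument it lints the constructed sample below.

// Straight from the swap table: packages that are stale regardless of runtime.
const STALE_SWAPS = {
  request: 'global fetch (Node 18+) or undici',
  moment: 'date-fns / dayjs',
  lodash: 'lodash-es cherry-picks or native ES',
  'react-beautiful-dnd': '@dnd-kit/core',
  enzyme: '@testing-library/react',
  tslint: 'eslint + @typescript-eslint',
  'node-sass': 'sass (Dart Sass)',
  formik: 'react-hook-form',
};

// Packages a new-enough Node makes redundant. `major` is the first Node major
// that ships the built-in (randomUUID also exists in 14.17, but comparing
// majors keeps the check simple and conservative).
const BUILTIN_SINCE = {
  'node-fetch': { major: 18, advice: 'global fetch' },
  'lodash.clonedeep': { major: 17, advice: 'structuredClone' },
  uuid: { major: 15, advice: "randomUUID() from 'node:crypto'" },
};

// Lowest Node major the project declares, e.g. ">=18.0.0" -> 18; 0 if unknown,
// which disables the built-in suggestions rather than guessing.
function declaredNodeMajor(engines) {
  const m = /(\d+)/.exec((engines && engines.node) || '');
  return m ? Number(m[1]) : 0;
}

function lintDependencies(pkg, critical = []) {
  const major = declaredNodeMajor(pkg.engines);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const builtin = BUILTIN_SINCE[name];
    if (builtin && major >= builtin.major) {
      findings.push({ name, kind: 'builtin', advice: `drop it, Node ${major} has ${builtin.advice}` });
    } else if (STALE_SWAPS[name]) {
      findings.push({ name, kind: 'stale', advice: `replace with ${STALE_SWAPS[name]}` });
    }
    // Critical deps get exact pins; let Renovate / Dependabot move them.
    if (critical.includes(name) && /^[\^~]/.test(range)) {
      findings.push({ name, kind: 'range', advice: `pin exactly, currently "${range}"` });
    }
  }
  return findings;
}

// Constructed sample: the kind of package.json an agent leaves behind.
const SAMPLE_PKG = {
  engines: { node: '>=20' },
  dependencies: {
    request: '^2.88.2',
    'node-fetch': '^2.6.7',
    moment: '^2.29.4',
    uuid: '^3.4.0',
    express: '^4.18.2',
  },
  devDependencies: { enzyme: '^3.11.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2];
  const pkg = path ? JSON.parse(require('node:fs').readFileSync(path, 'utf8')) : SAMPLE_PKG;
  const findings = lintDependencies(pkg, ['express']);
  for (const f of findings) console.log(`${f.kind.padEnd(8)} ${f.name}: ${f.advice}`);
  // Fail CI only for a real file, so the demo run exits cleanly.
  if (path && findings.length) process.exitCode = 1;
}
```

Wire it into CI next to `npm audit`: the audit catches versions with known CVEs, this catches the dead-but-not-yet-vulnerable ones that the AI keeps reintroducing.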
Step 5: Write the “always check the registry” rule into the AI’s standing instructions
Add a hard rule to CLAUDE.md / .cursorrules / AGENTS.md:
Before recommending any third-party dependency you MUST:
- Check the last publish date on npm/PyPI (require ≤ 12 months)
- Check the deprecated field on the package
- If you have no network tools, explicitly tell the user "I cannot verify
current status" instead of answering from training memory
- Prefer runtime built-ins (Node fetch, crypto.randomUUID, etc.)
Prevention
- Run `npm view <pkg> time deprecated` for every AI-suggested dependency before installing
- In `CLAUDE.md` / `.cursorrules`, require “any dependency recommendation must include the last release date”
- Add `npm audit --audit-level=high` to CI to fail on versions with known vulnerabilities, and `npx depcheck` to flag dependencies that are declared but no longer imported
- Quarterly, run `npx npm-check-updates -u` plus the test suite to proactively retire old deps
- Prefer runtime built-ins (native fetch, crypto.randomUUID, structuredClone): one less package is one less risk
- Pin critical deps exactly (no `^`) in `package.json`; let Renovate / Dependabot drive upgrades, not the AI freestyling
Related
- AI tests pass but feature broken
- Package lock conflicts
- AI hallucinated file
- AI dependency upgrade workflow
- AI pre-commit review workflow
Tags: #AI coding #Debug #Troubleshooting