AI Suggested a Stale Dependency: Fix It Fast

An AI agent recommended an abandoned npm/PyPI package. Triage it in 3 seconds with npm view, swap it for the modern replacement, and stop it recurring.

You ask Claude Code, Cursor, or Codex to “add a library for X,” it confidently gives you a name, you npm install, and then notice the GitHub repo hasn’t shipped in three years, there are 200 open issues, and the last release was 2021. The AI isn’t lying. At its training cutoff the package was still alive, and by default it doesn’t reach out to the registry to check current status, so it answers from memory.

Fastest fix: before you install anything an AI suggests, run npm view <pkg> time.modified deprecated (one line). If the last publish is over a year old or the deprecated field returns a string, it is stale. Check the swap table below for the modern replacement, or re-prompt the agent with web search turned on. Each piece is expanded below.

Which bucket are you in

Five distinct causes feed this problem. Match your symptom to a row, then jump to the matching fix.

Symptom you’re seeingLikely causeGo to
Suggested package’s last release is years oldTraining cutoff (recall, not lookup)Cause 1 / Step 1
Answer has no npm link, downloads, or release dateNo registry check was requestedCause 2 / Step 2
AI insists on the “classic” lib over a known modern forkOver-trained on old blog postsCause 3 / Step 4
import works but the API is wrong for the installed versionSame-name major-version skewCause 4 / Step 3
It installed a polyfill for something now built into the runtimeCapability folded into platformCause 5 / Step 4

Common causes

Ordered by hit rate, highest first.

1. Model training data is frozen at a cutoff date

Every model has a knowledge cutoff. npm releases, deprecation notices, and maintainer changes after that date are invisible to it. Claude, GPT, and Gemini frequently recommend what was mainstream 1-2 years ago even though a fork has since taken over. Classic case:

You: add a React drag-and-drop library
AI: use react-beautiful-dnd
Reality: Atlassian archived the repo on 2025-08-18 and the npm package
         is deprecated (it prints a console warning on install). The
         community moved to @dnd-kit; Atlassian's own successor is
         Pragmatic drag-and-drop (@atlaskit/pragmatic-drag-and-drop).

How to spot it: paste the package name into https://www.npmjs.com/package/<name> and check “Last publish” (more than 12 months old is a red flag, as of June 2026) and whether the README has a “DEPRECATED / archived” banner. The npm page also surfaces a yellow deprecation banner above the install command when the maintainer has marked it dead.

2. You didn’t tell it to check the registry

A default prompt like “recommend a library for X” triggers memory recall, not a tool call. Cursor and Claude Code can both search the web, but won’t unless web access is enabled or you explicitly ask (in Cursor, the @Web tool; in Claude Code, the WebSearch/WebFetch tools must be available in the session). A bare LLM with no tools reasons fully offline.

How to spot it: scan the answer for an npm URL, a last-release date, or weekly downloads. None of them present means it answered from memory.

3. Stale Stack Overflow / blog posts got over-trained

Popular libraries get cited in old blog posts repeatedly, outweighing their newer replacements. Even when the new fork is the de-facto standard (node-fetch → native fetch, momentdayjs / date-fns), the AI still surfaces the old one.

How to spot it: search <old-lib> alternative 2026 or <old-lib> deprecated. If the first page is migration threads on reddit / GitHub discussions, you’re in this trap.

4. Similar package names cause cross-recommendation

request was fully deprecated back in 2020 but still gets recommended; crypto is built into Node but the AI suggests crypto-js; the uuid package (current major 14.x as of June 2026) changed its API several majors ago but the AI writes v3-style uuid.v4() import code that no longer matches. Major-version skew in same-named packages is a frequent gotcha.

How to spot it: ask the AI to give the import statement and the package.json version at the same time. If it pins ^1.x or ^2.x but the current major is several versions ahead, there’s almost certainly a breaking change. Confirm with npm view <pkg> version (latest) versus what it wrote.

5. Recommends a capability that’s been folded into the platform

Node 18+ ships native fetch, structuredClone, and a test runner; modern browsers have crypto.randomUUID(). The AI may still install node-fetch, uuid, or lodash.clonedeep — one more dependency, one more audit surface.

How to spot it: after a runtime upgrade, review the AI-added deps and ask “does Node / the browser / the framework already have this built in?”

Shortest path to fix

Ordered by ROI. The first three usually solve the “AI recommended a dead lib” problem.

Step 1: Use npm view to triage in three seconds

For any package name the AI gives you, run:

npm view react-beautiful-dnd time.modified
npm view react-beautiful-dnd deprecated
npm view react-beautiful-dnd maintainers
  • time.modified is the last-change timestamp on the package document — more than 12 months old is a yellow flag
  • deprecated returning a string means the maintainer formally marked it dead (empty output means it is not deprecated)
  • maintainers shrinking to one personal GitHub account is a long-term risk

Want the whole tree checked at once instead of one package at a time? Run npx npm-deprecated-check to scan every dependency in your lockfile for deprecation notices in a single pass.

For Python: pip index versions <pkg> to see released versions, or check the “Last release” date on the PyPI page (https://pypi.org/project/<pkg>/).

Step 2: Re-prompt with evidence required

Force a tool call or an explicit “I don’t know” instead of free recall:

I need a React drag-and-drop library. Please:
1. List 3 candidates that have shipped a release on npm in the last 12 months
2. For each: weekly downloads, last release date, GitHub stars, recent issue activity
3. Do not recommend anything that is archived or deprecated
If you cannot access npm, say "I cannot verify, please double-check manually"
rather than answering from memory.

In Claude Code, enable web search; in Cursor, prefix with @Web to force a live lookup; with a bare LLM and no tools, require it to explicitly say “I cannot verify.”

Step 3: Use npm-check-updates to fix AI-pinned old versions

The AI often hard-codes version numbers from its training snapshot. Sweep them in one pass:

npx npm-check-updates -u           # bump every package.json range to latest
npm install
npm test

If only minor / patch changes are needed, lock with ~; for major bumps, walk each changelog. Python equivalent: pip list --outdated + pip-review --auto.

Step 4: Common “AI-loves-but-stale” swap table

Direct replacements, so you don’t have to re-research every time:

AI often suggests (stale)Modern replacement (June 2026)Status note
requestnative fetch (Node 18+) / undicirequest deprecated since 2020
momentdate-fns v4 / dayjs / Temporalmoment in maintenance mode since 2020
node-fetchnative fetchglobal fetch stable in Node 18+
full lodashlodash-es cherry-pick / native EStree-shaking matters
uuid v3 API codecrypto.randomUUID() (Node 19+/LTS 20+/browser)uuid pkg still maintained at 14.x; only the v3 API code is stale
react-beautiful-dnd@dnd-kit/core, or @atlaskit/pragmatic-drag-and-drop, or fork @hello-pangea/dndrepo archived 2025-08-18, npm deprecated
enzyme@testing-library/reactenzyme unmaintained, no React 18/19 adapter
tslinteslint + @typescript-eslinttslint deprecated since 2019
node-sasssass (Dart Sass)node-sass deprecated
formikreact-hook-formformik unmaintained; maintainer points to RHF

Note on Temporal: the API reached TC39 Stage 4 in March 2026 and ships natively in Chrome 144+ and Firefox 139+ (behind a flag in Node v24), but broad runtime support is not there yet. For production today use date-fns or dayjs; reach for Temporal with a polyfill only if you specifically want the new standard.

Step 5: Write the “always check the registry” rule into the AI’s standing instructions

Add a hard rule to CLAUDE.md / .cursorrules / AGENTS.md:

Before recommending any third-party dependency you MUST:
- Check the last publish date on npm/PyPI (require ≤ 12 months)
- Check the deprecated field on the package
- If you have no network tools, explicitly tell the user "I cannot verify
  current status" instead of answering from training memory
- Prefer runtime built-ins (Node fetch, crypto.randomUUID, etc.)

How to confirm it’s fixed

After swapping or upgrading, verify rather than assume:

  1. npm view <new-pkg> deprecated returns nothing (not deprecated).
  2. npm ls <old-pkg> shows the old package is gone from the tree (no transitive copy still pulling it in).
  3. npm install runs with no deprecation warnings printed for that package.
  4. npm test (or your build) passes against the new API.
  5. npm audit --audit-level=high reports no high/critical advisories tied to the removed package.

FAQ

Why does the AI keep recommending the same dead library even after I correct it? Within a single chat it will usually take the correction, but a fresh session starts from training memory again. The durable fix is the standing-instruction rule in Step 5 (CLAUDE.md / .cursorrules / AGENTS.md), which is loaded into every session.

Is a package with no commits for a year automatically bad? No. Small, “finished” utilities (for example leftpad-style single-purpose libs) can be stable and complete. Treat 12-plus months as a prompt to check three things: an explicit deprecated flag, open security advisories (npm audit), and whether the capability is now a runtime built-in. Old plus deprecated plus replaceable is the bad combination, not age alone.

How do I know an AI actually checked npm instead of guessing? Ask it to include, for each candidate, the last release date and weekly download count, and to cite the npm URL. If those numbers are absent or obviously wrong against https://www.npmjs.com/package/<name>, it answered from memory. In Cursor, @Web forces a live lookup; in Claude Code, the web tools must be enabled in the session.

The uuid package is at v14 and maintained, so why is it in the swap table? The package is fine. The stale part is the v3-era code AIs often emit (const uuid = require('uuid'); uuid.v4()), which breaks against modern majors. For new code on Node 19+ / LTS 20+ you usually don’t need the dependency at all: crypto.randomUUID() is built in.

Does this only apply to npm? No. The same pattern hits PyPI (pip index versions <pkg>, check “Last release”), Cargo (cargo search, crates.io status), and Go modules. The triage idea is identical: confirm the latest version and maintenance status from the registry before trusting an AI’s recall.

Prevention

  • Run npm view <pkg> time.modified deprecated for every AI-suggested dependency before installing
  • In CLAUDE.md / .cursorrules, require “any dependency recommendation must include the last release date”
  • Add npm audit --audit-level=high and npx depcheck to CI to catch abandoned packages
  • Quarterly, run npx npm-check-updates -u plus the test suite to proactively retire old deps
  • Prefer runtime built-ins (native fetch, crypto.randomUUID, structuredClone); one less package is one less risk
  • Pin critical deps exactly (no ^) in package.json; let Renovate / Dependabot drive upgrades, not the AI freestyling

External references:

Tags: #AI coding #Debug #Troubleshooting