Dependency analytics 1.0: AI coding with supply chain security

crashpn1 pts0 comments

Dependency analytics 1.0: AI coding with supply chain security | Red Hat Developer

Skip to main content

Search

Search

All Red Hat

Dependency analytics 1.0: AI coding with supply chain security

The code writes itself. The vulnerabilities do, too.

July 7, 2026

Petr Toman

Related topics:<br>Artificial intelligenceDeveloper toolsSecure coding

Related products:<br>Red Hat Advanced Developer Suite

Table of contents:

We're living in the golden age of vibe coding. Developers describe what they want in plain English, and AI agents—Claude Code, GitHub Copilot, Cursor—generate entire features in seconds. Productivity has never been higher. Developers using AI assistants produce commits at three to four times the rate of their peers.<br>But there's a catch nobody talks about at the standup. Those same AI-assisted developers introduce security findings at 10 times the rate. 45% of AI-generated code contains security flaws. 62% contain design flaws or vulnerabilities. And the problem isn't just the code itself—it's the dependencies the AI pulls in without a second thought.<br>When you ask an AI to "add JWT authentication to this Express app," it doesn't just write code. It picks packages. It chooses versions. And 58% of developers trust those outputs without testing.<br>That's where dependency analytics comes in.<br>What is the dependency analytics tool?<br>Dependency analytics is a free, open source extension for editors like VS Code, Cursor, and Windsurf extension. Now at its 1.0 release, it scans your project's dependencies for known security vulnerabilities in real time as you write code. No context switching. No separate security tool to remember to run. It just shows up, right in your editor, the moment you open a manifest file.<br>It supports the ecosystems developers actually use:<br>JavaScript/TypeScript: package.json (npm, pnpm, Yarn)<br>Python: requirements.txt, pyproject.toml (pip, Poetry, UV)<br>Java: pom.xml, build.gradle (Maven, Gradle)<br>Go: go.mod<br>Rust: Cargo.toml<br>Docker: Dockerfile image scanning<br>With more than three million installs, it's already one of the most widely adopted supply chain security tools in the VS Code ecosystem.<br>The problem: AI agents don't think about supply chain security<br>AI models learn from code that was written months or years ago. When they pick a dependency, they choose the version they saw most often during training—not the most current or most secure one. They're trained on patterns, not common vulnerabilities and exposures (CVE) databases.<br>Let's walk through three scenarios.<br>Scenario 1: The stale version from training data<br>You're building a Python microservice. You tell your AI coding agent:<br>Add a function that parses uploaded CSV files and validates email addresses in the second column.The agent generates clean, working code. It adds pandas==1.3.0 and email-validator==1.1.1 to your requirements.txt. Tests pass. The pull request (PR) looks good.<br>But pandas 1.3.0 has CVE-2023-39500, a path traversal vulnerability. And email-validator 1.1.1 has a known ReDoS vulnerability that can be exploited with a crafted email string—exactly the kind of input your function accepts.<br>With dependency analytics installed, the moment you open requirements.txt, both dependencies are underlined in red. Hover over pandas==1.3.0 and you see:<br>Known security vulnerabilities: 3 | Highest severity: HIGHRight-click, select Quick Fix , and the extension offers a recommended version that resolves the vulnerability. One click. Fixed before your code ever leaves your machine.<br>The same applies across ecosystems. Ask an AI to add JWT auth to a Node.js application and it might pick jsonwebtoken@8.5.1—a version with CVE-2022-23529, a critical flaw that lets attackers forge tokens. Dependency analytics catches it the moment it lands in your package.json.<br>Scenario 2: The transitive vulnerability<br>You add express@4.17.1 to your Node.js project. Express itself looks fine. But it pulls in qs@6.5.2, which has a prototype pollution vulnerability (CVE-2022-24999). You'd never see this by reading your own code.<br>Dependency analytics generates a full vulnerability report—including transitive dependencies—accessible from the pie-chart icon in your editor. One click shows you the complete dependency tree and every known CVE hiding in it.<br>Scenario 3: The license landmine<br>Your AI agent adds a GPL-3.0 licensed package to your Apache-2.0 project. Legally, that's a problem. Dependency analytics' license compatibility checking detects mismatches between your project's license and your dependencies' licenses, flagging restrictive licenses before they become a legal headache.<br>How it fits into vibe coding and agentic workflows<br>The beauty of the dependency analytics tool is that it works at the same speed as AI-generated code. There's no separate step. No "remember to run the security scan." The extension operates as a passive guardrail—always on, always scanning.<br>Here's what the workflow looks like in practice:<br>Your AI agent generates code and modifies...

code dependency analytics security coding vulnerability

Related Articles