A study has found that leaving software dependency-related decisions to AI models can be risky.
In software development, a dependency refers to using external libraries or packages required for a program to run.
Dark Reading reported on March 26 that DevSecOps company Sonatype analysed 36,870 dependency upgrade recommendations generated from June to August 2025 across four package repositories: Maven Central, npm, PyPI and NuGet. It also reviewed a total of 258,000 recommendations produced by seven AI models from Anthropic, OpenAI and Google.
In the first study, announced by Sonatype in February, nearly 28 percent of the dependency upgrades recommended by OpenAI GPT-5 were confirmed as hallucinations: they suggested versions or upgrade paths that do not exist.
In a second study released this week, Sonatype analysed the latest models with enhanced reasoning capabilities. The models evaluated were GPT-5.2, Anthropic Claude Sonnet 3.7 and 4.5, Claude Opus 4.6, and Google Gemini 2.5 Pro and 3 Pro. They improved on earlier models, but hallucinations and erroneous recommendations still occurred in a significant number of cases.
Sonatype pointed out that "these errors waste AI spending, waste developer time, leave vulnerabilities unaddressed, and create technical debt before code reaches production."
The problem is not model reasoning capability but the lack of real-time data. Sonatype said, "AI models do not have the real-time dependency, vulnerability, compatibility and corporate policy information needed to make safe patch decisions." Sonatype co-founder and Chief Technology Officer Brian Fox said, "The most dangerous case is not when the model gives an obviously wrong answer, but when it gives an answer that looks plausible yet carries risk and misses a better upgrade path."
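The practical mitigation that follows from Fox's point is to treat a model's upgrade suggestion as untrusted input and verify it against the registry before it is applied. The following is an added example, not Sonatype's tooling or code from the report: a small pre-merge gate that checks whether the recommended version was actually published, whether it was yanked, whether it is really an upgrade, and whether a newer usable version exists (the "better upgrade path" the model may have missed). The registry snapshot, package names and versions are constructed stand-ins for a live index query.

```python
"""Gate an AI model's dependency-upgrade recommendation against registry data.

Added example (not Sonatype's code). REGISTRY is a constructed stand-in for
a live package index; a real gate would query the registry at decision time.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed snapshot: package -> {version: yanked?}. Hypothetical packages.
REGISTRY = {
    "example-http": {"2.31.0": False, "2.32.0": True, "2.32.3": False},
    "example-utils": {"4.17.20": False, "4.17.21": False, "4.17.22": False},
}


def parse_version(v: str) -> tuple:
    """Order plain dotted numeric versions; reject anything else loudly."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Verdict:
    # "ok", "hallucinated", "yanked", "not_upgrade" or "unknown_package"
    status: str
    # Newest non-yanked published version when it differs from the
    # recommendation (the path to propose instead); None otherwise.
    better: Optional[str]


def check_recommendation(package: str, current: str, recommended: str,
                         registry: dict = REGISTRY) -> Verdict:
    versions = registry.get(package)
    if versions is None:
        return Verdict("unknown_package", None)
    newest = max((v for v, yanked in versions.items() if not yanked),
                 key=parse_version, default=None)
    if recommended not in versions:
        return Verdict("hallucinated", newest)   # version was never published
    if versions[recommended]:
        return Verdict("yanked", newest)         # published but withdrawn
    if parse_version(recommended) <= parse_version(current):
        return Verdict("not_upgrade", newest)    # sideways or downgrade
    return Verdict("ok", newest if newest != recommended else None)
```

Any verdict other than `ok` with `better is None` should block the automated change and route it to a human, with `better` carrying the registry-confirmed alternative.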