We're living in the golden age of vibe coding. Developers describe what they want in plain English, and AI agents—Claude Code, GitHub Copilot, Cursor—generate entire features in seconds. Productivity has never been higher. Developers using AI assistants produce commits at three to four times the rate of their peers.
But there's a catch nobody talks about at the standup. Those same AI-assisted developers introduce security findings at 10 times the rate. 45% of AI-generated code contains security flaws. 62% contain design flaws or vulnerabilities. And the problem isn't just the code itself—it's the dependencies the AI pulls in without a second thought.
When you ask an AI to "add JWT authentication to this Express app," it doesn't just write code. It picks packages. It chooses versions. And 58% of developers trust those outputs without testing.
That's where dependency analytics comes in.
What is the dependency analytics tool?
Dependency analytics is a free, open source extension for editors like VS Code, Cursor, and Windsurf extension. Now at its 1.0 release, it scans your project's dependencies for known security vulnerabilities in real time as you write code. No context switching. No separate security tool to remember to run. It just shows up, right in your editor, the moment you open a manifest file.
It supports the ecosystems developers actually use:
- JavaScript/TypeScript:
package.json(npm, pnpm, Yarn) - Python:
requirements.txt,pyproject.toml(pip, Poetry, UV) - Java:
pom.xml,build.gradle(Maven, Gradle) - Go:
go.mod - Rust:
Cargo.toml - Docker: Dockerfile image scanning
With more than three million installs, it's already one of the most widely adopted supply chain security tools in the VS Code ecosystem.
The problem: AI agents don't think about supply chain security
AI models learn from code that was written months or years ago. When they pick a dependency, they choose the version they saw most often during training—not the most current or most secure one. They're trained on patterns, not common vulnerabilities and exposures (CVE) databases.
Let's walk through three scenarios.
Scenario 1: The stale version from training data
You're building a Python microservice. You tell your AI coding agent:
Add a function that parses uploaded CSV files and validates email addresses in the second column.The agent generates clean, working code. It adds pandas==1.3.0 and email-validator==1.1.1 to your requirements.txt. Tests pass. The pull request (PR) looks good.
But pandas 1.3.0 has CVE-2023-39500, a path traversal vulnerability. And email-validator 1.1.1 has a known ReDoS vulnerability that can be exploited with a crafted email string—exactly the kind of input your function accepts.
With dependency analytics installed, the moment you open requirements.txt, both dependencies are underlined in red. Hover over pandas==1.3.0 and you see:
Known security vulnerabilities: 3 | Highest severity: HIGHRight-click, select Quick Fix, and the extension offers a recommended version that resolves the vulnerability. One click. Fixed before your code ever leaves your machine.
The same applies across ecosystems. Ask an AI to add JWT auth to a Node.js application and it might pick jsonwebtoken@8.5.1—a version with CVE-2022-23529, a critical flaw that lets attackers forge tokens. Dependency analytics catches it the moment it lands in your package.json.
Scenario 2: The transitive vulnerability
You add express@4.17.1 to your Node.js project. Express itself looks fine. But it pulls in qs@6.5.2, which has a prototype pollution vulnerability (CVE-2022-24999). You'd never see this by reading your own code.
Dependency analytics generates a full vulnerability report—including transitive dependencies—accessible from the pie-chart icon in your editor. One click shows you the complete dependency tree and every known CVE hiding in it.
Scenario 3: The license landmine
Your AI agent adds a GPL-3.0 licensed package to your Apache-2.0 project. Legally, that's a problem. Dependency analytics' license compatibility checking detects mismatches between your project's license and your dependencies' licenses, flagging restrictive licenses before they become a legal headache.
How it fits into vibe coding and agentic workflows
The beauty of the dependency analytics tool is that it works at the same speed as AI-generated code. There's no separate step. No "remember to run the security scan." The extension operates as a passive guardrail—always on, always scanning.
Here's what the workflow looks like in practice:
- Your AI agent generates code and modifies
package.json,requirements.txt, orpom.xml. - You open the manifest file (or it's already open)—the scan triggers automatically.
- Vulnerable dependencies light up red with inline diagnostics.
- You hover to see the vulnerability count and severity.
- You select Quick Fix to jump to a safe, Red Hat-recommended version.
- You generate a software bill of materials (SBOM) with the
RHDA: Generate SBOMcommand for your compliance pipeline.
This takes seconds. It happens before git add. Before the PR. Before the code review. Before production.
For teams using monorepos, the batch workspace analysis feature scans every package in your JavaScript/TypeScript monorepo or Cargo workspace in parallel—so even large codebases get coverage without manual effort.
Beyond scanning: SBOM generation and Docker security
Dependency analytics 1.0 operates as a supply chain security toolkit rather than a simple scanner. The tool features CycloneDX SBOM generation to produce a standards-compliant software bill of materials from any supported manifest, preparing your project for compliance audits and regulatory requirements. It also includes Dockerfile scanning to analyze container base images for known vulnerabilities, providing direct links to Red Hat's Ecosystem Catalog for hardened alternatives. Additinoally, you can use selective exclusion to mark specific dependencies to skip with exhortignore comments, while development or test dependencies are automatically excluded from analysis.
Getting started in 60 seconds
- Open VS Code.
- Search for "Red Hat Dependency Analytics" in the Extensions Marketplace.
- Select Install.
- Open any supported manifest file in your project.
That's it. No configuration required. No accounts to create. No tokens to manage.
For advanced setups (including custom backend URLs, proxy configuration, Python virtual environments, Maven/Gradle wrapper preferences), check the extension documentation.
The bottom line
AI coding tools are here to stay. 42% of all code is now AI-generated or AI-assisted, and that number is only going up. The productivity gains are real. But so are the risks.
The answer isn't to stop using AI. It's to add guardrails that work at AI speed.
Dependency analytics 1.0 is that guardrail. It sits in the one place every developer already looks—the editor—and helps catch the vulnerabilities that AI tools introduce before they ever reach production.
Install it now and let your AI agent vibe. Safely.
Dependency analytics is open source under the Apache 2.0 license. Report issues or contribute at github.com/fabric8-analytics/fabric8-analytics-vscode-extension.