You asked Claude or Cursor for a library recommendation, it confidently suggested something like moment or node-sass, you installed it, and now your build is throwing deprecation warnings. Sound familiar? You're not alone — this is the default failure mode of AI-assisted dependency work.
Why AI Agents Keep Recommending Dead Packages
An LLM's package knowledge is frozen at its training cutoff, typically 6 to 18 months stale by the time you're using it. In that window, a library gets deprecated, hands off maintenance, archives on GitHub, or picks up a critical CVE — and the model has no way to know. A newer or bigger model doesn't fix this; it just moves the stale cutoff forward a few months. According to Sonatype's 2026 analysis, LLM dependency-upgrade hallucination rates hit around 27% across tens of thousands of enterprise upgrades. The only real fix is a live lookup at recommendation time — not after your build breaks in CI.
The Dead Package Tables You Need
One developer (going by freshdepsdev on DEV.to) built FreshDeps to solve exactly this problem. It starts with hand-verified tables of the packages AI agents recommend most often that are actually dead, deprecated, or archived — no inferred or AI-guessed replacements. On the npm side, some of the biggest offenders include request (fully deprecated since 2020), moment (in maintenance mode), node-sass (replaced by Dart Sass), colors (sabotaged in 2022), and faker (also sabotaged). The table also covers react-scripts, enzyme, protractor, karma, tslint, and a dozen others — each with the exact replacement package and the one-line change needed to migrate. For Python developers, the PyPI equivalents include nose and nose2 (both dead), pycrypto (unpatched CVEs from 2014), mysql-python (Python 2 only), sklearn (now errors on install — you need scikit-learn), and flask-restful (dormant). The tables also cover renamed packages like jade → pug, coffee-script → coffeescript, and pep8 → pycodestyle.
Live MCP Server for Real-Time Package Checks
Reading a table after the build breaks is the slow path. The fast path is having your agent check package freshness before it recommends anything. FreshDeps exposes both a JSON API and an MCP server you can drop into Claude Desktop, Cursor, or any other MCP-compatible client. The free JSON API requires no account: GET https://freshdeps.vercel.app/api/verdict?ecosystem=npm&package=node-sass returns live verdicts from npm/PyPI registry + GitHub API + OSV.dev. For agent integration, add this to your MCP client config — no key, no signup required: {"mcpServers":{"freshdeps":{"command":"npx","args":["-y","github:SolvoHQ/freshdeps-mcp"]}}}
How to Actually Use This in Your Workflow
The real power comes from project rules that enforce the check. Something like "before recommending or adding any npm/PyPI dependency, call check_dependency_freshness and don't recommend anything that comes back abandoned." With that rule active, this table stops being something you ever need to open manually.
Key Takeaways
- AI coding assistants hallucinate dead package recommendations roughly 27% of the time in enterprise environments — this is not an edge case
- The fix isn't better prompts; it's live registry checks at recommendation time
- FreshDeps provides free MCP and JSON API access to a hand-verified corpus of deprecated packages for both npm and PyPI
- Currently covers npm + PyPI only; JavaScript ecosystem devs get the most value first