www.darkreading.com 3/26/2026, 3:00:09 PM · via preferred

AI-Powered Dependency Decisions Introduce, Ignore Security Bugs

New research from Sonatype finds that frontier AI models often generate faulty or fabricated recommendations for software dependencies, raising risks for organisations relying on AI for upgrades and patches. The study analysed 36,870 unique dependency upgrade recommendations across Maven Central, npm, PyPI and NuGet between June and August 2025, totalling 258,000 recommendations from seven AI models from Anthropic, OpenAI and Google.

It notes that GPT-5, highlighted in a February update as part of Sonatype’s 2026 State of the Software Supply Chain Report, frequently suggested versions, upgrade paths or security fixes that did not exist: nearly 28% of its recommended upgrades were hallucinations. Sonatype emphasised that the problem is not model scale but a lack of real-time ecosystem intelligence, meaning the model has no live dependency, vulnerability, compatibility or policy context on which to base a safe remediation decision.

Grounding AI with live intelligence reduced critical and high-risk findings by almost 70%, and experiments with GPT-5 Nano using a function-calling tool backed by Sonatype Guide’s version recommendation API showed further reductions in vulnerabilities.
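The failure mode described above (a model proposing a version, upgrade path or fix that does not exist) is the kind of thing a defender can catch mechanically before an upgrade is applied. The following is an added example, not code from Sonatype or from the report: it validates model-suggested upgrades against an index of versions that actually exist in a registry, and shows the grounded alternative, in which the version is chosen from registry data rather than trusted from the model. The `SAMPLE_INDEX` is a constructed stand-in for live registry data so the code runs offline; `fetch_pypi_versions` uses the real PyPI JSON endpoint (`https://pypi.org/pypi/<name>/json`) and needs network access; `recommend_grounded` is an assumed, simplified shape for the sort of version-recommendation tool a function-calling setup would call, not Sonatype Guide's API.

```python
"""Check AI-suggested dependency upgrades against real registry versions.

Added example: validates a model's suggested version before anyone acts on it,
and shows a grounded recommender that picks the version from registry data.
"""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample index standing in for live registry data (not real data).
SAMPLE_INDEX: Dict[Tuple[str, str], List[str]] = {
    ("pypi", "requests"): ["2.31.0", "2.32.0", "2.32.3"],
    ("npm", "lodash"): ["4.17.20", "4.17.21"],
}


@dataclass(frozen=True)
class Recommendation:
    """One upgrade suggestion as a model might emit it."""
    ecosystem: str
    package: str
    current: str
    suggested: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Lenient numeric parse: '2.32.3' -> (2, 32, 3); '1.0.0-beta' -> (1, 0, 0)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def check_recommendation(rec: Recommendation, index=SAMPLE_INDEX) -> str:
    """Classify a suggestion: ok, hallucinated_version, unknown_package or not_an_upgrade."""
    versions = index.get((rec.ecosystem, rec.package))
    if versions is None:
        # The package itself is not in the registry: never install on a model's say-so.
        return "unknown_package"
    if rec.suggested not in versions:
        # A version that was never published is the classic hallucination.
        return "hallucinated_version"
    if parse_version(rec.suggested) <= parse_version(rec.current):
        # Exists, but is a downgrade or a no-op rather than the upgrade claimed.
        return "not_an_upgrade"
    return "ok"


def hallucination_rate(recs: List[Recommendation], index=SAMPLE_INDEX) -> float:
    """Fraction of suggestions that point at a package or version that does not exist."""
    if not recs:
        return 0.0
    bad = sum(
        check_recommendation(r, index) in ("hallucinated_version", "unknown_package")
        for r in recs
    )
    return bad / len(recs)


def recommend_grounded(ecosystem: str, package: str, current: str,
                       index=SAMPLE_INDEX) -> Optional[str]:
    """Grounded alternative (assumed tool shape): pick the newest published version
    above the current one from registry data, or None if there is no upgrade."""
    candidates = [
        v for v in index.get((ecosystem, package), [])
        if parse_version(v) > parse_version(current)
    ]
    return max(candidates, key=parse_version) if candidates else None


def fetch_pypi_versions(name: str, timeout: float = 5.0) -> List[str]:
    """Live lookup via the real PyPI JSON API (network required; not used offline)."""
    url = f"https://pypi.org/pypi/{name}/json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = json.load(resp)
    return list(data["releases"].keys())


if __name__ == "__main__":
    sample = [  # constructed suggestions, including two that do not exist
        Recommendation("pypi", "requests", "2.31.0", "2.32.3"),
        Recommendation("pypi", "requests", "2.31.0", "2.33.0"),
        Recommendation("npm", "left-pad-ultra", "1.0.0", "1.0.1"),
        Recommendation("npm", "lodash", "4.17.21", "4.17.20"),
    ]
    for r in sample:
        print(r.package, r.suggested, "->", check_recommendation(r))
    print("hallucination rate:", hallucination_rate(sample))
    print("grounded:", recommend_grounded("pypi", "requests", "2.31.0"))
```

In a CI gate, the check runs on the model's output before any manifest is edited: anything other than `ok` blocks the change, and the grounded recommender (fed by a live lookup such as `fetch_pypi_versions`) supplies the version instead of the model's guess. Vulnerability and compatibility context would be added the same way, as further registry-backed lookups rather than model recall.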


Article by CyberSIXT