Dependency risk: the package the AI invented
Modern apps lean on dozens of third-party packages, and the AI suggests them freely. Two risks ride along.
First, typosquatting and hallucinated packages. Attackers publish malicious packages with names a hair off the real ones (reqeusts instead of requests), betting on a typo. The AI sometimes confidently imports a that doesn't exist — and an attacker who notices that habit can register that exact name with malware inside. Before installing anything the AI suggests, glance at it: does it actually exist, does it have real download numbers and a repo, is the name spelled the way you'd expect?
Second, unvetted dependencies in general. Every package you add is code running with your app's full access. More dependencies means more surface area for both bugs and supply-chain attacks. Prefer fewer, well-known libraries over a long tail of obscure ones, and ask "do we actually need a package for this, or is it ten lines?" before adding one.
Run your ecosystem's audit tool periodically (npm audit, pip-audit, and friends) — it flags known vulnerabilities in what you've already installed, and the AI is good at fixing what it reports.