Rosa Del Mar

Daily Brief

Issue 40 2026-02-09

Legacy Web Dependencies And Platform-Level Dependency Management

Issue 40 Edition 2026-02-09 8 min read
Not accepted General
Sources: 1 • Confidence: Low • Updated: 2026-02-09 16:45

Key takeaways

  • Lea Verou contends that incremental improvements will not fix web dependency management and calls for a radical solution involving browser vendors, standards groups, and developers.
  • Some people are developing parasocial relationships with their AIs, becoming heavily addicted, and forming communities that reinforce unhealthy behavior.
  • AI coding agents may recommend compromised or vulnerable dependencies because their recommendations can come from stale training data that lags vulnerability disclosures.
  • Dan Abramov describes the AT Protocol as effectively functioning like a 'social file system' rather than a hypothetical idea.
  • Ethan McQ claims a set of Postgres practices has been 'life altering' for him and coworkers, including UUID primary keys, timestamps, restrict-on-delete, schemas, enum tables, soft deletes, status logs, system IDs, and sparing use of views and JSON queries.

Sections

Legacy Web Dependencies And Platform-Level Dependency Management

  • Lea Verou contends that incremental improvements will not fix web dependency management and calls for a radical solution involving browser vendors, standards groups, and developers.
  • jQuery 4.0 was released as a new major version after nearly 10 years without a major release.
  • jQuery still runs on about 71% of all websites.
  • Lea Verou argues that the web platform has a dependency management problem because it outsources fundamental dependency functionality to third-party tooling, creating unnecessary trade-offs in code reuse.

AI Agents Changing Developer Behavior And Open-Source Maintainer Load

  • Some people are developing parasocial relationships with their AIs, becoming heavily addicted, and forming communities that reinforce unhealthy behavior.
  • AI coding agents can drive addictive usage patterns where developers barely sleep and feel highly productive until human collaboration reveals quality or social costs.
  • Maintainers are seeing a massive degradation in the quality of issue reports and pull requests, with many PRs feeling like an insult to reviewers' time.
  • When maintainers push back on low-quality contributions, some contributors become agitated because they do not perceive what they did wrong and believe they helped.

AI-Assisted Dependency Supply-Chain Risk And A Proposed Mitigation Path

  • AI coding agents may recommend compromised or vulnerable dependencies because their recommendations can come from stale training data that lags vulnerability disclosures.
  • Sonatype Guide is presented as an MCP server that integrates with AI coding assistants to provide dependency recommendations based on live component intelligence rather than frozen training data.

Interoperability Via File-Paradigm Applied To Social Protocols

  • Dan Abramov describes the AT Protocol as effectively functioning like a 'social file system' rather than a hypothetical idea.
  • Dan Abramov argues that file formats enable many-to-many interoperability between apps because apps can work together without knowing about each other.

Prescriptive Postgres Schema And Data-Lifecycle Conventions

  • Ethan McQ claims a set of Postgres practices has been 'life altering' for him and coworkers, including UUID primary keys, timestamps, restrict-on-delete, schemas, enum tables, soft deletes, status logs, system IDs, and sparing use of views and JSON queries.
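The conventions listed above, shown together in one schema as an added example (it is not Ethan McQ's code and the brief contains no schema of its own). It assumes PostgreSQL 13 or later, where gen_random_uuid() is built in; the schema, table and column names and the sample rows are constructed for illustration.

```sql
-- Added example, not from the original post. Assumes PostgreSQL 13+.
-- One schema per bounded area instead of everything in public.
CREATE SCHEMA billing;

-- Enum table instead of a native ENUM type: values can be added, retired
-- or described with ordinary DML, and the FK still rejects unknown codes.
CREATE TABLE billing.invoice_status (
    code        text PRIMARY KEY,
    description text NOT NULL,
    is_terminal boolean NOT NULL DEFAULT false
);
INSERT INTO billing.invoice_status (code, description, is_terminal) VALUES
    ('draft',  'Not yet issued',           false),
    ('issued', 'Sent to customer',         false),
    ('paid',   'Settled in full',          true),
    ('void',   'Cancelled before payment', true);

CREATE TABLE billing.customer (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(), -- UUID primary key
    system_id   text NOT NULL UNIQUE,     -- stable human-readable id, e.g. 'CUST-000123' (constructed)
    name        text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now(),
    updated_at  timestamptz NOT NULL DEFAULT now(),
    deleted_at  timestamptz               -- soft delete: NULL means the row is live
);

CREATE TABLE billing.invoice (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    system_id    text NOT NULL UNIQUE,
    -- restrict-on-delete: a customer with invoices cannot be hard-deleted by accident
    customer_id  uuid NOT NULL REFERENCES billing.customer (id) ON DELETE RESTRICT,
    status       text NOT NULL REFERENCES billing.invoice_status (code) ON DELETE RESTRICT,
    amount_cents bigint NOT NULL CHECK (amount_cents >= 0),
    created_at   timestamptz NOT NULL DEFAULT now(),
    updated_at   timestamptz NOT NULL DEFAULT now(),
    deleted_at   timestamptz
);

-- Append-only status log: the current status lives on the invoice row,
-- every transition (who, when, from, to) lives here and is never updated.
CREATE TABLE billing.invoice_status_log (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    invoice_id  uuid NOT NULL REFERENCES billing.invoice (id) ON DELETE RESTRICT,
    from_status text REFERENCES billing.invoice_status (code),
    to_status   text NOT NULL REFERENCES billing.invoice_status (code),
    changed_by  text NOT NULL,
    changed_at  timestamptz NOT NULL DEFAULT now()
);

-- Trigger keeps updated_at honest and records each status change in the log.
CREATE OR REPLACE FUNCTION billing.invoice_track_changes() RETURNS trigger AS $$
BEGIN
    NEW.updated_at := now();
    IF NEW.status IS DISTINCT FROM OLD.status THEN
        INSERT INTO billing.invoice_status_log (invoice_id, from_status, to_status, changed_by)
        VALUES (NEW.id, OLD.status, NEW.status, current_user);
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER invoice_track_changes
    BEFORE UPDATE ON billing.invoice
    FOR EACH ROW EXECUTE FUNCTION billing.invoice_track_changes();

-- The one view worth having: readers see live rows only, without repeating
-- the deleted_at predicate in every query.
CREATE VIEW billing.live_invoice AS
    SELECT * FROM billing.invoice WHERE deleted_at IS NULL;

-- Constructed sample data and a status transition that the trigger logs.
INSERT INTO billing.customer (system_id, name) VALUES ('CUST-000123', 'Example Co');
INSERT INTO billing.invoice (system_id, customer_id, status, amount_cents)
    SELECT 'INV-000001', id, 'draft', 12500 FROM billing.customer WHERE system_id = 'CUST-000123';
UPDATE billing.invoice SET status = 'issued' WHERE system_id = 'INV-000001';

-- Soft delete instead of DELETE: a plain DELETE of the customer would fail
-- under ON DELETE RESTRICT while the invoice exists, and the history stays intact.
UPDATE billing.customer SET deleted_at = now() WHERE system_id = 'CUST-000123';
```

The status log is deliberately reachable only through inserts from the trigger and ordinary reads, so a later "why is this invoice void?" question is answered from the log rather than from application memory; the restrict-on-delete foreign keys make the soft-delete column the only practical way to retire a row, which is what keeps the audit trail from silently losing its parents.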

Watchlist

  • Some people are developing parasocial relationships with their AIs, becoming heavily addicted, and forming communities that reinforce unhealthy behavior.

Unknowns

  • What is the source and current validity of the claim that jQuery runs on about 71% of websites, and how is 'runs on' defined?
  • What breaking changes or migration costs (if any) does jQuery 4.0 introduce for common production setups?
  • Across representative open-source repositories, how have PR/issue quality metrics changed over time, and what fraction of low-quality submissions are AI-generated or AI-assisted?
  • How common are the described AI-agent-driven addictive usage patterns, and what organizational conditions (role, incentives, review rigor) correlate with them?
  • What is the observed rate at which AI coding agents recommend dependencies that are later found vulnerable, and how often is stale training data the cause versus other factors?

Investor overlay

Read-throughs

  • Platform-level web dependency management could become a standards and browser priority, potentially reducing reliance on legacy libraries and altering tooling ecosystems. Read-through to browser vendors, standards bodies, and dependency tooling vendors, but the summary provides no concrete proposal or alignment evidence.
  • AI agent use may increase open-source maintainer load and degrade contribution quality, potentially shifting budgets toward code review automation, governance tooling, and enterprise controls for AI-assisted development. The summary offers plausible metrics but no prevalence data.
  • AI coding agents may elevate software supply-chain risk by recommending vulnerable dependencies due to stale training data, supporting demand for real-time component intelligence integrated into developer workflows. The mitigation concept is described, but validation, error rates, and costs are unknown.

What would confirm

  • Public movement by browser vendors or standards groups toward a native web dependency mechanism, such as drafts, prototypes, or cross-vendor commitments, plus developer tooling alignment and timelines.
  • Repository-level data showing worsening PR acceptance rate, higher rework, longer time to close, or increased maintainer conflict correlated with AI-assisted submissions across representative projects.
  • Measured instances where AI agents recommend dependencies later found vulnerable, with attribution to training data staleness, plus adoption of live component intelligence services and integration into common agent frameworks.

What would kill

  • Standards and browser stakeholders explicitly reject or deprioritize platform-level dependency management, and developers continue to rely on tooling-based dependency workflows without major friction signals.
  • Large-scale analyses show no material change in PR and issue quality metrics over time or no meaningful correlation with AI assistance, reducing the case for new governance and review tooling demand.
  • Empirical testing shows agent-recommended dependency vulnerability rates are low or mainly driven by factors other than stale data, and live component intelligence integrations fail to improve outcomes or are too costly to adopt.

Sources