#✅ - Dangerous deprecated code in env setup

This is my first Kiro project. I'm a competent dev.

Using Kiro with Claude Sonnet 4.0 and Autopilot=on, on Windows. Running this task:

[-] 1. Set up project foundation and core infrastructure
  - Initialize Node.js/TypeScript project with proper folder structure
  - Configure database connection (PostgreSQL) with connection pooling
  - Set up basic Express.js server with middleware for CORS, JSON parsing, and error handling
  - Create environment configuration management for development and production
  - _Requirements: All requirements depend on this foundation_

Output shows deprecated warnings (edited format for brevity)

npm install
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not us
e it. Check out lru-cache if you want a good and tested way to coalesce async requests by a k
ey value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
        deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
        deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
        deprecated [email protected]: Please upgrade to supertest v7.1.3+, see release notes ...
        deprecated [email protected]: Glob versions prior to v9 are no longer supported
        deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
        deprecated [email protected]: Please upgrade to superagent v10.2.2+, see release notes ...
        deprecated [email protected]: This version is no longer supported. Please see ...

Questions

1. How should I solve the deprecated package issue? Do I need to give some extra prompt to Kiro?

2. Why didn't Kiro spot this. There's a whole security concern attached to this - old software is often an attack vector so including anything that is deprecated should be an immediate red flag.

I recommend using context7 mcp to get updated code documentations for your project.

You mean this https://github.com/upstash/context7 ?

And thanks btw!

Hmmmm. Context7's github page has this as the first line in the disclaimer:

Context7 projects are community-contributed and while we strive to maintain high quality, we cannot guarantee the accuracy, completeness, or security of all library documentation.

It feels like there's an inference of a serious vulnerability in that statement.

Context7 is doing a great job, but without vouching for the security of its directives that leaves the field open for a black hat to drop in a hint to use a know-compromised package.

That's where you come in. AI generated codes still needs human review.

@paper idol Sure. I'm a capable dev. I'm here to see what it can do and I'm looking forward to AI doing the dull parts of the job. I'm not knocking it and I want it to succeed. However, Kiro's opening headline is 'The AI IDE for prototype to production'. If it's using vulnerable code then there' a problem.

Not only is dependency handling a painful drudge but it leaves the app wide open for attack.

Oh and plus if I try to fix the versions myself I don't know if the code Kiro made uses deprecated syntax.

You can also add context URLs to the file alongside with MCP servers. In the chat if you write # you can see all the options that you could use to improve the output.

Thanks @sleek bluff. I don't wish to sound disrespectful for your help but my feeling is that Kiro should spot this issue and act to avoid leaving a vulnerability. I know I can jump in and help, but that should not be the expectation.

I have noted the # feature for later investigation.

Maybe there is a 'steering' solution? Some way to tell Kiro to avoid deprecated packages in the scaffolding.

i got the same error with another ide - using Claude Sonnet 4.0

No worries at all. Your feedback is very valuable. 🙂 The generated code from the IDEs are generally around what they are trained on. However, here is a way to fix it. You can create a Agent Hook and tell it to check for warnings and vulnerabilities in the code after each iteration.

Yeah I just read about hooks. I'll look into that but would a novice bother? Won't the newbies come to these Ai IDE's with a mindset like 'I hear these Ai coding tools are amazing - I see those messages about something being deprecated but I'll assume thats all OK because the Ai must be right, and I don't know / don't have the time to learn about the problem.' It feels like maybe the genie is coming out of the bottle too soon.

And i've had similar experiences with Windsurf and Replit.

I think that is a problem with overall Large Language Models. They have to have cutoff dates to serve you better and faster. The (novice or non-programmer) people are building what they need because they do care about the result and that is okay.

There are solutions to alter the results by using MCP or creating RAG systems. But you are right, if you don't know what you are doing, you might not only see hallucinations but also some problematic parts. That is why in my personal opinion as Salih and not someone else or as AWS employee is a programmer is always going to be needed to deliver higher quality software. These tools are making us incredibly faster and we are in the verge of something incredible with tools like Kiro.

I share your personal opinion.

This has nothing to do with Kiro, it's a sonnet 4 problem

Just prompt it to use context7 heavily or add this to your steering docs

If you have Gemini Pro you can also ask gemini to conduct researchs and feed them to sonnet

@main marten I take your point but I think that's dodging some responsibility. And I think you are missing my point. Like if I have to intervene and the intervention will go stale and I'll have to do it again, or the intervention is itself vulnerable (read the disclaimer about context7 being community curated) then I'll have to intervene again periodically. And that erodes the benefit. Like if I can't trust the output of the process then why will I adopt it?

I think we should keep in mind that, this is a tool and we are the driver. But like @main marten said, it is unrelated to Kiro. It is a fundamental question for AI driven programming. We are not dodging this but what AI generates is not 100% reliable. We see the similar problems about it every day 🙂

I don't think you turn on your car and trust it to lead you where you want, same thing with Kiro you still need to drive and check the destination, it's the same with every tool actually. There's a reason why any package manager will mention the deprecated packages each time if you don't fix it, errors are meant to be fixed.

I am with you both, truly. For a tool to be adopted it has to reduce work effort or improve work product. That's not happening (yet).

Kiro isn't a replacement for humans, it's a coding assistant on steroids that's instructed and that needs instructions, actually no human intervention would be needed if you prompted it to check for these issues by itself.

The car metaphor is a bit off. If you sell me a self-driving car I'd expect to be able to trust it.

"if you prompted it to check for these issues by itself." What should the prompt be?

Well it does reduce work effort and improve work product by far, used correctly you'll get a very good quality of code with much less time.

@main marten Your enthusiasm is infectious 😉

You are sold an assistant, not a dev or a team of devs. I'm looking for the day we get fully autonomous assistants though.

I think this is a conversation for off-topic as it is more about AI programming than the help.

For the original question, I think you should rely on the Agent Hooks to make sure it checks these

"Make sure to use up-to-date technologies, always check documentation using context7" should be enough

Also Agent Hooks are generated through your prompts, so with this prompt, it will iterate it immediately.

I'll look at that in a sec.

(btw I love the conversation but my point was just for others checking this thread and seeing tens of messages)

Just for completeness I asked Kiro 'Can you give me three major risks of using deprecated packages?' and it said

Here are three major risks of using deprecated packages:

1. Security Vulnerabilities
Deprecated packages no longer receive security patches. As new vulnerabilities are discovered, they remain unpatched, leaving your application exposed to potential attacks. This is especially critical for packages that handle authentication, data processing, or network communications.

2. Memory Leaks and Performance Issues
As we saw with the inflight package warning, deprecated packages may have known performance problems like memory leaks that won't be fixed. These issues can cause your application to consume increasing amounts of memory over time, leading to crashes or degraded performance in production.

3. Breaking Changes in Dependencies
When other packages you depend on update to remove support for deprecated dependencies, your build can suddenly break. This creates a cascade effect where you're forced to update multiple packages at once, potentially requiring significant code changes to maintain compatibility.

The deprecation warnings we saw are actually helpful early warnings - they give us time to migrate to supported alternatives before these issues become critical problems in production.

So it (or Sonnet if you prefer) has a sensible answer.

I like the conversation too and it makes sense to me, but I'd never trust the result of an AI completely is my opinion, especially since they are not deterministic models by design.

I'm certainly not flying on an airliner that has fly-by-wire code written by Ai.

You'd get the same answer from any LLM but still it doesn't mean it'll check, funny enough if AIs can think then Sonnet 4 actually "thinks" it's using the best techs since it's technically the last versions it knows about, does it mean it's right? No, but it still needs to be corrected. If AIs are designed to mimic humans, then making errors has to be expected.

Moving toward a close of the conversation, I think the cause of the issue is the reliance on coding materials from the web, as has been said. Garbage in -> garbage out, simply because the sampled code was 'old'. It could be a day old and rely on a package that got deprecated an hour ago and we'll see node throwing out the message, so the occurance is totally unavoidable. The fix must involve some additional step / steering / hook in the npm -install step that manages the issue in a transparent and auditable way.
I'll look into hooks.

Great chat.

If I find a solution I'll write a blog post and retire on the advertising revenue 😉

Happy to chat with you all. Maybe an off-topic forum would be cool 😄 I will tell this to team.

✅ - Dangerous deprecated code in env setup

Answer by awsalih has been selected

Selected the hooks for people with similar problems.

1. Set up project foundation and core infrastructure
   Initialize Node.js/TypeScript project with proper folder structure, updating or replacing the following deprecated packages:
   inflight: Replace with a modern equivalent for handling asynchronous requests like lru-cache.
   @humanwhocodes/config-array: Replace with @eslint/config-array.
   rimraf: Update to a version that is actively supported (v4 or later).
   supertest: Upgrade to a more recent version (v7.1.3 or later).
   glob: Update to a supported version (v9 or later).
   @humanwhocodes/object-schema: Replace with @eslint/object-schema.
   superagent: Upgrade to a newer version (v10.2.2 or later).
   eslint: Update to a supported version (v9.0.0 or later).
   Configure database connection (PostgreSQL) with connection pooling.
   Set up basic Express.js server with middleware for CORS, JSON parsing, and error handling.
   Create environment configuration management for development and production.
   Requirements: All requirements depend on this foundation.

Where is that from?

gemini 2.5 pro

Did you post that as an instruction for me to carry out? Or did you ask gemini how to fix the issues and that's what it says? Interested to know.

How should I solve the deprecated package issue? What i need to do in MY PROMPT?
Just give me the updated MY PROMPT. Dont change the MY PROMPT style

ok thanks. Meanwhile I was asking Kiro 'How can i ensure that you take care of this as part of the npm install for my next project?', Then I asked it to put that prompt and its reply into a md file for future reference. Here is the result

I think you want the prompt to update the packages, it's this one.

I don't want to rely on context7, its not safe.

They put their message on their website to avoid legal issues, but the documentations are usually a copy pasta of official documentations.

ok.

Still not doing it. Not being awkward, but if we identify as professionals delivering robust, secure, capable software, we have to take a stand somewhere. That's my line in the sand. I can't hand-off this item of security to another party. I have to take responsibility.

FYI - I carried out Kiros recommendation #1 from the file I posted above. So that was setting up the package-management.md steering file. Just a cut & paste from the file and press the refine button. Kiro added a lot more stuff that I guess was probably defaulted in the background and now has to be explicit because the file is present.

Will report back on how it goes.

The 'feel' is that I might keep this steer as a standard for future projects.

just read in your free time. AI real value - https://claude.ai/share/709360ae-c3d1-414f-a181-5eaa77b7d043

Read it. Setting aside the mock humility that claude displays - the principle fact seems to be that it cannot run ESLint as it goes.

Enlightening and thank you for sharing. Was there a specific relevance to this case?

Update - after starting a new session (not deliberate, closed the first in error). I asked

Me: Can you see the deprecated-packages-guide.md file?
Kiro: [Long story short] - Yes
Me: Great that you can see that. The reason it exists is that those packages came up with deprecated errors in task 1. We need to fix that first. Can you run npm -audit?
Kiro: Absolutely! Let's run npm audit to see what security vulnerabilities and deprecated packages we need to address from task 1.

We then ran thru variations of npm audit, npm outdated, and npm install.

And eventually Kiro fixed all the deprecated issues. Phew.

Summary: Deprecated Package Issues Fixed
We've successfully addressed the deprecated package issues from task 1. Here's what was accomplished:

✅ Key Package Updates
ESLint: Updated from 8.56.0 → 9.31.0 (deprecated → current)
Supertest: Updated from 6.3.3 → 7.1.4 (deprecated → current)
TypeScript ESLint: Updated plugins from 6.15.0 → 8.38.0 (to match ESLint 9.x)
@types/supertest: Updated from 2.0.16 → 6.0.3 (to match Supertest 7.x)
✅ ESLint Configuration Migration
Migrated from legacy .eslintrc.js to modern eslint.config.js (flat config format)
Configured proper TypeScript parsing and rules
Set up separate configurations for main code and test files
Added support for underscore-prefixed unused parameters (_next)
✅ Verification Results
Security: npm audit shows 0 vulnerabilities
Deprecation: No deprecation warnings during install
Build: TypeScript compilation successful
Tests: All tests passing (3/3)
Linting: ESLint working with only minor any type warnings (acceptable)
✅ Package Management Standards Applied
Following the guidelines from your deprecated-packages-guide.md:

Used latest stable versions
Addressed deprecated packages immediately
Ran security audit (clean)
Maintained actively maintained packages
Used modern package defaults
The project foundation is now solid and follows current best practices. We're ready to proceed with task 2 (implementing core data models and database schema) without any deprecated package issues holding us back.

Would you like to move on to task 2 now, or do you have any questions about the package updates we made?

So the solution appears to be:

1. Set up the /steering/package-management.md file with the npm instructions
2. Ask Kiro to check via npm audit and npm outdated.

I would still have liked that to be the default behaviour of Kiro. Maybe it could have reported the issues and asked if I wanted to solve them at that point, but it certainly should not have ignored them.