38.5 Security gates and dependency scanning

Dependency Hallucination

Models love to import packages that don't exist ("package hallucination").

Gate: If the agent adds a new line to `package.json`, verify that the package exists on npm and has > 1000 downloads. Do not install obscure packages automatically.

Code Injection

Scan the generated code for dangerous patterns: - `eval()` - `exec()` - Hardcoded credentials (`password = "123"`)

Use tools like Semgrep or Bandit in your pipeline.

Where to go next

• 39. Prompt Engineering for Experts