
Vibe coding is killing open source, increasing software risk

AI-driven coding is adding maintenance debt to OSS projects and a new dimension of risk to software supply chains. Learn how the OSS ecosystem and the orgs that rely on it should adapt.

Open source software underlies most commercial software built today, and AI is making that dynamic riskier.

The "2026 Open Source Security and Risk Analysis Report" (OSSRA) from Black Duck found that 98% of commercial codebases incorporate open source components, with the average application drawing on more than 1,100 of them. A 2024 Harvard Business School study by Hoffmann, Nagle and Zhou estimated firms would need to spend 3.5 times more on software without it. OSS is a dependency risk embedded in every layer of production software.

A January 2026 working paper argues that AI-assisted development is adding a new dimension to that risk: AI is shrinking the supply of well-maintained packages, and that kind of erosion is harder to detect than a compromised package.

The paper "Vibe Coding Kills Open Source" was posted January 23, 2026, by economists Miklos Koren, Gabor Békés, Julian Hinz and Aaron Lohmann (arXiv:2601.15494v1). The paper is a pre-print and has not yet undergone peer review. It models what happens when AI agents, rather than human developers, select and assemble open source packages.

The paper's central finding is that under traditional OSS business models, widespread vibe coding reduces OSS provision and lowers overall welfare, even as software output rises.

Editor's note: Any mention of "the paper" throughout this article refers to "Vibe Coding Kills Open Source" (arXiv:2601.15494v1).

How does vibe coding change OSS?

The term "vibe coding" was coined by AI researcher Andrej Karpathy in early 2025, and Collins English Dictionary named it the Word of the Year the same year. It describes a workflow where the developer's primary role shifts from writing code to guiding an AI assistant using natural language. The AI selects packages, writes the implementation and integrates dependencies, often without the user knowing which libraries were used.

Adoption is accelerating

By October 2024, more than a quarter of all new code at Google was AI-generated and accepted by engineers, per Alphabet's Q3 2024 earnings call. Using commit-level data from 170,000 developers, Daniotti et al. (2025) -- cited in the paper -- estimated that by the end of 2024, AI generated roughly 29 to 30% of Python functions authored by U.S. contributors on GitHub.

The "Stack Overflow 2025 Developer Survey," drawing on responses from 49,000 developers across 177 countries, found that over 80% of professional developers use or plan to use AI tools in their workflows, with 51% doing so daily.

How OSS maintainers earn

Traditional OSS development follows a documented engagement loop. A developer downloads a package, reads documentation, encounters a problem, asks a question in a public forum and sometimes contributes a fix. That activity generates the visibility through which many maintainers earn private returns, including reputation, consulting leads from documentation traffic and paid enterprise add-ons.

The engagement loop breaks down

Vibe coding disrupts that model through two channels.

The first is a genuine gain. AI reduces the cost of using and integrating existing code, and field experiments cited in the paper found it raises developer productivity by 26-56%.

The second channel erodes what maintainers earn. The paper calls this dynamic the "demand-diversion channel." Downloads rise while engagement falls.

"The consumption of open source is actually increasing, but the human interaction layer around those projects is shrinking," Shanea Leven, co-founder and CEO of Empromptu, said. "That's why you see usage rise while engagement metrics drop. Developers are still relying on those projects heavily, but the path between the developer and the project is now mediated by AI."

When an AI agent mediates access to OSS, the user does not visit documentation, file bug reports or engage with maintainers. Documentation traffic and Q&A were historically how mid-tier projects reached enterprise users, a channel that narrows as AI mediates more of that interaction.

"AI tooling used for vibe coding may not know about new projects being productized because it wasn't trained on them," Matt Farina, head of portfolio architecture and community at SUSE, said. "This impacts their route to market."

What happens when the OSS ecosystem shrinks?

The paper's model predicts that as vibe coding spreads, the variety and average quality of shared OSS fall.

Measuring the decoupling

Tailwind CSS is the paper's central illustration. The paper's Figure 2 tracks Tailwind's npm download volume, rising steadily through 2025, against Stack Overflow questions tagged "tailwind-css," which declined over the same period.

Figure 2a from the "Vibe Coding Kills Open Source" paper: Tailwind CSS usage vs. Q&A. Downloads rise while public Q&A engagement falls.

Tailwind creator Adam Wathan reported in a January 2026 GitHub comment that documentation traffic was down roughly 40% from early 2023, despite Tailwind being more popular than ever. Revenue, he reported, was down close to 80%. "Right now there's just no correlation between making Tailwind easier to use and making development of the framework more sustainable," wrote Wathan.

The platform signal

Stack Overflow's broader decline reflects the same dynamic at scale. Research published in "PNAS Nexus" in 2024 by del Rio-Chanona, Laurentsyeva and Wachs found that access to ChatGPT causally reduced Stack Overflow activity by about 25% within six months.

Not all of that decline is harmful. "Decreases in bug reports and community Q&A aren't always bad for a project," Farina said. "When AI helps users deal with these situations, it can reduce the burden on open source maintainers."

Jason Brooks, senior manager for community architecture and infrastructure at Red Hat, sees the same nuance in his own practice, though he notes the engagement that drives discovery and monetization is falling alongside the noise. "I often find myself seeking out the docs to better understand the features or limitations of a dependency a tool has suggested to me," Brooks said.

The effects of declining OSS maintenance

The OSS maintenance crisis predates vibe coding, but vibe coding compounds it. Mid-tier and emerging projects that depend on engagement-based revenue with no enterprise licensing backstop face the greatest exposure.


The 2026 Black Duck OSSRA report found that 93% of applications examined contained open source components with no new development activity in the prior two years. Sonatype's "2023 State of the Software Supply Chain" report found that nearly 20% of open source projects across Java and JavaScript that were maintained in 2022 are no longer maintained today.

This growing maintenance debt creates real security vulnerabilities. The Apache Log4j vulnerability in 2021 allowed remote code execution across enterprise servers and cloud infrastructure; two years after disclosure, over 40% of downloads were still vulnerable.

In early 2024, a backdoor in XZ Utils was traced to an attacker who had spent two years building trust with a solo maintainer before embedding malicious code. Black Duck's survey found that 65% of orgs reported experiencing a software supply chain attack in the past year.

The compound effect

The paper models what happens at 70% adoption of vibe coding under traditional business models. In that scenario, per-user monetization for a typical OSS project falls by 70%, while AI productivity gains offset only about 12% of development costs.

The paper's model finds that sustaining current OSS provision requires either vibe-coded users to contribute at least 84% of what direct users do to monetization, or 84% of OSS revenue to come from usage-independent sources.

Neither condition is close to being met.

What needs to change to sustain the OSS ecosystem?

The paper's authors are explicit that slowing AI adoption is not the answer. Four structural responses address the gap.

1) Platform-level redistribution

AI coding tools already track which packages they import and how often. A revenue-sharing model, where platforms distribute subscription revenue to maintainers based on attributable package usage, would reduce the monetization gap the paper identifies. The paper calls this a "Spotify for open source" model. The infrastructure exists in AI providers' telemetry, and implementation requires coordination among platforms rather than new technology.

"For individuals and organizations looking to monetize off of OSS projects, they will certainly have to take this new world of vibe coding under consideration," Scott Kingsley, VP of engineering at SmartBear, said. "Monetization strategies will need to shift."

2) Usage-independent funding

The "2024 Open Source Software Funding Report" by GitHub, the Linux Foundation and Harvard estimated that organizations contribute $7.7 billion annually to OSS, with employee labor accounting for 86% of that figure. Mechanisms to shift that balance toward direct financial contributions include GitHub Sponsors, foundation grants and the Open Source Pledge. This problem predates vibe coding but is now more urgent.

"We never really solved paying open-source developers for their contributions," Kingsley said. "But now their compensation and engagement needs to evolve again."

3) Internal governance for AI-generated code

AI coding tools do not flag when generated code originates from an existing open source project, per FossID guidance on license compliance. They might also suggest deprecated dependencies or ones with unpatched vulnerabilities.

AI can be part of the governance solution as well as the problem. "AI tools can help triage contributions and aid in review," Brooks said. "On the contributor side, AI tools can help well-meaning contributors make contributions that better fit a project's contribution standards."
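One concrete form of the internal governance this section describes, and of the "no new development activity in the prior two years" measure from the OSSRA figures quoted earlier, is a check run over the dependencies an AI assistant pulled in before they are merged. The following is an added example written for this article, not code from the paper, Black Duck, FossID or any of the quoted organizations. The registry snapshot and the requirements-style manifest are constructed in-memory samples with hypothetical package names; in practice the metadata would come from the npm or PyPI API.

```python
"""Governance check for AI-suggested dependencies.

Added example, not code from the article or the paper it discusses. It flags
dependencies that are deprecated, have had no release within a window (the
two-year "no new development activity" threshold the OSSRA report uses), rely
on a single maintainer, or are absent from the registry. All registry metadata
below is a constructed in-memory sample; the package names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass
class PackageMeta:
    """Subset of registry metadata the check needs (constructed sample shape)."""
    name: str
    latest_release: date
    deprecated: bool = False
    maintainers: int = 1


# Constructed sample snapshot standing in for npm/PyPI responses (not real packages).
SAMPLE_REGISTRY = {
    "web-framework-x": PackageMeta("web-framework-x", date(2025, 11, 2), maintainers=12),
    "legacy-date-utils": PackageMeta("legacy-date-utils", date(2022, 3, 14)),
    "old-crypto-wrapper": PackageMeta("old-crypto-wrapper", date(2023, 1, 5), deprecated=True),
    "tiny-parser": PackageMeta("tiny-parser", date(2024, 6, 30)),
}

# Constructed manifest in requirements.txt style, as an AI assistant might emit it.
SAMPLE_MANIFEST = """\
# generated dependencies
web-framework-x==4.2.0
legacy-date-utils>=1.0
old-crypto-wrapper  # pulled in for hashing
tiny-parser~=0.3
missing-pkg
"""

# Package name: leading alphanumeric, then letters, digits, dots, underscores, hyphens.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_manifest(text):
    """Return package names from a requirements-style manifest, ignoring
    comments, blank lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1).lower())
    return names


def check_dependencies(deps, registry, today, stale_after=timedelta(days=730)):
    """Map each problematic dependency to a list of human-readable reasons.
    Packages with no findings are omitted from the result."""
    findings = {}
    for dep in deps:
        reasons = []
        meta = registry.get(dep)
        if meta is None:
            reasons.append("not found in registry")
        else:
            if meta.deprecated:
                reasons.append("deprecated by maintainer")
            age = today - meta.latest_release
            if age > stale_after:
                reasons.append(f"no release in {age.days} days")
            if meta.maintainers == 1:
                reasons.append("single maintainer")
        if reasons:
            findings[dep] = reasons
    return findings


def run_sample(today=date(2026, 2, 1)):
    """Run the check over the constructed manifest and registry snapshot."""
    return check_dependencies(parse_manifest(SAMPLE_MANIFEST), SAMPLE_REGISTRY, today)


if __name__ == "__main__":
    for pkg, reasons in run_sample().items():
        print(f"{pkg}: {'; '.join(reasons)}")
```

The three signals are deliberately separate so a team can set its own policy: an unknown or deprecated package is usually a merge blocker, while staleness and a single maintainer are prompts to look at the project before depending on it, which is the kind of engagement the article says is disappearing.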

4) Direct investment in at-risk dependencies

The projects most exposed are not React or Kubernetes, but mid-tier components in the dependency chains beneath them, widely depended upon and minimally staffed. The Linux Foundation's "State of Global Open Source 2025" report found that 83% of enterprises consider OSS adoption valuable to their operations, but only 29% have hired or designated full-time in-house OSS maintainers.

A call to action

Koren, Békés, Hinz and Lohmann describe their paper as "a call to action" rather than a prediction of collapse. The open source ecosystem, they argue, has survived previous disruptions by adapting its technical and institutional foundations. Vibe coding requires the same kind of deliberate realignment.

"What is needed," they write, "is coordination and will." For IT leaders already managing OSS as a supply chain risk, that realignment begins with recognizing that the risk is no longer confined to a vulnerable package. It now extends to whether the projects those packages depend on will still be maintained.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
