Blog

What AI gets wrong

Deep dives into the bugs AI assistants introduce and how to catch them before they reach production.

Security | SEC004 | 2026-02-10 | 4 min

Why AI Generates Insecure Random Tokens

Every AI assistant we tested uses random.randint() or Math.random() for security tokens. Here's why that's dangerous and what SEC004 catches.

Determinism | DET001 | 2026-02-07 | 5 min

The Silent Bug: Dictionary Iteration Order

Your code works in dev, passes tests, then produces different results in production. DET001 catches the nondeterministic iteration that causes it.

Async | ASYNC001 | 2026-02-04 | 4 min

Forgot Await: The Most Common Async Bug

Calling an async function without await doesn't throw an error — it silently returns a Promise that nobody checks. ASYNC001 finds every instance.

Quality | QUAL004 | 2026-01-30 | 3 min

Mutable Default Arguments: Python's Classic Trap

def process(items=[]): looks innocent. It shares state between calls. AI assistants write this pattern constantly — QUAL004 catches it every time.

Security | SEC002 | 2026-01-27 | 5 min

SQL Injection Is Still Happening in AI-Generated Code

We found f-string SQL queries in 40% of AI-generated database code. SEC002 catches string concatenation in SQL before it reaches production.

Frontend | FRONT002 | 2026-01-23 | 4 min

window is not defined: The Next.js SSR Problem

AI writes browser code that crashes on the server. FRONT002 finds every window, document, and localStorage access that needs an SSR guard.

Concurrency | CONC001 | 2026-01-20 | 5 min

Check-Then-Act: Race Conditions Hiding in Plain Sight

if file_exists then write_file looks safe. It isn't. CONC001 catches time-of-check-to-time-of-use bugs across Python and JavaScript.

Types | TYPE009 | 2026-01-16 | 3 min

process.env.VAR! Will Crash Your Production Server

TypeScript's non-null assertion on environment variables compiles fine and crashes at runtime. TYPE009 catches this before deployment.