Who Updates a Vibe-Coded App? Nobody, and That’s the Problem.
On the dependency responsibility gap in AI-built apps, and the 89 seconds that explain it. By Tom Raef, We Watch Your Website On March 31, 2026, a malicious version of axios went live on npm. The first machine was infected 89 seconds later. Nobody approved it. No developer read a changelog, clicked update, or weighed…