Why You Shouldn't Use Vibe Coding Today #37
The current limitations of vibe coding and how these challenges might be overcome in the future.
(Service Announcement)
This newsletter (which now has over 5,000 subscribers and many more readers, as it’s also published online) is free and entirely independent.
It has never accepted sponsors or advertisements, and is made in my spare time.
If you like it, you can contribute by forwarding it to anyone who might be interested, or promoting it on social media.
Many readers, whom I sincerely thank, have become supporters by making a donation.
Thank you so much for your support, now it's time to dive into the content!
“Are you kidding? You just published an article talking about Vibe Coing as a revolution and only a week later you publish one saying that, at least for now, it would be better not to use it?”
Yes! And the reason is simple: theory is one thing, practice is another. Vibe Coding holds tremendous potential, but right now the risks are significant. Until the underlying technologies reach a higher level of maturity, a cautious, conservative approach is the wisest choice.
Let’s not forget: software directly affects our lives. When the stakes are this high, extreme caution isn’t just advisable, it’s essential.
The appeal of Vibe Coding is undeniable. Various emerging platforms promise to democratize software creation, break down technical barriers, and dramatically accelerate development cycles. Simply describe what you want to build, and let AI handle the details. No programming expertise required.
But beneath this seductive promise lies a complex reality that enthusiastic proponents often gloss over. As innovation evolves in the tech industry, concerning patterns are emerging in the vibe coding movement. This approach, while revolutionary in concept, introduces numerous critical problems that make it unsuitable for most professional contexts today.
The Ticking Time Bomb of "AI Legacy Code"
One of the most pressing concerns with vibe coding is the creation of what software engineers are already calling "AI legacy code", code that functions but is difficult to understand, maintain, or modify. So please don't touch anything!
When developers "vibe code" by instructing AI to "build a customer management system with authentication" without reviewing the underlying implementation, they receive functioning applications without necessarily understanding how they work. This creates a dangerous knowledge gap.
Experts draw a critical distinction: using AI to write code that you then review, test, and understand is not vibe coding – that's using AI as a typing assistant. True vibe coding involves accepting AI-generated changes with minimal human oversight.
This opacity creates severe maintenance challenges. When bugs inevitably emerge or requirements change, teams often find themselves unable to effectively modify the codebase without breaking existing functionality.
A notable pattern has emerged among early adopters of vibe coding. The initial development is impressively fast, what would typically take months of traditional development can be completed in weeks. However, when regulatory requirements change or business needs evolve, requiring modifications to the underlying systems, teams encounter a crisis. No one fully understands the complex interdependencies in the AI-generated code. What should be straightforward updates turn into months-long refactoring nightmares, ultimately requiring significant portions to be rewritten manually.
As one technology leader observed: "You might save three months during initial development but lose six months when you need to modify it. The technical debt accumulated remains hidden until you need to change something fundamental."
Another significant issue is the inconsistent coding patterns that emerge in vibe-coded applications. AI systems often switch between different architectural approaches, variable naming conventions, or error handling strategies within the same codebase. Academic studies of vibe-coded applications have found that the vast majority contain multiple inconsistent design patterns, making them significantly more difficult to maintain than traditionally coded applications. It's comparable to reading a novel written by five different authors who never coordinated their storylines.
In the future, these problems might be mitigated through several developments. Documentation-focused AI could automatically generate comprehensive explanations of implementation decisions and architectural choices. Consistency engines could maintain uniform coding patterns throughout a project. As explainable AI advances, coding systems may provide clear rationales for implementation choices, making the code more understandable to human developers. Eventually, AI systems might adhere to strict architectural patterns, ensuring consistent approaches to common problems.
The Unseen Danger of Security Vulnerabilities
The security implications of vibe coding are perhaps the most alarming and least discussed aspect of this approach. By removing human oversight from code implementation, vibe coding opens the door to various security vulnerabilities.
AI coding models are trained on vast repositories of code from the internet, including code with security flaws. These models can inadvertently reproduce vulnerable patterns in newly generated code. A significant percentage of AI-generated web applications contain critical security vulnerabilities, including SQL injection points, cross-site scripting vulnerabilities, and insecure authentication mechanisms.
The models are reproducing patterns they've seen, including outdated security practices and known vulnerabilities. What's particularly concerning is that these vulnerabilities aren't obvious to non-technical users who rely on vibe coding.
Imagine a healthcare organization leveraging vibe coding to build patient portals and experiencing significant data breaches. Investigations typically reveal that AI-generated authentication systems contained fundamental security flaws that would have been caught in standard security reviews. This pattern highlights a critical problem: vibe coding creates a false sense of security. Non-technical users assume the AI will handle security best practices automatically, while the AI simply implements what it understands from the prompt, which may not include robust security measures unless explicitly specified.
A uniquely modern risk comes in the form of prompt injection attacks. Malicious actors can craft inputs that manipulate the AI's code generation process, potentially introducing backdoors or vulnerabilities.
Security concerns may eventually be addressed through various advances. AI models could be specifically fine-tuned on security best practices and vulnerability prevention. Integrated security analysis tools might automatically evaluate generated code for vulnerabilities. Advanced AI systems could incorporate security threat modeling into their code generation process. Future systems might adopt highly conservative approaches to security-sensitive operations like authentication and data access.
The Compliance and Legal Issues
Vibe coding introduces complex legal and compliance challenges that many organizations are unprepared to address.
Who owns AI-generated code? This question remains legally ambiguous. AI systems are trained on millions of code repositories, many with different licenses. When these systems generate new code, they may inadvertently reproduce copyrighted patterns or algorithms.
High-profile lawsuits have already emerged when software companies claimed that vibe-coded applications contained portions of their proprietary algorithms. Defendants typically argue they had simply asked the AI to build a function without specifying implementation details. Legal experts note that we're in a gray area. Companies using vibe coding may be unknowingly incorporating copyrighted code into their products, creating significant liability exposure.
For industries with strict regulatory requirements, vibe coding presents particularly difficult challenges. Financial services, healthcare, and aviation software must meet rigorous standards that typically include code review and documentation requirements. Regulatory bodies have already issued guidance cautioning against the use of fully AI-generated code in certain critical systems. Code used in safety-critical systems must typically be traceable, reviewable, and developed according to established standards. Fully AI-generated code without human review and understanding does not currently meet these requirements.
Similarly, healthcare compliance regulations require developers to implement specific security controls and document their approach. Vibe coding's "black box" nature makes compliance verification challenging, if not impossible, in these regulated contexts.
Legal and compliance issues might be resolved through future developments. New regulations specifically addressing AI-generated code could provide legal clarity. AI systems might maintain detailed records of their "inspiration sources" to address intellectual property concerns. Models could be trained to generate code that adheres to specific regulatory frameworks. Third-party certification of AI coding systems for use in regulated industries could emerge to validate their appropriateness for sensitive applications.
The Hidden Costs of Dependency and Lock-in
Perhaps the most overlooked risk of vibe coding is the profound dependency it creates on specific AI providers and platforms.
Companies building through vibe coding become fundamentally dependent on the continuing availability and consistency of their AI coding platform. Even minor changes to the underlying AI models can dramatically affect code output. Significant updates to AI models have caused compatibility issues for applications built using vibe coding. Code that previously generated correctly suddenly produces different results, causing widespread disruption.
As one affected technology leader described it: "Overnight, our development workflow broke. The AI started generating code in a completely different style with different design patterns. We essentially had to freeze development for weeks while we adapted."
While vibe coding may appear cost-effective initially, long-term costs can become unsustainable, especially for complex, evolving applications. Many platforms have started with generous free tiers or unlimited code generation but later introduced usage caps and significantly raised prices as demand grew. Small businesses that built their development processes around these platforms suddenly can face unexpected cost increases of 300-500%.
The resulting situation creates a classic lock-in problem: "We've essentially built our entire product on their platform. Switching would require rebuilding from scratch, but staying means our development costs have quadrupled."
Another critical issue is the lack of control over the AI models powering vibe coding tools. These models are typically black boxes, with users having little visibility into their limitations, biases, or decision-making processes. Open-source alternatives have gained popularity precisely because they offer more transparency than commercial options. However, even with open-source tools, the complexity of large language models makes true understanding and control challenging for most users.
Dependency issues might eventually be addressed through technological evolution. Common formats for AI prompts and code generation could reduce vendor lock-in. As AI models become more efficient, running them locally could reduce dependency on external services. Technologies that help extract and reimplement vibe-coded applications in standard formats could emerge. Systems that combine traditional coding with selective AI assistance might provide the benefits without complete dependency.
The Skill Degradation Problem
One of the most profound long-term risk of vibe coding is its potential impact on developer skills and knowledge.
As more developers rely on AI to handle implementation details, there's a growing concern about the erosion of fundamental programming knowledge. Understanding algorithms, data structures, memory management, and other core concepts remains crucial for solving novel problems and optimizing application performance.
There's a world of difference between using AI as a coding assistant and completely surrendering understanding to the AI. When you don't understand what's happening under the hood, you're severely limited in what problems you can solve.
The impact on junior developers is particularly concerning. Traditionally, early career experiences building features from scratch provided crucial learning opportunities. With vibe coding, these opportunities diminish, potentially creating a generation of developers who can prompt AI effectively but struggle with fundamental problem-solving when AI falls short.
For complex systems, knowledge transfer between team members is crucial for long-term maintenance. Vibe-coded applications make this transfer particularly challenging since no individual may fully understand the entire codebase.
Skill concerns might be addressed through more sophisticated AI approaches. Future systems might not only generate code but explain their reasoning in educational ways. AI tools could provide multiple levels of explanation, from high-level overviews to detailed technical discussions. Special interfaces might prioritize teaching the user rather than simply solving the problem. Tools could challenge developers to manually improve AI-generated code, building their skills while leveraging AI assistance.
Development Workflow Disruptions
Integrating vibe coding into established development practices creates significant workflow challenges that can disrupt productivity and code quality.
Version control systems like Git are designed around the concept of meaningful, discrete changes that can be reviewed, merged, or reverted. Vibe coding often generates massive, sweeping changes across multiple files, making meaningful version control nearly impossible. Reviewing a pull request with thousands of lines of AI-generated code is essentially impossible. Developers end up either rubber-stamping changes without true review or spending days trying to understand what changed and why.
Continuous Integration/Continuous Deployment (CI/CD) pipelines are the backbone of modern software development. These systems run automated tests to catch issues before code reaches production. Vibe-coded applications often struggle with these pipelines because AI may not generate comprehensive tests for the code it creates. Tests that are generated may test implementation rather than behavior, breaking whenever the AI changes approach. Minor prompt changes can cause wildly different implementations, breaking builds unpredictably.
Software development is fundamentally collaborative. Vibe coding creates friction in collaborative environments because different team members may have different understandings of how the system works, or may use different prompting styles that create inconsistent code. This leads to what engineering teams call "prompt wars", situations where developers spend more time crafting the perfect prompts than they would have spent writing the code directly.
Workflow issues could eventually be resolved through technological advancement. AI systems might produce smaller, more focused changes rather than entire applications at once. Models could generate comprehensive tests before implementing functionality. Shared prompt libraries and standardized approaches within development teams could emerge. AI systems might eventually understand version control and generate changes that make sense in that context.
Performance Bottlenecks
AI-generated code frequently prioritizes functionality over performance, creating significant efficiency issues that may not be apparent until applications are under load.
On average, vibe-coded applications consume 3-4 times more server resources than comparable manually coded applications. The AI prioritizes making things work over making them work efficiently. It often includes unnecessary dependencies, implements inefficient algorithms, or fails to optimize database queries. For small applications, this isn't noticeable, but at scale, it creates significant cost implications.
Some technology leaders have expressed a common frustration: "We trusted the AI to implement best practices for scalability. It wasn't until we hit high traffic that we discovered critical performance flaws in the architecture. With no one on the team fully understanding the implementation, we couldn't quickly fix it." Such incidents have resulted in millions in lost sales during crucial high-traffic periods.
Performance issues might be addressed through future innovations. AI systems could be specifically trained to prioritize efficient implementation. Automatic generation of load tests alongside application code might become standard. AI systems could proactively identify performance bottlenecks in generated code. Tools might emerge that compare AI-generated code against established performance baselines.
A Balanced Approach
Despite these serious concerns, the underlying technologies behind vibe coding hold tremendous promise if approached thoughtfully. The solution isn't to abandon AI-assisted coding entirely, but to implement a balanced approach that preserves human understanding and oversight.
The distinction between using AI as a co-pilot versus true vibe coding is crucial. Having AI write code that you then review, understand, and take responsibility for is fundamentally different from the hands-off vibe coding approach.
Effective practices include reviewing everything rather than accepting AI-generated code without understanding it. Testing rigorously all AI-generated components is essential. Maintaining design control means using AI for implementation, not architecture. Documenting understanding ensures knowledge exists beyond the AI's generations. Keeping humans in the loop means using AI to accelerate development, not replace human judgment.
Vibe coding may be appropriate for certain limited scenarios such as prototyping and proofs of concept when exploring ideas quickly. Non-critical internal tools where performance and security requirements are lower might benefit from this approach. Educational environments can use vibe coding for learning conceptual approaches, provided there's subsequent explanation. Generating starting points that will be heavily modified and understood by human developers can be valuable.
However, for production systems, mission-critical applications, or regulated environments, the risks currently outweigh the benefits.
Future Evolutions
While today's vibe coding presents significant challenges, future developments may address many of these concerns.
In the short term (1-2 years), we'll likely see enhanced documentation generation as AI models improve their ability to explain the code they generate, making it more maintainable. Security-focused fine-tuning will train models to avoid common security pitfalls and follow best practices. Performance optimization modules will incorporate performance analysis into the generation process. Better integration with version control, testing frameworks, and CI/CD pipelines will emerge.
Medium-term developments (3-5 years) may include explainable coding models with new architectures that provide clear reasoning for implementation choices. Continuous learning systems will remember previous conversations and maintain consistent approaches throughout a project's lifecycle. Regulatory compliance frameworks specifically designed for regulated industries will include built-in compliance checks. Hybrid augmentation approaches will enhance human developers rather than replacing them, with clearer demarcation of responsibilities.
Long-term possibilities (5-10 years) suggest true code understanding where AI systems genuinely comprehend code at a semantic level rather than pattern matching. Self-verifying systems might formally verify the correctness of their own code. Models capable of high-level software design with justifications based on first principles could emerge. Knowledge preservation systems might effectively document and transfer knowledge between team members.
Embracing the Future Responsibly
Vibe coding represents a fascinating glimpse into the future of software development, but that future isn't fully realized yet. The current limitations, including maintenance challenges, security vulnerabilities, legal uncertainties, dependency risks, skill erosion, and workflow disruptions, make it unsuitable for most serious development work today.
As AI models improve, many of these issues will likely be addressed. Future systems may generate more consistent, maintainable, and secure code. They may provide better explanations of their implementations and integrate more seamlessly with existing development practices.
Until then, the wisest approach is to harness the productivity benefits of AI-assisted development while maintaining human understanding and oversight. Let AI accelerate your coding, but don't surrender comprehension in the process.
The code that powers our world is too important to be built on vibes alone, at least for now. The future promises more sophisticated, trustworthy AI coding systems, but that future requires careful, responsible development practices today.
Even in this field, we are only at the beginning.
Service Announcement)
This newsletter (which now has over 5,000 subscribers and many more readers, as it’s also published online) is free and entirely independent.
It has never accepted sponsors or advertisements, and is made in my spare time.
If you like it, you can contribute by forwarding it to anyone who might be interested, or promoting it on social media.
Many readers, whom I sincerely thank, have become supporters by making a donation.
Thank you so much for your support!
Massimo, excellent article. I agree with all sentiments.
I am evaluating a hobby application that is fairly robust with a mixture of vibe coding as well as collaboration with the AI tool (my mind first then ai).
The collaboration approach is pretty good and can be impressive. But the moment you lose site of any of the codebase, I could see issues compound quickly.
Ai has created extraneous folders and duplicate code files numerous times. New models completely changed requirements by making erroneous assumptions but it goes ahead and implements it.
The code style and patterns are all over the place even when you tell it. This is my second project evaluation for vibe coding and it is far and I mean far from feasible for "good", "important" applications. When it works well it is impressive. But all it takes is a bad iteration and it creates a mountain. This is inevitable with larger codebases and even medium sized ones.
I would ask biz decision makers a simple question. "Are you comfortable with vibe coders working on your mission critical applications?" Where risk and reward have a monetary impact?
You might even have a new wave of script kiddies getting hired and at first it is a revolution. Then the issues become apparent down the road. Who will fix it then?
I think we are stepping into uncertain territory. The leaders in the industry should be aware of these things and not make decisions based upon ideas driven by social media.