The latest articles on DEV Community by Ben Minor (@benminor). https://dev.to/benminor https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3978518%2Fcfda9457-c5b5-444b-a10d-3fb8ae59e540.jpeg https://dev.to/benminor en Ben Minor Thu, 11 Jun 2026 12:17:45 +0000 https://dev.to/benminor/your-agent-writes-deprecated-model-calls-i-built-a-cli-to-catch-them-before-prod-does-gdg https://dev.to/benminor/your-agent-writes-deprecated-model-calls-i-built-a-cli-to-catch-them-before-prod-does-gdg <p>Coding agents are trained against a snapshot of the world. So when you ask one to wire up an LLM call, it reaches for whatever model string was current at its training cutoff — and writes something like <code>gpt-4-vision-preview</code> into your code without checking whether it still exists, or will exist in 2 months.</p> <p>The code compiles, tests pass, CI is green. Then one morning the provider retires that model, and your production calls start returning errors.</p> <p>I kept falling into that gap, so I built a tool for it.</p> <h2> The moment that made me write it </h2> <p>Last week I ran it across my own repos. It found <code>claude-sonnet-4-20250514</code> in <strong>three of my live apps</strong> — days before Anthropic retires that model on June 15. Nothing in my dependency tooling had flagged it, because a model ID isn't a dependency. I'd have shipped straight into the outage.</p> <h2> What it does </h2> <p><strong>arol-ai</strong> is a CLI that scans your codebase for third-party APIs, SDKs, and model strings, checks each one against a <strong>hand-verified</strong> database of vendor sunset dates, and tells you what breaks and when. It runs locally, reports exact <code>file:line</code>, and only fails your build on high-severity or imminent deprecations (configurable, so it won't nag you about something retiring eight months out).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx arol-ai scan </code></pre> </div> <h2> "Isn't this just Dependabot / grep?" </h2> <p>Fair question - it's the first one everyone has asked so far.</p> <p>The difference is <em>where</em> these things live and <em>what</em> triggers them. Model IDs and API calls sit in your code as plain strings, not as versioned packages in your lockfile — so your dependency graph never sees them, and Dependabot can't either. And the trigger isn't a version bump or a CVE. It's a physical date. <code>claude-sonnet-4-20250514</code> doesn't gradually go "out of date" — it works perfectly <strong>right up until June 15</strong>, then your calls start erroring on a schedule you never wrote down anywhere.</p> <h2> Coverage </h2> <p>Today it covers OpenAI, Anthropic, and Google models and APIs, across JS/TS and Python codebases. Plus some other common infra providers like Vercel (this ain't just for LLMs). Every sunset date comes from the vendor's own changelog — if I can't source a date, I don't ship it.</p> <h2> Honest caveats (it's early) </h2> <p>Right now arol flags <em>references</em> to deprecated models. It doesn't yet tell a live API call apart from a model ID sitting in a config table or a test fixture, so if you point it at a big library you'll see <em>some</em> noise. Call-site-aware scanning is what I'm building for early next week.</p> <p>Local scans are free and <strong>will stay free</strong>.</p> <h2> Try it / tell me what breaks </h2> <p>I'd <strong>love</strong> feedback — especially false positives, and which providers or frameworks you'd want covered next. Run it on a repo and tell me what it catches (or wrongly catches):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx arol-ai scan </code></pre> </div> <ul> <li>Site: <a href="https://arol.ai" rel="noopener noreferrer">https://arol.ai</a> </li> <li>GitHub: <a href="https://github.com/benminor/arol" rel="noopener noreferrer">https://github.com/benminor/arol</a> </li> </ul> showdev ai typescript webdev