Audit integrity
- 107 findings
- 7 critical
- 25 high*
- 35 medium*
- 31 low*
- 10 no-action
- 103 confirmed
- 4 overstated→down
- 0 refuted
- 12 version claims corrected
- 8 fabricated APIs
- 9 copy-paste hard-breaks
*severities after the verifier's corrections (4 findings down-ranked: ragas-result-indexing high→med, hypothesis low, sec-003 high→med, llm-sdk-006 stays low). "No-action" = libraries verified already current — kept as evidence, not work.
The damning part — skills inventing APIs that don't exist
Beyond version lag, the audit found 8 fabricated APIs — code the skill teaches that has no counterpart in the shipped library. A user copy-pasting these gets ImportError / TypeError / silently-ignored config, not a working result. Worst concentration: react-server-components-framework/references/nextjs-16-upgrade.md (3 invented APIs) and json-render SKILL.md (4 broken signatures).
Verified version table — claimed vs independently re-confirmed
| cluster | library | taught/claimed | verified latest (2026-05-31) | verdict |
|---|---|---|---|---|
Upgrade roadmap — by impact × effort
🔴 Lane 1 — copy-paste hard-breaks (do first)
Code that throws on the version the skill targets. Highest user pain, mostly S/M effort.
- testing-llm: `ragas>=1.2.0` pin is unsatisfiable + `recalibrate=True` invented → repin `>=0.4.0`, class-based metrics, drop recalibrate
- json-render: `Render`/`defineCatalog`/`createMcpApp`/`registerJsonRenderTool` signatures all wrong on 0.19 → one coordinated rewrite + re-sync
- observability: `from langfuse.callback import CallbackHandler` → `langfuse.langchain`; `new Resource()` → `resourceFromAttributes()`
- langgraph: `langgraph.cache` import + `PostgresSaver.from_conn_string` bare-assign → fix imports + `with … as cp: cp.setup()`
- mcp: 4 import paths resolve only against the 2.0-alpha split / fastmcp fork → align to `@modelcontextprotocol/sdk` subpaths + FastMCP
- python-backend: `httpx.AsyncClient(app=app)` removed in 0.28 → `ASGITransport(app=app)`
- vector-rag: gemini `text-embedding-004` shut down 2026-01-14 → `gemini-embedding-001`
🟠 Lane 2 — deprecated / fabricated-but-non-crashing
Works today but wrong/deprecated, or invented config that's silently ignored. Misleads agents.
- next-react: rewrite `nextjs-16-upgrade.md` — kill invented `next/proxy`, `revalidateTag({type})`, `cache()` wrapper, `next-browser`
- langgraph: `create_react_agent` deprecated since v1.0 → `langchain.agents.create_agent`; stop selling pre/post_model_hook as "new 1.2"
- observability: `@observe(type=)` → `as_type=`; v2 `trace().generation()` → `start_observation()`; `@langfuse/* ^4` → 5.x
- security: python-jose (CVE-2025-61152 alg=none) → PyJWT; OWASP LLM 2023 labels → 2025
- vector-rag: Cohere `Client()`/`v3.0`/`max_chunks_per_doc` → `ClientV2()`/`rerank-v4.0-pro`/`max_tokens_per_doc`
- llm-sdk: `google.generativeai` (archived) → `from google import genai`
- frontend-libs: Zod 4 — `z.string().email()`/`.uuid()` → `z.email()`/`z.uuid()`, `.flatten()` → `z.treeifyError()` (shape change!)
🟡 Lane 3 — new-best-practice & version-pin
Not wrong, just behind the frontier. Additive guidance + pin bumps.
- db-migrations: PG18 `uuidv7()` over random v4; native `WITHOUT OVERLAPS`/`PERIOD`; B-tree skip-scan nuance
- vector-rag: pgvector `halfvec`/`binary_quantize()` for 3072-dim embeddings; voyage-3→3.5
- python-backend: `= Depends()` → `Annotated[…, Depends()]` (21 sites); `.dict()` → `.model_dump()`; `datetime.utcnow()` ×3; `get_event_loop()` ×4
- next-react: next/image breaking defaults; async params for icon/og/sitemap; pins 16.2.6/19.2.6
- frontend-libs: Biome `noFloatingPromises` needs `domains.types`; Zustand checklist label is backwards
- llm-sdk: gpt-5.2→gpt-5.5 (~18 sites); OpenAI Responses API; Claude 4.6→4.8 table
🟢 Verified current (no action)
Audited and confirmed up-to-date — proof the suite isn't uniformly stale.
- testing-js: Vitest 4.1, Playwright 1.60, MSW already v2 — strong shape (only 1 fabricated config block)
- infra-events: Temporal 1.27.2, Celery 5.6.3, redis-py 8.0, aiokafka 0.14 — all current
- db-migrations: Alembic 1.18.4 / SQLAlchemy 2.0 APIs all valid (staleness is PG18 feature-awareness, not breakage)
- langgraph: stream v2 / GraphOutput / RemoteGraph / core import paths — current
- llm-sdk: Anthropic caching shape + vision content-blocks + Claude Opus 4.8 — current
- security: py_webauthn 2.7.1, PyJWT 2.13.0, OWASP LLM list mostly mapped