You wrote maybe 2,000 lines of code. Your node_modules has 80,000 files from 1,400 packages you never read. Most of them are fine. One of them is not, and the fix landed three months ago in a minor version you never pulled.
"Vulnerable and outdated components" means you are running code with known bugs in it. Not bugs you wrote — bugs in the libraries you imported, or the libraries those libraries imported. The fix usually exists. It just hasn't reached your package.json yet. Modern apps pull in thousands of transitive dependencies, so the surface area is enormous.
What your AI actually built
You asked for a markdown editor, a PDF renderer, a date picker — something real. The model reached for the obvious npm package, wired it up, and everything worked. Nice. Shipped.
What it didn't do was pin the version, check the changelog, or notice that the package was last updated in 2021 and has three open CVEs in its transitive deps. Models tend to suggest whatever was popular in the training corpus. Popularity and freshness are not the same thing.
The second trap is copy-paste from old Stack Overflow answers. A snippet that says 'install lodash@4.17.11' still runs perfectly. It also still has the prototype-pollution CVE that was patched in 4.17.12.
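The two checks the model skipped, pinning and comparing installed versions against known fixes, are mechanical. The script below is an added example (not code from the original post or from any real tool) that walks a constructed package.json and a simplified, lockfile-style dependency tree, flags any package installed below an advisory's fixed version, reports which top-level dependency pulled it in, and lists unpinned specs. The advisory entry for lodash uses the page's 4.17.12 fix and deliberately omits the CVE identifier.

```javascript
// Constructed sample data (not from a real project): a package.json and a
// simplified lockfile-style tree with one transitive dependency.
const packageJson = {
  dependencies: { "markdown-widget": "^2.3.0", lodash: "4.17.11" },
};
const lockfile = {
  dependencies: {
    "markdown-widget": { version: "2.3.0", requires: { lodash: "^4.17.0" } },
    lodash: { version: "4.17.11" },
  },
};
// Constructed advisory list: lodash prototype pollution, fixed in 4.17.12
// (identifier omitted; a real audit pulls this from an advisory feed).
const advisories = [
  { name: "lodash", fixedIn: "4.17.12", summary: "prototype pollution" },
];

// A spec like "^4.17.0" or "*" lets a fresh install pick a version you never tested.
const EXACT = /^\d+\.\d+\.\d+$/;
function isPinned(spec) { return EXACT.test(spec); }

// Numeric major.minor.patch comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every installed package below an advisory's fix, plus how it got into the
// tree: listed directly in package.json and/or required by another package.
function auditLockfile(pkg, lock, advs) {
  const deps = lock.dependencies, findings = [];
  for (const adv of advs) {
    const entry = deps[adv.name];
    if (!entry || compareVersions(entry.version, adv.fixedIn) >= 0) continue;
    const via = [];
    if (adv.name in pkg.dependencies) via.push("package.json (direct)");
    for (const [parent, d] of Object.entries(deps))
      if (d.requires && adv.name in d.requires) via.push(parent);
    findings.push({ name: adv.name, installed: entry.version, fixedIn: adv.fixedIn, summary: adv.summary, via });
  }
  return findings;
}

// Names of direct dependencies whose spec is a range rather than an exact version.
function unpinnedDeps(pkg) {
  return Object.entries(pkg.dependencies).filter(([, spec]) => !isPinned(spec)).map(([n]) => n);
}

for (const f of auditLockfile(packageJson, lockfile, advisories))
  console.log(`${f.name}@${f.installed}: ${f.summary}, fixed in ${f.fixedIn} (via ${f.via.join(", ")})`);
console.log("unpinned:", unpinnedDeps(packageJson));
```

Note that the transitive range `^4.17.0` would already be satisfied by 4.17.12; the lockfile is what keeps the old version installed until someone updates it.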
How it gets exploited
The attacker runs a scanner against your deployed app and reads the response headers.