What coding?”

Vibe-coding is the cute term for using genAI systems to create, debug, or update programming code. People can use it without knowing how to write a line of code themselves.

What this means: Lots of people are generating code they don’t understand. It’s not just developers using these tools to code faster; for example, it’s school teachers writing their own grading systems. Of course, developers can also use it to move faster; it’s not reserved for non-nerds.

What’s happening with this now?

With the recent surge in the use of Anthropic’s Claude genAI tools, including its Code functionality, I’m starting to see buzz that sounds like: “Why should we pay for SaaS solutions anymore when we can just vibe-code them?”

First, I want to be clear: I love the democratization of tech. Democratization is a huge unlock for folks who want to create but don’t know code. But there is a hard line between small process improvements or personal projects versus replacing major business applications like commerce solutions — at least for now.

Why is vibe-coding so appealing to replace vendor solutions?

Businesses are actively looking for ways to rein in costs across their operations — and the costs of SaaS solutions can become prohibitive. Financial burdens increase as commerce tech ecosystems expand, often assembled from an increasing number of separate solutions, and every digital selling channel takes its own slice of the profit pie.

It can also be slow to wait for vendors’ professional services teams, or third-party services providers, to make requested changes. Understandably, it’s appealing for digital businesses to want to take this into their own hands.

But there are hidden costs of DIY, mainly in the expertise and protections we lose if we remove vendor solutions entirely.

Why can’t we vibe-code our way to commerce solutions?

Software vendors keep their clients current as trends and expectations shift. Commerce tech vendors bring some things to the table that code alone doesn’t:

  1. Domain expertise
  2. Best practices in execution
  3. Security and compliance
  4. Accountability for issues/support
  5. Perpetual pattern of improvement

Maintenance over time is the biggest issue with home-grown tech solutions. We see it repeatedly: a digital business with strong technical bench depth builds a custom solution. At first, it’s powerful, effective, and customized to their needs. Over time, it increasingly falls behind market solutions (e.g., due to evolving standards, trending experiences, budget allocations, emerging security issues, regulation, etc.), whereas software vendors are singularly focused on evolving their solutions. That perpetual pattern of improvement (for vendors that successfully demonstrate it) creates a differentiated culture in software management.

What are the specific risks for vibe-coding around security and compliance?

I brought in Forrester experts to explain this crucial point.

“In a market where retailers are experiencing heightened risk and volatility — and most commerce teams still struggle with basic third-party risk hygiene — trying to vibe-code your commerce app is like pouring jet fuel near a flame. You’re layering opaque AI-generated code, fragile dependencies, and unclear data flows onto vendors that haven’t been fully vetted for third-party risk. The combination doesn’t just increase complexity; it amplifies the blast radius when something inevitably goes wrong.”
      — Alla Valente, principal analyst, covering third-party risk and AI regulations

“Vibe-coding can feel like magic, but e-commerce demands uncompromising security, where a single data breach can result in lost revenue, hefty fines, and irreparable damage to customer trust. While AI accelerates the coding process, studies reveal that it often produces code with critical flaws such as exposed credentials, insecure dependencies, and insufficient validation. The code may function, but it falls far short of being production-ready. Transforming prototypes into secure, deployable solutions requires robust guardrails like secure-by-design principles, automated security testing, and knowledgeable human oversight.”
      — Janet Worthington, senior analyst, covering agentic development security, DevSecOps, and software supply chain security

“Regardless of how you develop an e-commerce site, you need the right web application protection tools. While vibe-coding may seem attractive because of speed, development and security leaders still need to understand the application attack surface and implement the right controls (such as web application firewalls, bot and agent trust management, and API security) at the right endpoints. Failure to do so exposes an e-commerce site to any number of application attacks.”
      — Sandy Carielli, VP and principal analyst, covering application security

There is a potential future, however, in which vibe-coding commerce becomes a real possibility.

In order for this practice to become mainstream, it’s the vendors themselves that must enable it. In fact, they might offer the perfect balance of expertise and protections, with the flexibility to extend the solution with vibe-coded customizations.

Another brilliant colleague of ours shows us the way.

“The value of vibe-coding is that you are free to differentiate how you want, unbeholden to the constraints imposed by the software vendor’s product design. That sounds great, except for highly regulated areas where you have no choice how to do things. My expectation is that commerce vendors will evolve into vibe-coding platforms. They will provide APIs for capabilities like PCI-compliant payments that shouldn’t be vibe-coded. And they will provide coding agents that understand the commerce domain and know how to assemble their APIs where appropriate. So yes, you will be able to vibe-code a commerce solution — once the commerce solutions offer vibe-coding!”
      — David Mooter, principal analyst, covering APIs and integration

Where does this leave vibe-coders now?

I began coding in HTML when the language was still so young that it was limited to text, images, colors, and links. I learned each new addition as it came out, like tables, includes, and style sheets. The benefit of learning incrementally made it much easier than it would have been to jump in later and have to catch up on the fundamentals and all the complexities at once.

Similarly, the opportunity to start “on the ground floor” with vibe-coding might just give folks a deeper understanding of how it all works. If you don’t know Python code, you can ask Claude to generate some for you, run it to test if it functions as expected, and adjust it to your specifications. It will provide a beneficial view of how the code works. Unfortunately, as the systems get better, humans may need to intervene less — and therefore will see less of how the sausage is made.

Honing this new skill now will enable people to prepare for the potential future of come. If in fact commerce solutions vendors do become vibe-coding platforms that provide the necessary safeguards along with the endless flexibility at the speed of vibe-coding, those who start to learn now will be ready then.
