Problems with Lovable applications
First of all, Lovable—the AI-powered full-stack app builder—is amazing! If you had told me five years ago that complex working applications could be built with simple text prompts then I would have stopped listening. Saying that though, I wouldn't use Lovable for a production application or website. Let me try and explain why.
I am a purposely slow adopter of AI for coding. My years of web development have taught me that if I do things the right way, slow as they may be, then I will avoid complications in the future. If I take shortcuts and don't think hard about the solutions then issues are likely to surface someday. If I ignore these issues and keep building on top of a shaky foundation then the project is inevitably going to need a total rebuild. This is how I look at Lovable too.
AI agents are mind-blowingly good at finding ways to solve problems and add features autonomously. They spew out good looking code effortlessly; code that would take a more traditional developer much longer to write. It's a painstaking task for us mere humans to review all of this newly generated AI code, but as long as it works then who cares right? Wrong!
When a vibe-coder, or a Lovable user, interacts with AI they usually stop when they are happy with what they see on screen, and commit the change to the project. They don't look at the underlying code because, like most people, they don't understand it, but this code is doing lots of things that cannot be seen on the front-end. What if important data is silently being erased or modified? What if API endpoints are wide-open and exposing full access to your database? What if payments aren't quite the correct amounts or frequency and nobody notices? AI-generated code already has a reputation for creating security vulnerabilities and scalability limitations. Check out reddit.com for thousands of similar stories about how a vibe-coder's app was immediately hacked after launch, or how their production database completely disappeared. Sometimes these issues become apparent very quickly, sometimes they will go unnoticed for years.
The lucky vibe-coder might have been runnable their Lovable application relatively smoothly for a couple of years and built up a solid user base of a few hundred or a few thousands users, but now something goes really wrong. They hire an experienced developer to look at it but not even they can fix the problem, or when they do, something else breaks. On close inspection the code is spaghetti and there are thousands of lines that seem to do nothing. Even the best human developer cannot understand the AI generated code. The AI can't understand it either, and it never really could, it was just mimicking code it had been trained on. It was fine to make these mistakes when the application has no users but now we have thousands of customers who cannot access the service that they paid for, and their data is being extracted by bots and malicious actors. The only option is to pull the plug, issue refunds and hope that you're not legally liable for damages.
This is a typical "old-school developer" premonition of doom for vibe-coded and Lovable applications. Maybe someday soon Lovable will take all of this into consideration and protect against the worst scenarios. For the moment, I cannot recommend that anyone continue with a Lovable or vibe-coded project, unless it is purely for personal use.
Lovable amazes me and it has earned its place in the web development mix, but I recommend only using it for prototypes, or to test a new application on a limited audience. Use it wisely and rebuild on a solid foundation as soon as your budget allows.
I am currently researching the best and most cost-effective ways to convert Lovable applications to my framework of choice — Laravel. Get in touch if you would like me to look at your project.