ATechGuy 3 days ago

What about packages that are not "flagged"? There could be hallucinations when deciding to (or not) "flag packages".

orbital-decay 3 days ago | parent [-]

>What about packages that are not "flagged"?

You can't catch everything with normal static analysis either. An LLM just produces some additional signal in this case; false negatives can be tolerated.

ATechGuy 3 days ago | parent [-]

static analysis DOES NOT hallucinate.

tripzilch a day ago | parent | next [-]

Well, you've never had a non-spam email end up in your spam folder, or the other way around?

When static analysis does it, it's called a "misclassification".

Twirrim 3 days ago | parent | prev [-]

So what? They're not replacing standard tooling like static analysis with it. As they mention, it's being used as additional signal alongside static analysis.

There are cases an LLM may be able to catch that their static analysis can't currently catch. Should they just completely ignore those scenarios, thereby doing the worst thing by their customers, just to stay purist?

What is the worst-case scenario that you're envisioning from an LLM hallucinating in this use case? To me the worst case is that it might incorrectly flag a package as malicious, which, given they do a human review anyway, isn't the end of the world. On the flip side, you've got an LLM catching cases not yet recognised by static analysis, which can then be accounted for in the future.

If they were just using an LLM, I might share similar concerns, but they're not.