progx 6 days ago

That doesn't really solve the problem.

A better (not perfect) solution: every package should be analysed by AI on an update before it is publicly available, to detect dangerous code and set a rating.

In package.json a rating should be defined; when the remote package is below that value it could be updated, if it is higher a warning should appear.

But this will cost, though I hope that companies like GitHub etc. will allow package repositories to use their services for free. Or we should find a way to distribute this service to us (the users and devs), like a BOINC client.
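As an added illustration of the threshold check proposed above (not code from the thread or from npm), the following script assumes a hypothetical `maxRiskRating` field in package.json and a registry that publishes a numeric danger rating per package version; the ratings and dependencies are a constructed sample. It also handles the case the proposal leaves open: a version with no rating yet is held for review rather than installed.

```javascript
// Added example, not from the original thread.
// Assumed: a hypothetical "maxRiskRating" field in package.json, and a
// rating service that scores each published version (higher = more dangerous).

// Constructed sample package.json (the "maxRiskRating" field is hypothetical).
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  maxRiskRating: 4,
  dependencies: { "left-pad": "^1.3.0", "lodash": "^4.17.21", "brand-new-lib": "^0.1.0" },
};

// Constructed sample of resolved candidate versions an updater wants to install.
const SAMPLE_CANDIDATES = { "left-pad": "1.3.1", "lodash": "4.17.22", "brand-new-lib": "0.1.1" };

// Constructed sample ratings, keyed by "name@version"; not real registry data.
// "brand-new-lib@0.1.1" is deliberately absent: it has not been analysed yet.
const SAMPLE_REGISTRY_RATINGS = {
  "left-pad@1.3.1": 1,
  "lodash@4.17.22": 7,
};

// Used when package.json declares no threshold: be conservative by default.
const DEFAULT_MAX_RISK = 3;

// Decide, per candidate version, whether to update, warn, or hold for human review.
function evaluateUpdates(pkgJson, candidates, ratings) {
  const threshold =
    typeof pkgJson.maxRiskRating === "number" ? pkgJson.maxRiskRating : DEFAULT_MAX_RISK;
  const decisions = {};
  for (const [name, version] of Object.entries(candidates)) {
    const rating = ratings[`${name}@${version}`];
    if (typeof rating !== "number" || Number.isNaN(rating)) {
      // No (or malformed) rating: an unanalysed version must not be auto-installed.
      decisions[name] = { version, rating: null, action: "hold",
        reason: "no analysis rating published yet; wait for review" };
    } else if (rating <= threshold) {
      decisions[name] = { version, rating, action: "update" };
    } else {
      decisions[name] = { version, rating, action: "warn",
        reason: `rating ${rating} exceeds maxRiskRating ${threshold}` };
    }
  }
  return decisions;
}

// Run on the constructed sample and print the per-package decisions.
function demo() {
  const decisions = evaluateUpdates(SAMPLE_PACKAGE_JSON, SAMPLE_CANDIDATES, SAMPLE_REGISTRY_RATINGS);
  for (const [name, d] of Object.entries(decisions)) {
    console.log(`${name}@${d.version}: ${d.action}${d.reason ? " (" + d.reason + ")" : ""}`);
  }
  return decisions;
}
demo();
```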

jonkoops 6 days ago

Ah, yes! The universal and uncheatable LLM! Surely nothing can go wrong.

NitpickLawyer 6 days ago

Perfect is the enemy of good. Current LLM systems + "traditional tools" for scanning can get you pretty far into detecting the low hanging fruit. Hell, I bet even a semantic search with small embedding models could give you a good insight into "what's in the release notes matches what's in the code". Simply flag it for being delayed a few hours, till a human can view it. Or run additional checks.

progx 6 days ago

I can't wait to read about your solution.

orphea 6 days ago

You don't need to be a chef to tell that the soup is too salty.

progx 6 days ago

As I wrote, "not perfect". But better than anything else, or than nothing.

robertlagrant 6 days ago

The Politician's Syllogism[0] is instructive.

[0] https://en.wikipedia.org/wiki/Politician's_syllogism

progx 6 days ago

OK, are we on reddit or facebook now?

I thought we discussed problems and possible solutions here.

My fault.

rpdillon 5 days ago

I'm not sure why everyone is so hostile. Your idea has merit, along the lines of a heuristic that you trigger a human review as a follow-up. I'd be surprised if this isn't exactly the direction things go, although I don't think the tools will be given for free, but rather made part of the platform itself, or perhaps as an add-on service.

robertlagrant 6 days ago

I don't think "we should use AI to solve this" is a solution proposal.

6 days ago
[deleted]

6 days ago
[deleted]

philipwhiuk 5 days ago

A better solution is restricting package permissions.