Exactly. When you assume blob-util to be a utility library that has been in use for quite a while by many people in many different contexts, hasn't seen much changes and just "works", IMHO the risk of weird bugs is a lot larger with LLM-generated code. Code generated by LLM's often have the problem that the code seems logical, but then contain weird bugs that aren't immediately obvious.

This mostly sounds like a good thing to me from a utilitarian standpoint. Getting all your utility classes from somewhere like npm and creating dependencies on 20 different people and organizations who may or may not maintain their software has been a security nightmare with many highly public examples. If a LLM writes a utility class for me then my supply chain is smaller, meaning less surface area to attack plus I probably benefit from some form of security through obscurity for whatever non-trivial amount that's worth. "Downside" is I don't have some rando, probably unpaid labor out there updating a piece of my app for me...

It's not a new thing either, many years ago there was already the debate whether you should trust utility code copied from SO or use an NPM library. In fact, I'm 99% confident that the slew of single function NPM libraries became a thing because of that mindset.

The proper way to do it, would be to have an industry standard on the default things people blindly but massivly pull through dependencies.

I also don't get how code can be so massivly inefficient. left-pad needs 9kb to download and the code is a handful of lines: https://www.npmjs.com/package/left-pad?activeTab=code

If my unit tests run through, i don't have 'unproven' code. I have well working code which doesn't need to go through a dependency hell upgrade cycle just because one function in that lib, i don't use, has some CVE too high to be ignored.

> or a spammer where your incentives have probably increased.

Slight pushback on this. The web has been spammed with subpar tutorials for ages now. The kind of medium "articles" that are nothing more than "getting started" steps + slop that got popular circa 2017-2019 is imo worse than the listy-boldy-emojy-filled articles that the LLMs come up with. So nothing gained, nothing lost imo. You still have to learn how to skim and get signals quickly.

I'd actually argue that now it's easier to winnow the slop. I can point my cc running in a devcontainer to a "tutorial" or lib / git repo and say something like "implement this as an example covering x and y, success condition is this and that, I want it to work like this, etc.", and come back and see if it works. It's like a litmus test of a tutorial/approach/repo. Can my cc understand it? Then it'll be worth my time looking into it. If it can't, well, find a different one.

I think we're seeing the "low hanging fruit" of slop right now, and there's an overcorrection of attitude against "AI". But I also see that I get more and more workflows working for me, more or less tailored, more or less adapted for me and my uses. That's cool. And it's powered by the same underlying tech.

I was searching a specific niche on Youtube today, and scrolled endlessly trying to find something that wasn't AI generated. Youtube is being completely spammed.

> We are entering the era of cheap spam of everything with little incentive for quality

Correction -- sadly, we're already well within this era

But some webdev said they are 10x faster now so it cant be bad for humanity /s

Quick! Tell me what this does or you're not a real programmer, not a craftsman, and are a total hack who understands nothing about quality (may not even be a good person, want to lay off bread-and-butter red-blooded american programmers)

.global main

.text

main:

mflr 27

mr 13,3

mr 14,4

addi 3,3,48

bl putchar

li 3,10

bl putchar

next:

lwz 3,0(14)

bl puts

addi 14,14,4

addi 13,13,-1

cmpwi 13,0

bgt next

lis 3,zone@ha

addi 3,3,zone@l

bl puts

mtlr 27

mr 3,13

blr

.data

.align 2

zone:

.string "Bonjour"

The best outcome was things like jquery and then lodash where a whole collection of small util functions get rolled in to one package.

> Now that both have dried up

They have??

And is it not going to be orders of magnitude worse with the vibe-coded crud hitting the internet?

Your first sentence cheers that we're moving from NPM micropackages to LLM-generated code, and then you say this will result in people having to learn to code again.

I don't see how the conclusion follows from this.

There will be many LLM-generated functions purporting to do the same thing, and a bug in one of them that gets fixed means only one project gets fixed instead of every project using an NPM package as a dependency.

I don't quite understand your argument. Wasn't the post about how users might replace transparent dependencies with transparent LLM drop-ins? I don't see how having an LLM to do the same job would enable someone to learn more. They're probably the kind of person who will ask the LLM to perform a refactor when problems arise, so they won't learn that much through osmosis.

Now you got vibe coder

But as Go puts it:

“A little copying is better than a little dependency.”

https://go-proverbs.github.io/

> since languages like Go never had this dependency hell

What is the feature of Go that this is referring to?

True innovation will come from open source for sure. As the developers don't have the same economic incentives to be "safe", "ethical" "profitable" or whatever. large corporations know this and fear this development. That's why i expect a significant lobbying to take hold in USA that will try and make local AI systems illegal. And I think they will be very convincing to the government. Because the government also fears the "peasants" and giving them any true semblance of real AGI like systems. I bet very soon we will start seeing various classifications that will define what is legal and what is not for a citizen to possess or use.

> It’s posed to get significantly stronger

It's really not. Every project of any significance is now fending off AI submissions from people who have not the slightest fucking clue about what is involved in working on long-running, difficult projects or how offensive it is to just slather some slop on a bug report and demand it is given scrutiny.

Even at the 10,000 feet view it has wasted people's time because they have to sit down and have a policy discussion about whether to accept AI submissions, which involves people reheating a lot of anecdotal claims about productivity.

Having learned a bit about how to write compilers I know enough to know that I can guarantee you that an AI cannot help you solve the difficult problems that compiler-building tools and existing libraries cannot solve.

It's the same as it is with any topic: the tools exist and they could be improved, but instead we have people shoehorning AI bollocks into everything.

Vendoring dependencies is how I remember doing it for web projects pre-NPM. Find an open source, well tested library and copy the source into your project.

You have to manually update for any releases you care about, but that is also an incentive to keep dependency count low.

Why aren't those tiny header file libraries just part of the standard C library?

Wait sorry, I don't mean that. I read too many bog-standard HN comments about NPM above.

What's your copy& paste solution to security updates?

I keep seeing this attitude and I don't really understand it at all; there's no upside to publishing open source work because it might be utilized by more people, is that correct?

Or is it the attribution? There are many many libraries I have used and continue to use and I don't know the author's internet handle or Christian name. Does that matter? Why?

I have written a lot of code that my name is no longer attached to. I don't care and I don't know why anyone does. If it were valuable I would have made more money off of it in the first place, and I don't have the ego to just care that people know it's my code either.

I want the things I do today to have an upside for people in the future. If that means I write code that gets incorporated into a model that people use to build things N number of years from now, that's great. That's awesome. Why the hell is that apparently so demotivating to some people?

Sorry but source-available is probably going to get slurped up for training data as well

Microsoft already did this for all code in every public repo.

You're not obligated to give away your mind for free. You're free to share, of course. But sharing implies reciprocity, a back and forth. The internet used to be like that, but if the environment changes, you adapt your behavior accordingly.

In the long run I think it's time to starve the system from input until it's attitude reverts to reciprocal. It's not what I'd want, but it seems necessary. People learn from consequences, not from words alone

Staying true to free software principles. It's unethical to publish nonfree code or binaries.

This is kinda how I've felt for months. I don't have any interest in continuing existing open source projects and don't want to create any new ones.

What's the point?

All of my personal projects for the past few months have been entirely private, I don't even host them on Github anymore, I have a private Forgejo instance I use instead.

I also don't trust any new open source project I stumble upon anymore unless I know it was started at least a year ago.

> It gives people visibility while setting clearer boundaries on how the work can be used.

... Because those would be respected?

Yeah if I find some (small) unmaintained code I need, I will just copy it (then add in my metrics and logging standards :)

It shouldn't be a radical idea, it is how science overall works.

Also, as per the educational side, I find in modern software ecosystem, I don't want to learn everything. Excellent new things or dominantly popular new things, sure, but there are a lot of branching paths of what to learn next, and having Claude code whip up a good enough solution is fine and lets me focus on less, more deeply.

(Note: I tried leaving this comment on the blog but my phone keyboard never opened despite a lot of clicking, and on mastodon but hit the length limit).

A copyleft license is much better because it ensures that it will remain open and in most cases large companies won't use it, making sure they will have to shell out the money to hire someone to do it instead.

Yep. Even just sharing code with any license is valuable. Much I have learned from reading an implementation of code I have never run even once. Solutions to tough problems are an under-recognized form of generosity.

This is a point where the lack of alignment between the free beer crowd and those they depend on is all too clear. The free beer enthusiast cannot imagine benefiting from anything other than a finished work. They are concerned about the efficient use of scarce development bandwidth without consciousness of why it is scarce or that it is not theirs to direct. They view solutions without a hot package cache as a form of waste, oblivious to how such solutions expedite the development of all other tools they depend on, commercial or free.

I do agree with this, but there are some caveats. At the end of the day it is time people invest into a project. And that is often unpaid time.

Now, that does not mean it has no value, but it is a trade-off. After about 14 years, for instance, I retired permanently from rubygems.org in 2024 due to the 100k download limit (and now I wouldn't use it after the shameful moves RubyCentral did, as well as the new shiny corporate rules with which I couldn't operate within anyway; it is now a private structure owned by Shopify. Good luck finding people who want to invest their own unpaid spare time into anything tainted by corporations here).

Part of the benefit over a dependency is that the code added will (hopefully) be narrowly tailored to your specific need, rather than the generic implementation from a library that likely has support for unused features.

Not including the unused features both makes the code you are adding easier to read and understand, but it also may be more efficient for your specific use case, since you don't have to take into account all the other possible use cases you don't care about.

Right, but you do avoid worries like "will I have to update this dependency every week and deal with breaking changes?" or "will the author be compromised in a supply-chain attack, or do a deliberate protestware attack?" etc. As for performance, a lot of npm packages don't have proper tree-shaking, so you might be taking on extra bloat (or installation cost). Your point is well-taken, though.

Wouldn't call it a risk in itself, but part of the benefit of using a library, a good and tailored one at least, is that it'll get modernised without my intervention. Even if the code produced for you was state-of-the-art at the moment of inclusion, will it remain that way 5 years from now?

> and you just dump it in your project with limited vetting

Well yes there’s your problem. But people have been doing this with random snippets found on the internet for a while now. The truth is that irresponsibles developers will produce irresponsible code, with or without LLMs

I think it's a reference to the Google interview problem that the author of Homebrew (IIRC) failed. They were quite upset about it since they have proved their worth through their famous open-source contributions, but got rejected in a LeetCode-like interview.

It’s probably a mistake on the author’s end, but the problem comes across anyway.

I can only imagine reversing a binary tree would imply changing the “<“ comparison in nodes to “>” which would be a useless exercise

> so the comments are wasted bytes

Is there any modern compiler where the output code has anything to do with the comments in the source?

GitHub gists are probably the best technical option. They come with versioning (I think), and have comment threads.

Earlier this year I wrote an interpreter for a niche, proprietary binary format. Someone asked if I could open source it so that they could (more easily) run it on NixOS. I declined as I'm just that strongly opposed to my work being used to train AI models and further entrench the enshittification of the internet.

Why wouldn't you? Your codebase (if you're a business) exists to make you money, people being able to copy some unknown portions of it without further license if they somehow legally get their hands on a copy of it seems entirely irrelevant.

PS. I think this is much less clear and much less settled law than you are suggesting.

It's more nuanced. If I even have a few lines I can prove are mine, those parts are copywritable in the same way Pride and Prejudice is public domain but pride and prejudice and zombies is copyrighted.

Even worse...unmaintained code. Only the human-written one has a maintainer. The other one plagiariased by AI is instant legacy code

Autocomplete has been around for decades

I think if you dig a little deeper you will find that the answer is not so black and white.

> Reducing dependencies is a wrong success metric. You just end up doing more work yourself

Except it's just not true in many cases because of social systems we've built. If I want to ship software to Debian I have to make sure that every single of my 3rdparty dependencies is registered and packaged as a proper debian package - a lot of time it will take much less work to rewrite some code than to get 25 100-lines-of-code micro-libraries accepted into debian.

"when an LLM costs less, works faster and makes less mistakes"... indeed, but it doesn't follow at all that it's the fate of all programmers _now_... at least in my experience none of these things are true ATM.

So far I've never seen yet a non-programmer release production-grade code using only LLMs. There's just so much to care about (from security, deployments, secret management, event-driven architectures, and a large etc.) that "just" providing a prompt to create an "app" doesn't cut it. You need infra and non-engineers just don't know shit about infra (even if it's 99% managed), you need to deploy your llm-generated code in that infra; that should happen in a ci/cd probably. And what about migrations? Git? Who's setting up the api gateway? I don't mean to say that LLMs don't know how to do that, but you need to instruct them to do so, and even there, they will make silly mistakes and you need to re-instruct them or fix it.

Prompting is just 50% of the work (and the easy part actually). Ask the Head of Product or whoever is there to deploy something valuable to production and maintain it for 6 months while not losing money. It's just not going to happen, not even with truly AGI.

An LLM might be able to replace the majority of the code Sindre Sorhus has put out there, but it's probably a stretch to think that it could replace someone like John Carmack.

Trivial NPM libraries were never needed, but LLMs really are the nail in the coffin for them even when it comes to the most incompetent programmers because now they can literally just ask an LLM to spit out the exact same thing.

He also points out a pointless type check in a type checked language...

Your name is very accurate I must say.