What’s interesting to me about this, reckless as it is, is that the conversation has begun to shift toward balancing LLMs with rigorous methods. These people seem to be selling some kind of AI hype product backed by shoddy engineering, and even they are picking up on the vibe. I think this is a really promising sign for the future.

I've seen companies advertise with LLM generated claims (~Best company for X according to ChatGPT), I've seen (political) discussions being held with LLM opinions as "evidence".

So it's pretty safe to say some (many?) attribute inappropriate credence to LLM outputs. It's eating our minds.

Good PBT code doesn't simply generate values at random, they skew the distributions so that known problematic values are more likely to appear. In JS "__proto__" is a good candidate for strings as shown here, for floating point numbers you'll probably want skew towards generating stuff like infinities, nans, denormals, negative zero and so on. It'll depend on your exact domain.

> most web developers are well aware of the risky parts of the language

In my experience this really isn’t true. Most web developers I know are not familiar (enough) with prototype pollution.

By the way, this isn’t because they are “dumb”. It’s the tool’s fault, not the craftsman’s, in this case. Prototype pollution is complicated and surprising

> most web developers are well aware of the risky parts of the language

I don't think this is true, and I think that's supported by the success of JavaScript: The Good Parts.

It would be unfair to characterise a lack of comprehensive knowledge of JavaScript foot-guns as general incompetence.

> insane false positives SAST scans dump on you

Great LLM use case: Please explain to the box ticking person why these "insane false positives SAST" are false and / or of no consequence.

Don't forget you can use AI to turn a 50 word blog post into a 2,000 word one!