metaltyphoon 5 hours ago

> and similar package ecosystems altogether

Realistically, this is impossible.

baq 4 hours ago

At some point having LLMs spit out libraries for you might be safer than actually downloading them.

morshu9001 4 hours ago

This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.

Eduard 4 hours ago

LLMs will happily copy-paste malware or add it as a dependency.

Muromec 4 hours ago

This kicks the can down the road until we get supply chain attacks through LLM poisoning, like we already do with propaganda.

christophilus 2 hours ago

Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.

I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.