Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLM’s, vendored next to our code using the dependency, cannot be vulnerable since they don’t have cve’s, and therefore they don’t ever have to be maintained.

That’s how deep we are in neoliberal single truth shit now