woeirua, 15 hours ago:
Supply chain attacks are so scary that I think most companies are going to use agents to hard fork their own versions of a lot of these core libraries instead. It wasn't practical before. It's definitely much more doable today.

pglevy, 13 hours ago:
I was thinking about this as a bull case for human developers. Seems if you're worried enough to do this you're not going to have LLMs write the new code.

samuelknight, 5 hours ago:
Large companies already maintain a clone of their packages. Very large ones actually bundle their own build system (Google Bazel, AWS Brazil). If you want to update a package, you have to fetch the sources and update the internal repository. It slows the opportunities for a supply chain attack down to a crawl.
cryptonym, 11 hours ago:
If it becomes a thing, it's just a matter of time for a new class of attacks on LLMs that are blindly trusted with rewriting existing libs.

silverwind, 8 hours ago:
Even better would be to not use so many libs. Most use cases will do fine with native `fetch`.

Levitating, 10 hours ago:
Or just lock to a specific version?
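The version-locking suggestion above, with the check a practitioner would add to it, as an added example that is not from any commenter in the thread: a small audit over a constructed `package.json` and `package-lock.json` that flags dependencies declared as ranges and lock entries with no integrity hash. An exact version only prevents accidental upgrades; the integrity hash is what ties the install to the bytes that were reviewed. The package names, versions and `sha512-…PLACEHOLDER` integrity strings are constructed sample data.

```javascript
// Added example (not from the thread): audit how firmly dependencies are pinned.
// Input is a constructed package.json and package-lock.json (lockfileVersion 3
// layout, where entries are keyed "node_modules/<name>").

// Exact semver: MAJOR.MINOR.PATCH with an optional prerelease tag, no ^ ~ >= etc.
const semverExact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Constructed sample package.json
const packageJson = {
  dependencies: {
    "left-pad": "1.3.0",      // exact pin
    "node-fetch": "^2.6.7",   // caret range: any 2.x >= 2.6.7 may be installed
    "lodash": "~4.17.21"      // tilde range: any 4.17.x >= 4.17.21
  }
};

// Constructed sample package-lock.json; integrity values are placeholders
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER-A" },
    "node_modules/node-fetch": { version: "2.6.7" },   // no integrity field
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-PLACEHOLDER-B" }
  }
};

// Returns one finding per weakness: a range in package.json, a dependency
// absent from the lockfile, or a lock entry without an integrity hash.
function auditPinning(pkg, lock) {
  const findings = [];
  const lockEntries = lock.packages || {};
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!semverExact.test(spec)) {
      findings.push({ name, issue: "range", detail: spec });
    }
    const entry = lockEntries[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: "missing-from-lock" });
    } else if (!entry.integrity) {
      findings.push({ name, issue: "no-integrity", detail: entry.version });
    }
  }
  return findings;
}

// Convenience wrapper over the constructed sample data.
function auditSample() {
  return auditPinning(packageJson, packageLock);
}

for (const f of auditSample()) {
  console.log(`${f.name}: ${f.issue}${f.detail ? ` (${f.detail})` : ""}`);
}
```

Running it with the sample data reports `node-fetch` twice (a range, and no integrity hash) and `lodash` once (a range); `left-pad` passes. In a CI step the same check would fail the build when `findings.length > 0`, which is the point where "lock to a specific version" becomes enforceable rather than a convention.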