the claude code team ethos, as far as i’ve been lead to understand— which i agree with, mind you— is that there is no point in code-reviewing ai-generated code… simply update your spec(s) and regenerate. it is just a completely different way of interacting with the world. but it clearly works for them, so people throwing up their hands should at least take notice of the fact that they are absolutely not competing with traditional code along traditional lines. it may be sucky aesthetically, but they have proven from their velocity that it can be extremely effective. welcome to the New World Order, my friend.

▲

knome 5 hours ago | parent | next [-]

>there is no point in code-reviewing ai-generated code

the idea that you should just blindly trust code you are responsible for without bothering to review it is ludicrous.

▲

jen20 4 hours ago | parent | next [-]

(I mostly agree with you, but) devils advocate: most people already do that with dependencies, so why not move the line even further up?

▲

batshit_beaver 3 hours ago | parent | next [-]

Because you trust that your dependencies are not vibe coded and have been reviewed by humans.

▲

bdangubic 3 hours ago | parent [-]

except they are vibe-or-not coded by some dude in Reno NV who wouldn’t pass a phone screen where you work

	▲	batshit_beaver an hour ago \| parent [-]
		I'd trust that dude over professional leetcoders any day. But you're right that trust is a complicated thing and often misplaced. I think as an industry we're always reevaluating our relationship with OSS, and I'm sure LLMs will affect this relationship in some way. It's too early to tell.

▲

almostdeadguy 3 hours ago | parent | prev [-]

There's a reputational filtering that happens when using dependencies. Stars, downloads, last release, who the developer is, etc.

Yeah we get supply chain attacks (like the axios thing today) with dependencies, but on the whole I think this is much safer than YOLO git-push-force-origin-main-ing some vibe-coded trash that nobody has ever run before.

I also think this isn't really true for the FAANGs, who ostensibly vendor and heavily review many of their dependencies because of the potential impacts they face from them being wrong. For us small potatoes I think "reviewing the code in your repository" is a common sense quality check.

▲

eclipxe 4 hours ago | parent | prev [-]

Why?

▲

fl4regun 3 hours ago | parent [-]

Is this a serious question? If you are handling sensitive information how do you confirm your application is secure and won't leak or expose information to people who shouldn't know it?

▲

lijok 2 hours ago | parent [-]

How do you with classic code?

▲

hallway_monitor an hour ago | parent [-]

Exactly.... -> Unit tests. Integration tests. UI tests. This is how code should be verified no matter the author. Just today I told my team we should not be reading every line of LLM code. Understand the pattern. Read the interesting / complex parts. Read the tests.

	▲	GrinningFool 21 minutes ago \| parent [-]
		But unit and integration tests generally only catch the things you can think of. That leaves a lot of unexplored space in which things can go wrong. Separately, but related - if you offload writing of the tests and writing of the code, how does anybody know what they have other than green tests and coverage numbers?

▲

lanbin 5 hours ago | parent | prev | next [-]

I see. They got unlimited tokens, right?

▲

lqstuart 3 hours ago | parent | prev | next [-]

yes, because who ever heard of an AI leaking passwords or API keys into source code

▲

Salgat 5 hours ago | parent | prev [-]

While the technology is young, bugs are to be expected, but I'm curious what happens when their competitors' mature their product, clean up the bugs and stabilize it, while Claude is still kept in this trap where a certain number of bugs and issues are just a constant fixture due to vibe coding. But hey, maybe they really do achieve AGI and get over the limitations of vibe coding without human involvement.