(I mostly agree with you, but) devils advocate: most people already do that with dependencies, so why not move the line even further up?

▲

batshit_beaver 3 hours ago | parent | next [-]

Because you trust that your dependencies are not vibe coded and have been reviewed by humans.

▲

bdangubic 3 hours ago | parent [-]

except they are vibe-or-not coded by some dude in Reno NV who wouldn’t pass a phone screen where you work

	▲	batshit_beaver an hour ago \| parent [-]
		I'd trust that dude over professional leetcoders any day. But you're right that trust is a complicated thing and often misplaced. I think as an industry we're always reevaluating our relationship with OSS, and I'm sure LLMs will affect this relationship in some way. It's too early to tell.

▲

almostdeadguy 3 hours ago | parent | prev [-]

There's a reputational filtering that happens when using dependencies. Stars, downloads, last release, who the developer is, etc.

Yeah we get supply chain attacks (like the axios thing today) with dependencies, but on the whole I think this is much safer than YOLO git-push-force-origin-main-ing some vibe-coded trash that nobody has ever run before.

I also think this isn't really true for the FAANGs, who ostensibly vendor and heavily review many of their dependencies because of the potential impacts they face from them being wrong. For us small potatoes I think "reviewing the code in your repository" is a common sense quality check.