This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.
LLMs will happily copy-paste malware or add it as a dependency.
This kicks the can down the road until we get supply-chain attacks through LLM poisoning, like we already do with propaganda.
Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.
I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, RPC layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.
Heh, that's if the reviewer actually is a human doing their job and not another AI just waiting for the right keyword to act like a Manchurian candidate.
Or just vendor your deps, like we have been doing for decades.
Still need to read them to make sure you don't vendor a trojan in the first place.
Auditing is the first step in vendoring a dep, by my definition of the practice.