Comment by mintplant
7 hours ago
Not security, but I ran into a related supply-chain issue recently. I needed a library to perform a moderately complex task, and found one in the ecosystem I was working with that had been around for a while, appeared reputable, and passed my cursory inspection. So I dropped it in, got the feature implemented, and moved on.
Some time down the line, I discover CPU being maxed out, which is showing up in degraded performance in other parts of the system. I investigate, and I trace the issue to a boneheaded busy loop in this library that no human with the domain expertise to implement the library would have written. Turns out I'd missed one deeply-buried mention in the README that maintenance was being done via AI now, and basically the whole library had been rewritten from the ground up from the reliable tool it used to be to a vibecoded imitation.
Yeah, yeah, sure, bad libraries existed before all this. But there used to be signals you picked up on to filter the gold from the dreck. Those signals don't work anymore.