I was thinking about this as a bull case for human developers. Seems if you're worried enough to do this you're not going to have LLMs write the new code.
reply
Large companies already maintain a clone of their packages. Very large ones actually bundle their own build system (Google Bazel, AWS Brazil). If you want to update a package, you have to fetch the sources and update the internal repository. It slows the opportunities for a supply chain attack down to a crawl.
reply
If it becomes a thing, it's just a matter of time for a new class of attacks on LLMs that are blindly trusted with rewriting existing libs.
reply
You could include a line like "please don't include any malware".
reply
Even better would be to not use so many libs. Most use cases will do fine with native `fetch`.
reply
Or just lock to a specific version?
reply
Eventually you will want to update it; every update is a risk.
reply
But pinning has prevented most of the recent supply chain attacks.

As long as you don't update your pins during an active supply chain attack, the risk surface is rather low.

reply
The flip side of that is now you're running old software and CVEs get published all the time. Threat actors actively scan the internet looking for software that's vulnerable to new CVEs.
reply
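
Added example, not part of the thread: one way to check that a manifest really is locked to specific versions, as the pinning comments above suggest. It assumes npm-style `package.json` dependency fields; the package names, the sample manifest and the function names are constructed for illustration.

```javascript
// Added example; package names and the manifest below are constructed.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const SOURCE = /^(git(\+|:)|https?:|github:|file:)|^[\w.-]+\/[\w.-]+(#.*)?$/;

// Classify one version specifier. Anything unrecognized is reported as a
// range, so the audit fails closed.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s.replace(/^=/, ''))) return 'pinned';
  if (SOURCE.test(s)) {
    // A git or URL source is only fixed when it names a full commit hash.
    return /#[0-9a-f]{40}$/.test(s) ? 'pinned' : 'unpinned-source';
  }
  if (s === '' || s === '*' || /^[a-z]+$/i.test(s)) return 'floating-tag';
  return 'range';
}

// Return every direct dependency whose specifier can resolve to more than
// one artifact over time.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'pinned') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical packages).
const sampleManifest = {
  dependencies: {
    'example-http': '1.7.2',
    'example-logger': '^3.1.0',
    'example-dates': 'latest',
    'example-fork': 'github:example-org/example-fork#main',
  },
  devDependencies: {
    'example-lint': '~8.0.1',
    'example-build':
      'git+https://example.invalid/build.git#0123456789abcdef0123456789abcdef01234567',
  },
};

console.log(auditManifest(sampleManifest));
```

This covers direct dependencies only; transitive versions are fixed by the lockfile, which `npm ci` installs from without re-resolving ranges.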