upvote

points

by nrengan17 hours ago |
comments
upvoteby throwatdem1231113 hours ago|
next
[-]
Stop blaming the LLM for your laziness and lack of due diligence.
reply
upvoteby zarzavat9 hours ago|
parent|
[-]
Indeed, I also use LLMs to suggest dependencies but:

- I ask the LLM for multiple options

- I tell it what I need and what I don't need

- I then look at the packages it has suggested. Sometimes LLMs suggest unmaintained packages with 5 downloads a month just because it came at the top of a web search.

- if it's not a very well known project, I look at the code, I have received vibecoded dependency suggestions before that don't even function

LLMs are useful resources for "getting the pulse of the ecosystem", but just pressing enter is crazy.

reply
upvoteby moritzwarhier16 hours ago|
prev|
next
[-]
What filter?

You say you rely on CC to suggest software to install from the internet, and then you install it.

I haven't heard anyone suggest CC or any LLM as a "filter" for "is this package safe right now", and it seems like a very bad heuristic to me, not only, but also for the reason you gave.

reply
upvoteby nrengan16 hours ago|
parent|
[-]
Well, people weren't checking CVEs before pip install before CC either, CC just scaled the habit to a larger audience at a faster cadence. The blast radius for day-zero compromises is what changed.
reply
upvoteby ShyCodeGardener31 minutes ago|
parent|
[-]
How has the blast radius changed though? The vibecoders that weren't developers before? If someone switched from pip installing themselves to having Claude do it, I don't see how that increased the blast radius.
reply
upvoteby vovavili2 hours ago|
prev|
next
[-]
This is easily circumvented by not pressing Enter.
reply
upvoteby nulltrace14 hours ago|
prev|
next
[-]
Stale training data is part of it. But even a current model can't tell what setup.py is going to run on your box. Nothing actually inspects the package before it executes. You'd want something that pulls the metadata and checks what hooks are in there before anything runs.
reply
upvoteby ashishbijlani14 hours ago|
parent|
[-]
Built Packj [1] to do exactly this.

1. Packj (https://github.com/ossillate-inc/packj) detects malicious PyPI/NPM/Ruby/PHP/etc. dependencies using behavioral analysis. It uses static+dynamic code analysis to scan for indicators of compromise (e.g., spawning of shell, use of SSH keys, network communication, use of decode+eval, etc). It also checks for several metadata attributes to detect bad actors (e.g., typo squatting).

reply
upvoteby BrenBarn17 hours ago|
prev|
[-]
By "the worst possible filter" do you mean "hitting enter when claude tells you to"?
reply
upvoteby throwawayqqq1117 hours ago|
parent|
[-]
"Sandbox this project before you make no mistakes."
reply