As a corollary, it might also increase the surface of upstream supply-chain atta...

Retr0id · 2025-12-17T06:17:04 1765952224

It's going to be fun if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern. That'll be a lot harder to remediate than "Update dependency xyz"

MangoToupe · 2025-12-17T16:59:22 1765990762

> if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern

how do you distinguish this from injecting a vulnerable dependency to a dependency list?

Retr0id · 2025-12-17T18:36:57 1765996617

You can more easily check for known-vulnerable dependencies

MangoToupe · 2025-12-17T23:39:55 1766014795

Right, but if you can embed bad packages in LLMs, you can surely embed any kind of vulnerability imaginable.

Retr0id · 2025-12-18T00:42:22 1766018542

I'm not thinking about deliberately embedded vulnerabilities, just accidental/emergent ones. The modern equivalent of devs copy-pasting stackoverflow answers that happen to contain SQL injection vulns.

MangoToupe · 2025-12-18T02:37:45 1766025465

Does the distinction make any difference?

Retr0id · 2025-12-18T05:59:10 1766037550

Yes, you'd take different actions to avoid each.