←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 2 comments | 27 Aug 25 01:38 UTC | HN request time: 0s | source
Show context
f311a ◴[27 Aug 25 12:55 UTC] No.45038992[source]
People really need to start thinking twice when adding a new dependency. So many supply chain attacks this year.

This week, I needed to add a progress bar with 8 stats counters to my Go project. I looked at the libraries, and they all had 3000+ lines of code. I asked LLM to write me a simple progress report tracking UI, and it was less than 150 lines. It works as expected, no dependencies needed. It's extremely simple, and everyone can understand the code. It just clears the terminal output and redraws it every second. It is also thread-safe. Took me 25 minutes to integrate it and review the code.

If you don't need a complex stats counter, a simple progress bar is like 30 lines of code as well.

This is a way to go for me now when considering another dependency. We don't have the resources to audit every package update.

replies(17): >>45039115 #>>45039225 #>>45039464 #>>45039724 #>>45039994 #>>45040021 #>>45040056 #>>45040113 #>>45040151 #>>45040162 #>>45040972 #>>45041479 #>>45041745 #>>45044165 #>>45045435 #>>45045983 #>>45052913 #
amelius ◴[27 Aug 25 14:23 UTC] No.45040151[source]
And do you know what type of code the LLM was trained on? How do you know its sources were not compromised?
replies(1): >>45041664 #
1. f311a ◴[27 Aug 25 16:16 UTC] No.45041664[source]
Why do I need to know that if I'm an experienced developer and I know exactly what the code is doing? The code is trivial, just print stuff to stdout along with escape sequences to update output.
replies(1): >>45050219 #
2. amelius ◴[28 Aug 25 09:36 UTC] No.45050219[source]
In this case, yes, but where do you draw the line?