
> and similar package ecosystems altogether

Realistically, this is impossible.



It's really, really not. Just write the libraries yourself. Have a team or two who does that stuff.

And, if you do need a lib because it's too much work, like maybe you have to parse some obscure language, just vendor the package. Read it, test it, make sure it works, and then pin the version. Realistically, you should only have a few dozen packages like this.
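The vendor, read, test, pin workflow from the comment above, as an added example that is not code from this thread: a small Python script that snapshots a sha256 manifest of the audited vendored tree and later reports any file that was modified, added, or removed since the audit. It assumes a layout of `vendor/<name>@<version>/` with a `manifest.json` beside the packages; both the layout and the sample package are constructed for the demo.

```python
"""Record and verify a hash manifest for vendored dependencies.

Assumed layout (not from the thread): vendor/<name>@<version>/ per package,
with vendor/manifest.json recording the sha256 of every audited file so any
drift from the reviewed copy is flagged before it reaches a build.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its sha256 hex digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def write_manifest(vendor_dir: Path) -> Path:
    """Snapshot every package directory; the manifest is committed with the code."""
    manifest = vendor_dir / "manifest.json"
    entries = {p.name: hash_tree(p) for p in vendor_dir.iterdir() if p.is_dir()}
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return manifest


def verify_vendor(vendor_dir: Path) -> dict[str, list[str]]:
    """Diff the current tree against the manifest; all-empty lists mean no drift."""
    expected = json.loads((vendor_dir / "manifest.json").read_text())
    actual = {p.name: hash_tree(p) for p in vendor_dir.iterdir() if p.is_dir()}
    report: dict[str, list[str]] = {"modified": [], "added": [], "missing": []}
    for pkg in sorted(set(expected) | set(actual)):
        want, have = expected.get(pkg, {}), actual.get(pkg, {})
        report["missing"] += [f"{pkg}/{f}" for f in want if f not in have]
        report["added"] += [f"{pkg}/{f}" for f in have if f not in want]
        report["modified"] += [f"{pkg}/{f}" for f in want if f in have and want[f] != have[f]]
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: vendor one package, snapshot it, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        pkg = vendor / "tinyparser@1.4.2"          # hypothetical package name/version
        pkg.mkdir(parents=True)
        (pkg / "index.js").write_text("module.exports = (s) => s.split(',');\n")
        (pkg / "package.json").write_text('{"name":"tinyparser","version":"1.4.2"}\n')
        write_manifest(vendor)
        # Post-audit drift: one file edited, one new file dropped into the package.
        (pkg / "index.js").write_text("module.exports = (s) => s.split(';');\n")
        (pkg / "postinstall.js").write_text("")
        return verify_vendor(vendor)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```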


At some point having LLMs spit out libraries for you might be safer than actually downloading them.


This does help. Even before, I was pretty careful about what I used, not just for security but also simplicity. Nowadays it's even easier to LLM-generate utils that one might've installed a dep for in the past.


LLMs will happily copy-paste malware or add it as a dependency.


This kicks the can down the road until we get supply chain attacks through LLM poisoning, like we already do with propaganda.


Well, he didn’t say vibe code. Presumably, you’d still be reviewing the AI code before committing it.

I ran a little experiment recently, and it does take longer than just pulling in npm dependencies, but not that much longer for my particular project: logging, routing, rpc layer with end-to-end static types, database migrations, and so on. It took me a week to build a realistic, albeit simple app with only a few dependencies (Preact and Zod) running on Bun.


Heh, that's if the reviewer actually is a human doing their job and not another AI just waiting for the right keyword to act like a Manchurian candidate.


Or just vendor your deps like we have been doing for decades.


Still need to read them to make sure you don't vendor a trojan in the first place.


Auditing is the first step in vendoring a dep, by my definition of the practice.



