this post was submitted on 29 May 2026
630 points (98.3% liked)

Technology

85032 readers
3231 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
630
Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code - Ars Technica (arstechnica.com)
submitted 2 days ago by hamburgheftig@feddit.org to c/technology@lemmy.world
153 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] frongt@lemmy.zip 46 points 2 days ago (4 children)

If we all followed that rule, we'd be using nothing more complex than an 8080.

[–] RaphaelSchmitz@feddit.org 12 points 1 day ago

The code YOU run. If your code runs other code, that doesn't fall under this.

"Don't ride a car unless you know how driving a car works" doesn't mean you need to understand the chemical composition of the metal in the motor parts

[–] Cocodapuf@lemmy.world 12 points 1 day ago (1 children)

Well, I think it's legit to use software without understanding the code or use hardware without understanding the specifics of the logical mechanisms of the silicon. But when you're writing software, you really should know what's in your own code. Anything else is bad form in my opinion.

[–] AwesomeLowlander@sh.itjust.works 0 points 1 day ago (1 children)

It's an imported library, since when are devs expected to be inspecting the source code of every library they import?

[–] Cocodapuf@lemmy.world 1 points 1 day ago* (last edited 1 day ago) (3 children)

I don't like to use libraries I don't understand. Probably part why I'm not a professional developer, but it's the principle of the thing - don't put out code you can't vouch for.

I mean, yes, it's way easier to just use the library, trust it works; but by that logic, it's also way easier to just let an llm code for you.

[–] amju_wolf@pawb.social 3 points 1 day ago (1 children)

...but do yoz "understand libraries" by reading every line of their code, or by reading the documentation? And only in the parts you're actually interested in?

[–] Cocodapuf@lemmy.world 1 points 1 day ago

Yeah, a general understanding is enough. But I think yeah, actually skim over the code, at least get a basic idea about how the internal methods work. Depending on what you're using the library for, it could be prudent to know more about how data structures are handled.

Honestly, you'll probably learn something in the process.

[–] AwesomeLowlander@sh.itjust.works 5 points 1 day ago (1 children)

Probably part why I'm not a professional developer, but it's the principle of the thing

There's no 'principle' here, that's something that simply would not be possible in any sort of large project. To suggest all professional software developers read every line of every library before using it is ridiculously unworkable.

[–] mabeledo@lemmy.world -2 points 1 day ago* (last edited 12 hours ago) (1 children)

Libraries can be audited. LLM generated code cannot.

Edit: to clarify, it is impossible to audit all LLM generated code across a number of projects, that would replace a single library. It simply won’t happen, because there will always be a non trivial number of users who will copy and paste code without inspecting it. In contrast, widely used open source libraries may be audited by a small subset of their users, and the rest would benefit from that.

[–] Jakeroxs@sh.itjust.works 3 points 1 day ago* (last edited 1 day ago) (1 children)

Yes it can, its literally still code.

[–] mabeledo@lemmy.world 0 points 1 day ago (1 children)

I know it’s code. You are missing the point.

Any library with a critical user mass is auditable, because a fraction of those users would take the time to do so, whereas all LLM generated variations of the same library cannot and will never be auditable.

[–] Jakeroxs@sh.itjust.works 1 points 1 day ago (1 children)

That's literally not what you said, you said "LLM code can not be auditable" which is demonstrably wrong.

Go ahead and move the goal posts though.

[–] mabeledo@lemmy.world 0 points 1 day ago* (last edited 22 hours ago)

You missed the context. I don’t blame you.

Tell me how in hell are you going to audit every single variation of code generated by a LLM, that's equivalent to a whole library. I'll wait.

[–] this@sh.itjust.works 19 points 2 days ago (1 children)

True, but I would think developers should at least be following it with the code they're actually working on.

[–] AwesomeLowlander@sh.itjust.works -1 points 1 day ago (2 children)

It's an imported library, since when are devs expected to be inspecting the source code of every library they import?

[–] yessikg@fedia.io 3 points 23 hours ago (1 children)

Since forever? Don't you do security audits on the libraries you use?

[–] AwesomeLowlander@sh.itjust.works 1 points 19 hours ago

One person from the team, maybe. You don't have every single dev read every line of code in the libraries, which is what is being specified here

[–] sakuraba@lemmy.ml 5 points 1 day ago

it used to be a thing but javascript npm brainrot happened