Generating dependencies is a huge weak point of AI right now. Version numbers are typically made up or very out of date at best. I just assume they’re wrong from the start now.
I can’t imagine how a “black box” that is AI can ever be anything but a security risk. Compounding the problem are lazy developers that push code that they do not fully understand.
But it’s sTaTiStiCaLlY ReLeVaNt…
The only way to mitigate this risk is to verify package names manually and never assume a package mentioned in an AI-generated code snippet is real or safe.
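One way to put that verification into a repeatable check, as an added example that is not part of this thread: parse the dependency pins from an AI-generated requirements file and compare every name and pinned version against a known index (here a constructed stand-in dictionary; in practice an offline mirror or an organisation's allow-list would supply it), flagging packages that do not exist and versions that were never published. The `KNOWN_INDEX` contents and the `SAMPLE_REQUIREMENTS` text are constructed for illustration.

```python
import re

# PEP 503 normalisation: package names compare case-insensitively and
# '-', '_' and '.' are interchangeable, so "PyYAML" and "pyyaml" are one name.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed stand-in for a package index (assumption: in real use this
# comes from a vetted mirror or allow-list, never from the AI output itself).
KNOWN_INDEX = {
    "requests": {"2.31.0", "2.32.3"},
    "pyyaml": {"6.0", "6.0.1"},
}

# name, optional comparison operator, optional version (extras/markers ignored)
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|>|<)\s*([^\s;#]+))?"
)

def check_requirements(text: str, index=KNOWN_INDEX) -> list:
    """Return (requirement, status) pairs; status is one of
    'ok', 'unknown-package', 'unknown-version' or 'unparsable'."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or line.startswith("-"):  # skip pip options like -r, -e
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparsable"))
            continue
        name, op, version = m.groups()
        key = normalize(name)
        if key not in index:
            findings.append((line, "unknown-package"))   # likely hallucinated
        elif op == "==" and version not in index[key]:
            findings.append((line, "unknown-version"))   # pin never published
        else:
            findings.append((line, "ok"))
    return findings

# Constructed sample of what an AI-generated requirements file might contain.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
PyYAML==6.0.5            # version that does not exist in the index (constructed)
requests-oauth-helper>=1.0   # package name not in the index (constructed)
"""

if __name__ == "__main__":
    for req, status in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:16} {req}")
```

Anything reported as `unknown-package` or `unknown-version` should be resolved by hand against the real index before the file is installed, which is exactly the manual check the comment describes.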
We’re doomed