Ken Franqueiro3d ago

Realizing that npm, yarn berry, and pnpm are all LLM-tainted at this point:

npm has accepted code from cursor (as of 11.10.1)

yarn berry has accepted code from cursor (as of 4.13.0) and copilot (as of 4.9.3)

pnpm has accepted code from claude (as of 10.32.0 and 11 alpha/beta) and also seems to use copilot for reviews, including code suggestions.

In all 3 cases, this seems to have largely started or escalated in the past month. In quite a few instances it seems to be related to a person's first contribution to the repo.

Guess I'm putting "The supply-chain attack is coming from inside the package manager!" on my tech industry hellscape bingo card

(I tried to determine first versions affected by searching release notes or digging through the oldest PRs/commits I could clearly identify. I could very well have missed things.)

Show threadKen Franqueiro3d ago

And of course node, deno, and bun have all had LLM-generated contributions as well so basically everything is screwed and I should just throw the computer into the sea

(Upon closer inspection, node seems the least tainted out of the three so far from what I can tell; mainly involves extremely recent doc commits to main by one person, and one LLM-assisted PR in January which landed in 24.14.0)

Show thread👾 Attila Gonda3d ago
@kgf to be fair bun had problematic views before accepting LLM contributions, and deno is about to fade away, so there's only the illusion of choice on the runtime front.
Show threadKen Franqueiro3d ago

@pcdevil Yeah, I include bun on the list for completeness but bun being into LLMs is very "water is wet, film at 11" given they were acquired by Anthropic, and they'd already been on the ethics shitlist since basically square one with "don't work here if you like work-life balance"

Deno's recent pattern of LLM reliance is also unsurprising given obnoxious things Ryan Dahl has said recently, and a few AI-bro articles on their blog in the past year. Surprised LLM-generated code didn't land in their repo (at least clearly visibly) sooner.

Show thread👾 Attila Gonda3d ago
@kgf I think it's deceptive to not see claude as coauthor for commits. my ex-coworkers were pushing slop more than a 1.5 years ago, and only admitting it when called out how blatantly stupid the implementation was, so it's very hard to judge what's tainted and what is not 😞
Show threadKen Franqueiro
@pcdevil Yeah, the overall state is probably way worse than what is clearly labeled. And presumably some "maintainers" know that the attribution makes them look bad and so they actively hide it. Or even retroactively hide it when they are called out, like what happened with lutris...
Mar 20 at 4:35pmWeb
Show thread👾 Attila Gonda2d ago

@kgf yeah, it's very easy to rewrite git history to change the message (/ remove a co-author).. I can even imagine a pre-push hook that does it so there's no mistake made by the engineers. (disgusting)

I didn't follow lutris, what happened there?

Show threadKen Franqueiro2d ago

@pcdevil

Original issue: https://github.com/lutris/lutris/issues/6506

Follow-up discussion: https://github.com/lutris/lutris/discussions/6528

is lutris slop now · Issue #6506 · lutris/lutris

i can't help but notice quite a lot of LLM generated commits, is lutris slop now or will @strycore see the error of their ways

GitHub
Show threadcambria2d ago

@kgf
Relevant too, the "authored by Claude" tag will now be removed to obfuscate what is slop. But according to the contributor and some boot lickers this is totally fine.

https://github.com/lutris/lutris/issues/6538#issuecomment-4042182270

@pcdevil

Show threadKen Franqueiro1d ago
@cambria @pcdevil Indeed, that's what I was referring to with "retroactively hide it when they are called out"
Show thread👾 Attila Gonda1d ago

@kgf @cambria

"I understand the concern but in my case, the line between human written and AI generated are really blurry." - they don't even realise this is also concern?

"I have very loose views on copyright laws" - yeah, it shows buddy, you're more than happy to integrate the plagiarism machine into your everyday workflow...

thanks for the links for both though!
(now I remember reading something because their avatar is familiar but didn't remember the subject at all)