[progx]

That solve not really the problem.

A better (not perfect) solution: Every package should by AI analysed on an update before it is public available, to detect dangerous code and set a rating.

In package.json should be a rating defined, when remote package is below that value it could be updated, if it is higher a warning should appear.

But this will cost, but i hope, that companies like github, etc. will allow package-Repositories to use their services for free. Or we should find a way, to distribute this services to us (the users and devs) like a BOINC-Client.

[jonkoops]

Ah, yes! The universal and uncheatable LLM! Surely nothing can go wrong.

[NitpickLawyer]

Perfect is the enemy of good. Current LLM systems + "traditional tools" for scanning can get you pretty far into detecting the low hanging fruit. Hell, I bet even a semantic search with small embedding models could give you a good insight into "what's in the release notes matches what's in the code". Simply flag it for being delayed a few hours, till a human can view it. Or run additional checks.

[progx]

I can't wait to read about your solution.

[orphea]

You don't need to be a chef to tell that the soup is too salty.

[progx]

As i wrote "not perfect". But better than anything else or nothing.

[robertlagrant]

The Politician's Syllogism[0] is instructive.

[0] https://en.wikipedia.org/wiki/Politician's_syllogism

[progx]

OK, we are here now on reddit or facebook?

I thought we discuss here problems and possible solutions.

My fault.

[rpdillon]

I'm not sure why everyone is so hostile. Your idea has merit, along the lines of a heuristic that you trigger a human review as a follow-up. I'd be surprised if this isn't exactly the direction things go, although I don't think the tools will be given for free, but rather made part of the platform itself, or perhaps as an add-on service.

[robertlagrant]

I don't think "we should use AI to solve this" is a solution proposal.

[philipwhiuk]

A better solution is restricting package permissions.