|
|
|
|
|
|
by newexpand
95 days ago
|
|
|
The attack chain you described highlights a gap that most teams overlook: AI-generated code passes functional tests but skips the "why this version?" review that experienced developers do instinctively. I think the real issue is visibility. When AI generates a project, every dependency choice is implicit — there's no PR comment explaining why it pinned next@14.1.0 instead of 14.2.1. In a human workflow, someone would have caught that during review. Two things that have helped in my workflow:
1. Running `npm audit` as a post-generation step before even testing functionality
2. Treating AI-generated commits as "untrusted by default" — reviewing them with the same rigor as external contributor PRs |
|
|
That’s why I think continuous monitoring and centralized pentesting are essential — not just at merge time, but throughout the lifecycle of AI-generated projects.