Nice reusable libraries are still a core part of most AI projects, but honestly I think it's not a terrible approach with all the updating dependency malware issues with stuff like NPM.
> I think it's not a terrible approach with all the updating dependency malware issues with stuff like NPM
I think in this instance, the only thing worse than a zero day in your dependency tree, is a zero day you don't know your LLM vendored directly into your codebase...
Personally I feel a vulnerability in local code (unshared AI slop) is much less likely to be exploited than, for say, an npm package update that will pwn you as soon as it loads up.
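The "pwns you as soon as it loads up" failure mode in the comment above is npm's install-time lifecycle hooks (preinstall, install, postinstall, prepare), which run a dependency's shell command during `npm install` before any of your code executes. The scanner below is an added example, not code from any commenter or project: it walks a node_modules tree, reads every package.json, and lists which packages declare such hooks so they can be reviewed before an update is trusted (or so `--ignore-scripts` can be used with an allow-list). The package names and manifests it builds are constructed sample data, not real packages.

```python
"""Added example: list install-time lifecycle hooks across a node_modules tree.

npm runs preinstall/install/postinstall/prepare from a dependency's
package.json at install time. This scanner (not from the thread or any
project) reports every such hook so a reviewer can inspect them before
trusting an update. The sample tree it builds is constructed data.
"""
import json
import os
import tempfile

# Hooks npm executes during installation of a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(root):
    """Return sorted [(package_name, hook, command)] for every package.json under root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        scripts = meta.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        # Fall back to the directory path when a manifest has no "name".
        name = meta.get("name") or os.path.relpath(dirpath, root)
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                found.append((name, hook, cmd))
    return sorted(found)


def build_sample_tree():
    """Construct a fake node_modules tree (sample data, not real packages)."""
    root = tempfile.mkdtemp(prefix="nm_")
    pkgs = {
        # No install hooks: should not be reported.
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
        # Legitimate-looking native build step: still worth a look.
        "native-thing": {"name": "native-thing", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        # Arbitrary script run after install: exactly what a reviewer wants flagged.
        "sketchy-dep": {"name": "sketchy-dep", "version": "0.0.7",
                        "scripts": {"postinstall": "node ./setup.js"}},
    }
    for dname, meta in pkgs.items():
        pkg_dir = os.path.join(root, "node_modules", dname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for pkg, hook, command in find_install_scripts(sample_root):
        print(f"{pkg}: {hook} -> {command}")
```

Run it against a real project with `find_install_scripts("node_modules")`; anything it reports is code that executed on your machine the moment the package was installed, which is the distinction the comment draws against unshared local code that only runs when you call it.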