Anyone scanning published dependencies/packages with AI?
1 points by dpc_pw
It seems to me that with the rise of LLMs, preventing malicious code in dependencies should be much more viable than before.
If someone (probably an institution) could monitor e.g. https://crates.io (and similar registries for other languages), and for every newly published version download it and ask an LLM to review the code and/or the diff against the previous version and flag anything that looks suspicious or out of place, it would make it much harder to introduce malicious code that accomplishes anything actually end-to-end malicious (stealing secrets, etc.). Flagged code could then be reviewed by humans in a crowd-sourced fashion.
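To make the idea concrete, here's a minimal sketch of the diff-and-flag step. Everything here is hypothetical: the LLM review is stubbed out with a crude keyword heuristic, and names like `flag_added_lines` and the `SUSPICIOUS` pattern list are invented for illustration, not part of any real tool.

```python
# Sketch of the proposed pipeline step: diff a new release of a package
# against the previous one, then flag added lines for human review.
# A real system would send the diff to an LLM; here that call is
# replaced by a trivial keyword heuristic (an assumption, not the design).
import difflib

# Hypothetical patterns a reviewer might care about in a Rust crate.
SUSPICIOUS = ("std::net", "std::process::Command", "env::var", "include_bytes!")

def diff_versions(old_src: str, new_src: str) -> list[str]:
    """Unified diff between the previous and the newly published source."""
    return list(difflib.unified_diff(
        old_src.splitlines(), new_src.splitlines(),
        fromfile="prev", tofile="new", lineterm=""))

def flag_added_lines(diff: list[str]) -> list[str]:
    """Stand-in for the LLM review: flag added lines matching crude patterns."""
    return [line[1:].strip() for line in diff
            if line.startswith("+") and not line.startswith("+++")
            and any(pat in line for pat in SUSPICIOUS)]

old = 'fn add(a: u32, b: u32) -> u32 { a + b }\n'
new = old + 'fn phone_home() { let k = std::env::var("API_KEY"); }\n'

flags = flag_added_lines(diff_versions(old, new))
print(flags)  # the injected env-reading line gets flagged
```

The interesting part is that reviewing only the diff between versions keeps the per-release cost small, which is what would make registry-wide scanning affordable.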
Seems like the volume of code published on crates.io isn't even all that huge. Probably more than a $200/mo subscription could handle, but nothing excessive. And some of the AI companies that have greatly benefited from Open Source code must have low-usage times during the day where they could throw a bit of spare capacity at this problem as a way to give back.
Sorry if this is not a novel idea, but I'm trying to figure out whether it has been considered, or maybe someone is doing it already.
I don't do it for all packages out there, but for dependencies I'm pulling in, I use AI-assisted code review before bumping, and validate that what the published package contains matches what is on GitHub.