1 comments

  • sabslikesobs 6 days ago
    I saw this in action when a friend was live-streaming while vibe coding in JavaScript. He noted that dozens of unknown npm packages were installed and running unchecked on his computer (without any containerization, no less). Encouraging AI coding in containers, or with different languages, would help, but JavaScript probably has the most available content.

    Note also that this article climaxes with a "by the way, did you know our product solves this issue...?" ad.

    • feross 6 days ago
      Hi, Socket founder here.

      Running AI coding setups in containers (or even just VMs) seems like a solid default, and I’d love to see tooling move in that direction by default—less as a hard security perimeter, more as a safety net for people trying to move fast.

      Re: the article’s conclusion—I get the skepticism. For what it’s worth, the product came after years of trying to solve the problem of package security and maintainer funding in the open. At some point, it felt like the best way to make a dent was to build something dedicated to it.