The only way to mitigate this risk is to verify package names manually and never assume a package mentioned in an AI-generated code snippet is real or safe.
We’re doomed
I can’t imagine how a “black box” that is AI can ever be anything but a security risk. Compounding the problem are lazy developers that push code that they do not fully understand.
But it’s sTaTiStiCaLlY ReLeVaNt…
Generating dependencies is a huge weak point of AI right now. Version numbers are typically made up or very out of date at best. I just assume they’re wrong from the start now.
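The check the comments above recommend (verify every package name and pinned version from an AI-generated snippet against the real registry before installing anything), written out as an added example that is not part of this thread. It assumes a constructed registry snapshot standing in for a live lookup such as the PyPI JSON API; the snippet, the registry contents and the name `hallucinated-utils` are all made up for the demonstration.

```python
"""Vet dependencies from an AI-generated snippet before installing them.

Added example, not code from the thread. REGISTRY_SNAPSHOT is a constructed
stand-in for querying the package index; in practice replace it with a real
lookup (for PyPI: GET https://pypi.org/pypi/<name>/json) and install nothing
until every line reports "ok".
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed registry snapshot: package name -> versions actually published.
REGISTRY_SNAPSHOT: Dict[str, List[str]] = {
    "requests": ["2.31.0", "2.32.3"],
    "pyyaml": ["6.0", "6.0.1"],
    "numpy": ["1.26.4", "2.0.0"],
}

# Constructed requirements block of the kind an assistant might emit.
# "hallucinated-utils" is a made-up name; "requets" is a typo of "requests".
SAMPLE_SNIPPET = """
requests==2.31.0
PyYAML==6.0.1
hallucinated-utils==1.4.2   # plausible-looking, does not exist in the index
numpy==9.9.9                # real package, invented version
requets==2.31.0             # one letter off a real package
"""

# Only exact pins (name==version) or bare names are accepted; anything else
# (ranges, URLs, extras) is rejected so it cannot slip through unreviewed.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([A-Za-z0-9.+!]+))?$")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of '-', '_', '.' -> '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-misses of known package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, pinned_version_or_None) for each non-empty line."""
    reqs: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed requirement line: {raw!r}")
        reqs.append((m.group(1), m.group(2)))
    return reqs


def check_dependencies(
    text: str, registry: Dict[str, List[str]] = REGISTRY_SNAPSHOT
) -> Dict[str, str]:
    """Classify each requirement as ok, unknown, possible typosquat, or bad version."""
    index = {normalize(k): v for k, v in registry.items()}
    findings: Dict[str, str] = {}
    for name, version in parse_requirements(text):
        key = normalize(name)
        if key not in index:
            near = [k for k in index if edit_distance(key, k) <= 1]
            if near:
                findings[name] = f"possible typosquat of {near[0]}: do not install"
            else:
                findings[name] = "unknown package: not in registry, do not install"
        elif version is not None and version not in index[key]:
            findings[name] = (
                f"version {version} not published (known: {', '.join(index[key])})"
            )
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for pkg, verdict in check_dependencies(SAMPLE_SNIPPET).items():
        print(f"{pkg:20} {verdict}")
```

The two checks that matter most are the unknown-name verdict (a name with no registry entry is exactly what an attacker can register later) and the exact-version check, since a version that was never published is a strong signal the whole line was generated rather than copied from working code. Name normalization matters too: `PyYAML` and `pyyaml` are the same package, and comparing un-normalized names would produce false "unknown" results.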