Does vibe coding risk destroying the Open Source ecosystem? According to a pre-print paper by a number of high-profile researchers, this might indeed be the case based on observed patterns and some…
Eh. I never considered myself some hard-core old professional, but:
The LLM will not interact with the developers of a library or tool, nor submit usable bug reports, or be aware of any potential issues no matter how well-documented
If an LLM introduces a dependency, I will sure as hell go see it myself. Enough people do not do that for this to become a problem?
There’s a term called “dependency hell”. Sure, this one dependency is fine, but it depends on 3 other libraries, those 3 depend on a sum of 7 others, etc…
https://xkcd.com/1579/
Nah, dependency hell is when two things you want to use depend on the same thing, but different versions. The depth of dependencies needed to make “this one thing” work may or may not be a problem
It’s exacerbated by “oh this library is updated for no reason other than its version is newer so we need to force that bleeding edge on any ecosystem we’re in” thinking.
We’ve absolutely lost the careful, measured long-term release and maintenance cadence that we built the Internet on.
Compare Systemd.
The worst dependency hell is when a library has a strict version dependency, and another library uses that same dependency. When the second library updates their minimum version of the dependency to one that is higher than the exact version needed for the first, THAT’S dependency hell.
This wouldn’t be a problem if libraries didn’t frequently make breaking changes to their api.
“Move fast and break things” is for startups with no userbase, not libraries with millions of users.
There are times when things need to be broken. But I also definitely understand your angle.
ever heard of node.js?
Heard, not used though. Jokes about isEven™ too, but I never thought it goes like this in anything intended for external use
there’s at least one guy i know of on github whose claim to fame is he finds code in existing node codebases by big corpos that’s duplicated, breaks it out into a library, then PRs the original codebase with “instead of doing <this part> manually, switch to depending on this library”, then adds to his profile “my code is used by <big corpo>”. he had thousands of libraries like that last i checked, most of them less than ten lines of code. the manifest and other boilerplate is way larger than the actual code.
Damn. isEven come alive. But hilarious enough to watch someone do it :)
Your node_modules directory can get so bloated that the community came up with different package managers just for deduplication! pnpm, for example, makes one global-adjacent cache, and then just symlinks the dependencies as needed. This is because the regular npm doesn’t, because what if the package changed between the 20ms since I downloaded it for nuxt? (Sorry Nuxt users, had to pick a name)
Given an example from another reply… yeah. Things are fucked