llms and "small" open source
Why take on additional supply chain risks by adding another dependency when an LLM can likely kick out the subset of functionality needed by your own code, to order?

> I still believe in open source, and I’m still doing it (in fits and starts). But one thing has become clear to me: the era of small, low-value libraries like blob-util is over. They were already on their way out thanks to Node.js and the browser taking on more and more of their functionality (see node:glob, structuredClone, etc.), but LLMs are the final nail in the coffin.

I’ve been thinking about a similar issue myself recently as well.
Source: The fate of “small” open source
This is a fantastic prompt. "Small" open source was always considered a risk in software development, but a risk worth taking because of the fundamental nature of open source, especially popular open source. The security stance on it was mostly: if there are enough users, it's also highly likely that there are more eyes on the code and hence fewer chances of a security vulnerability.
I think LLMs shift that risk around. While there is less supply-chain risk, there's far more risk on the audit side: generated code has not had the security scrutiny that widely used open-source code gets. Now each developer, institution and organization will have a different set of variables they need to consider.
IOW, I don't think it's one way versus the other.