{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreibf5kx4hduwk2fzwfjsq3fue7zued6yczq7oubxh25xrllphc4jta",
"uri": "at://did:plc:pi6woz4d47bkuws673w2il2r/app.bsky.feed.post/3mja6nbjgeu52"
},
"path": "/t/how-to-filter-out-vibe-coded-dependencies/13918#post_5",
"publishedAt": "2026-04-11T11:31:03.000Z",
"site": "https://discourse.haskell.org",
"textContent": "I reckon the best way to find out whether a project is through a combination of scripting and calls to some analysis tool. High-level steps:\n\n * Write a script that walks the dependency tree. Either with cabal/hackage, or something that walks over Nix expressions to find the source (hackage, GitHub repo, pick whatever you prefer). This first step produces package metadata.\n * A second part is to iterate over the metadata, and then download the source code, or clone a Git repo, or Darcs, pick whatever\n * Third, write down a comprehensive definition of “vibe coded”. What signals are indicative, what signals are counterindicative. How should different signals combine to a score and/or conclusion. And crucially: define as precisely as you can when something falls in the vibe coded bucket and when it does not.\n * The fourth step is running some coding agent on the downloaded code. Depending on your definition, you can give it access to just reading files, or also some specific Git log/Git search commands. Tell it to output JSON results with signals, location of signals (e.g. file locations or Git commit messages) in a very specific format.\n * Note to iterate on the above. Let it do some analysis on a known good and known bad package, make up your own judgement, and modify the definition until the agent gives a satisfactory output.\n * Let the script run on all packages\n * Then write a final script to summarize the JSON reports into a report\n * This is another point to iterate: spot check some packages, compare to your own judgement and iterate on the definition and prompt to fine tune\n * Optionally write a script to create issues on all affected repositories to voice your concerns\n\n\n\nThe biggest challenge I reckon will be defining what constitutes vibe coded, as that line gets quite blurry fast.\n\nAnd then the next challenge will be convincing anyone that blacklisting packages based on your specification is a morally defensible choice.",
"title": "How to filter out vibe-coded dependencies"
}