The problem is that it’s not a supply chain. It’s a supply tree structure. Your ten dependencies might have ten dependencies each, which might in turn have ten dependencies each. cough cough node
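The tree-versus-chain point above is easy to check on a real lockfile, because what matters for audit scope is not the expanded tree (which grows geometrically) but the set of distinct packages that actually get installed and how deep the graph goes. The following is an added example, not code from anyone in this thread: it walks a constructed, simplified dependency graph (package name to its direct dependencies, a toy stand-in for the "dependencies" field of a package-lock.json entry; every package name here is made up) and reports the expanded tree size, the number of unique transitive dependencies, the longest path, and any dependency that is referenced but never resolved.

```javascript
// Added example: compare the expanded "supply tree" with the set of packages
// actually installed.  SAMPLE_GRAPH is constructed for this example; names are
// invented and the shape (name -> direct deps) is a simplification of a
// lockfile, not a real package-lock.json parser.
const SAMPLE_GRAPH = {
  "my-app": ["web-framework", "logger", "http-client"],
  "web-framework": ["router", "body-parser", "logger"],
  "router": ["path-matcher"],
  "body-parser": ["content-type", "raw-body"],
  "raw-body": ["bytes-util"],
  "http-client": ["follow-redirects", "form-data"],
  "form-data": ["mime-types"],
  "mime-types": ["mime-db"],
  "logger": ["colors"],
  "path-matcher": [],
  "content-type": [],
  "bytes-util": [],
  "follow-redirects": [],
  "mime-db": [],
  "colors": [],
};

// Walk the graph from `root` and return:
//   unique:   distinct packages reachable from the root (what gets installed
//             and therefore what an auditor has to review)
//   treeSize: nodes in the fully expanded tree, i.e. how many times packages
//             appear when every path is counted separately (the "supply tree")
//   depth:    longest dependency path below the root
//   missing:  names referenced but absent from the graph (unresolved entries)
function analyzeDependencies(graph, root) {
  const unique = new Set();
  const missing = new Set();
  let treeSize = 0;
  let depth = 0;

  function walk(name, level, path) {
    if (!(name in graph)) { missing.add(name); return; }
    if (path.has(name)) return; // cycle guard: npm graphs may contain cycles
    treeSize += 1;
    unique.add(name);
    depth = Math.max(depth, level);
    path.add(name);
    for (const dep of graph[name]) walk(dep, level + 1, path);
    path.delete(name);
  }

  walk(root, 0, new Set());
  unique.delete(root); // the root package is not its own dependency
  return {
    unique: unique.size,
    treeSize: treeSize - 1, // exclude the root node itself
    depth,
    missing: [...missing].sort(),
  };
}

// Stand-alone run: three direct dependencies expand to 16 tree nodes but only
// 14 distinct packages, because `logger` and `colors` are reached twice.
console.log(analyzeDependencies(SAMPLE_GRAPH, "my-app"));
```

The gap between `treeSize` and `unique` is the deduplication a package manager does for you; the `unique` count (plus anything in `missing`) is the real review surface, and `depth` shows how far a compromised leaf package sits from anything the application author ever looked at.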
The only path forward is for responsible developers to reduce external dependencies, and for each of the library maintainers to reduce external dependencies as well.
Snake-oil vendors are already pivoting to the next moral panic: “Your software is secure, but what if the evil AI agents steal your stuff? Install pink-rubber-band-AI-endpoint-SOC-SIEM today!” Just moving the goalpost to whatever is scary this quarter.
Sounds true, what else do you have?
What we are building
The system we are building at Mendral lives inside the CI. It connects threat information, production event logs, source code, historical CI logs, and any custom signals you want to add, alongside secure sandbox environments and a set of dedicated tools (see Andrea’s post on agent harness for how that is wired). The agent operates on triggers, at different stages of the lifecycle.
Concretely, here is what happens when a Dependabot-style PR lands. The agent…
Oh ffs it’s an ad for some agentic bullshit.
You shouldn’t have dependencies when you can just vibe code everything yourself.