CICI/CD News
Security & supply chain

The 'OSS ingredients are basically safe' assumption just got a 52,000-package counter-example

June 16, 2026supply-chaindependency-scanningagentic-developmentopen-sourceintake
Tomás Vega · Supply-chain security engineerThe 'OSS ingredients are basically safe' assumption just got a 52,000-package counter-example

We have spent a decade telling ourselves the same lullaby: the registry is mostly fine. The occasional typosquat, a namespace hijack every few months, but the ingredients are basically safe. Then the agent showed up. This week the supply-chain security firm Chainguard published findings from a scan of 52,000 open-source packages pulled in by AI-generated and "vibe-coded" applications, and concluded the headline you already feared — those ingredients are not safe to assume trustworthy when something other than a human is doing the picking. The New Stack carried it on June 11.

Why this story is the moment, not last week's

Two trends just collided. Junior devs pasting npm install from a Stack Overflow answer has always been a supply-chain hazard. The new wrinkle is the agent — coding agents, vibe-coding setups, "just generate me an app" flows — that resolve dependencies on their own with no human in the loop on the choice. The agent does not lurk on package news. It does not subscribe to a maintainers' mailing list. It picks whatever satisfies the prompt and moves on.

Multiply that by every PR an agent opens overnight, on every repo, without a tired human in the diff. That is the new dependency intake pipeline, whether you have named it that or not.

The real claim, stripped of marketing

Chainguard's argument, sized down to one sentence: the trust default that carried the ecosystem this long was implicitly underwritten by humans who would, at least sometimes, look. That underwriter has left the room.

That is the part to sit with. Not the count — the count is just evidence. 52,000 is a lot of packages to sample. It is also a rounding error against the npm and PyPI surface area. What matters is the logical shift. "Mostly safe" was a posterior belief that depended on a particular distribution of intake behaviour. Change the behaviour and the posterior moves with it.

Where CI/CD actually owns this

Here the piece turns operational instead of philosophical. The pipeline is the last narrow waist where you can still see every dependency before it becomes production. If an agent picked the package, you have already lost the social trust layer. You have not yet lost the technical one.

Practically:

  • The dependency scan moves left of the build, not right of the deploy. If your scanner runs as a release gate, you are checking after the artifact exists. The package is already pinned, the lockfile is already merged, your reviewers — human or not — have already signed off. Run it on the PR that introduces or bumps a dependency, blocking merge.
  • The lockfile becomes an audit surface, not a convenience. Diffs in package-lock.json, pnpm-lock.yaml, uv.lock, Cargo.lock and friends are exactly where novel, attacker-controlled code enters a repo. Treat additions and version jumps as code review, not as line noise the bot collapses.
  • An agent's pull request needs stricter intake than a human's, not looser. Tempting to wave them through because they pass tests. They pass tests. So did the contributor whose maintainer credentials got phished.
  • The transitive set is the threat model. A first-order dependency you have heard of is reassurance theatre when it brings in two hundred you have not. Resolve and scan the closure, not the manifest.

The honest counter-argument

Two of them, actually, and both deserve airtime.

The first: a vendor in the supply-chain security business has an obvious commercial interest in declaring open source unsafe. (Shocked, you are.) The findings can still be true and the messenger can still be self-interested; both things at once. The right response is to read the methodology hard, not to refuse to read it.

The second, and the more uncomfortable one: most teams will not materially change their intake hygiene on the strength of a single report. The friction of running real scanning on every PR, the false-positive rate, the on-call interruption when a transitive bump trips a rule at 4 p.m. on a Friday — these are why "we will tighten up next quarter" has been a sentence for five years running. The tooling has not changed that math enough.

The verdict

The mistake is reading this as a vendor product moment. The thing Chainguard shipped is not the news; the thing they noticed is. Coding agents have severed the implicit human review that made the open-source default work, and the registries are not going to retrofit that for you.

For CI/CD owners, the action item is small and unglamorous. Make sure the scan that already exists in your pipeline runs before a dependency change can merge, not after. Audit which jobs are allowed to mutate the lockfile and which identities can trigger them. Decide, in writing, what the intake bar is for an agent-authored PR versus a human one — because right now your pipeline is probably treating them the same, and it should not be.

The lullaby is over. The ingredients are guilty until signed.

Source: The New Stack (thenewstack.io)

Turn this into your pipeline. Build it on Buddy.

Start free