Code Reviews & Package Security

My company has a full development team that follows standard engineering practices, including mandatory code reviews. My VP of Software Development is requiring that all VibeCode projects go through our code review process. While that presents some obvious challenges, I’m taking a solutions-focused approach by building a CustomGPT to help pre-review code based on the same criteria our developers use.

One area they focus on is package security, specifically verifying that dependencies are legitimate, actively maintained, and free of known vulnerabilities. I’ve recently learned that some bad actors are creating malicious packages specifically to be picked up by AI and exploited in downstream apps.

Does anyone know how Replit handles package selection and whether there’s any internal vetting or security process for packages surfaced in the environment?

Thank you,

They’re moving in this direction with the integration of Semgrep for a security review before deploying apps. Remember that Replit Agent is still powered by an external LLM, so it’s still going to have many of the out-of-the-box directions that the LLMs have from their training data. Thinking out loud, you could take the package.json file and run the dependencies through o3 or Perplexity deep research to find any known security vulnerabilities.

2 Likes
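Added example, not part of the thread and not Replit's own tooling: a deterministic first pass over package.json that can run before any LLM-assisted review. It flags dependency specs a reviewer should look at by hand and prepares a vulnerability lookup for the pinned ones. The manifest and package names are constructed, and using the OSV querybatch request format for the lookup is an assumption of this example.

```javascript
// Added example: pre-review triage of package.json dependency specs.
// SAMPLE_PACKAGE_JSON is constructed; every package name in it is made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "constructed-demo-app",
  dependencies: {
    "example-web-framework": "4.18.2",
    "example-date-lib": "^2.29.0",
    "example-helper": "*",
    "example-fork": "git+https://git.example.invalid/someone/example-fork.git",
  },
  devDependencies: { "example-test-runner": "latest" },
});

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
// git/http/file URLs and "user/repo" shorthand bypass the registry entirely.
const NON_REGISTRY = /^(git(\+[a-z]+)?:|https?:|file:|github:|[\w.-]+\/[\w.-]+(#.*)?$)/i;

// Classify one version spec by how much is left for the resolver to decide.
function classifySpec(spec) {
  if (NON_REGISTRY.test(spec)) return "non-registry-source";
  if (spec === "" || spec === "*" || spec === "latest" || /^x$/i.test(spec)) return "floating";
  if (EXACT.test(spec)) return "pinned";
  return "range";
}

// Returns findings for the human reviewer plus a request body, in the shape
// OSV's querybatch endpoint accepts, covering the exactly pinned dependencies.
function reviewManifest(jsonText) {
  const manifest = JSON.parse(jsonText);
  const findings = [];
  const queries = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, rawSpec] of Object.entries(manifest[section] || {})) {
      const spec = String(rawSpec).trim();
      const kind = classifySpec(spec);
      if (kind === "pinned") {
        queries.push({ package: { name, ecosystem: "npm" }, version: spec });
      } else {
        findings.push({ section, name, spec, kind }); // needs a lockfile or manual check
      }
    }
  }
  return { findings, osvBatch: { queries } };
}

const REPORT = reviewManifest(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(REPORT, null, 2));
```

Specs reported as `range` or `floating` only resolve to a concrete version in the lockfile, so the same lookup should be repeated against package-lock.json before sign-off.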

Thank you, Ethan, for weighing in! That’s the direction I’ll go with until there are more “robust” built-in security checks. The VibeCoding space is moving so fast that I don’t see this as much of an issue a year from now.

1 Like