From 72568e7e8789f0b1a2f5c8adcb3cd79cd4e109aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=7BAI=7Df=20D=2E=20M=C3=BCller?=
Date: Wed, 15 Apr 2026 12:46:16 +0200
Subject: [PATCH 1/2] docs: add Lehman classification as failure mode (S/P/E-type)

Extends the 'LLM-specific failure modes' section with Lehman's S/P/E classification and the Laws of Software Evolution. E-type systems (embedded in the world, must evolve) suffer from accelerated Lehman decay when LLM-generated, because LLMs have no persistent memory of project history.

Closes #19

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/i18n.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/i18n.js b/src/i18n.js
index a3a7805..ba6d149 100644
--- a/src/i18n.js
+++ b/src/i18n.js
@@ -302,7 +302,9 @@ Dieses Framework bietet eine https://github.com/LLM-Coding/Semantic-Anchors?tab=
 
 *Halluzinierte Packages (Slopsquatting)* — https://www.helpnetsecurity.com/2025/04/14/package-hallucination-slopsquatting-malicious-code/[~20% der empfohlenen Packages existieren nicht]. Angreifer können diese Namen registrieren. "huggingface-cli" wurde https://www.infosecurity-magazine.com/news/ai-hallucinations-slopsquatting/[über 30.000 mal installiert].
 
-*Automation Complacency* — Entwickler mit AI-Assistenten produzieren mehr Vulnerabilities und glauben gleichzeitig, sichereren Code zu schreiben (https://arxiv.org/abs/2211.03622[Stanford, Perry et al. 2022]). https://devclass.com/2025/02/20/ai-is-eroding-code-quality-states-new-in-depth-report/[Code-Review-Beteiligung sinkt um 30%].`,
+*Automation Complacency* — Entwickler mit AI-Assistenten produzieren mehr Vulnerabilities und glauben gleichzeitig, sichereren Code zu schreiben (https://arxiv.org/abs/2211.03622[Stanford, Perry et al. 2022]). https://devclass.com/2025/02/20/ai-is-eroding-code-quality-states-new-in-depth-report/[Code-Review-Beteiligung sinkt um 30%].
+
+*Beschleunigter Lehman-Decay* — https://en.wikipedia.org/wiki/Lehman%27s_laws_of_software_evolution[Lehmans Gesetze (1980)] unterscheiden *S-Type* (formal spezifiziert, geschlossen), *P-Type* (Problemlösung mit Näherungs-Spec) und *E-Type* (in die Welt eingebettet, muss mitevolvieren — Banking, SaaS, Agenten). E-Type-Systeme unterliegen *Continuing Change*, *Increasing Complexity* und *Declining Quality*. AI-generierter Code beschleunigt diese Zerfallsdynamik, weil LLMs kein persistentes Gedächtnis der Projekthistorie haben — sie können nicht "mit dem Code altern". Bei S-Type-Code (Algorithmen, reine Utility-Funktionen) ist das Risiko gering. Faustregel: Je E-typischer das System, desto mehr Review-Budget und Refactoring-Kapazität einplanen.`,
   },
   {
     id: "mitigations",
@@ -664,7 +666,9 @@ This framework provides a https://github.com/LLM-Coding/Semantic-Anchors?tab=rea
 
 *Hallucinated packages (Slopsquatting)* — https://www.helpnetsecurity.com/2025/04/14/package-hallucination-slopsquatting-malicious-code/[~20% of recommended packages don't exist]. Attackers can register these names. "huggingface-cli" was https://www.infosecurity-magazine.com/news/ai-hallucinations-slopsquatting/[installed 30,000+ times] before detection.
 
-*Automation Complacency* — Developers using AI assistants produce more vulnerabilities while simultaneously believing they write more secure code (https://arxiv.org/abs/2211.03622[Stanford, Perry et al. 2022]). https://devclass.com/2025/02/20/ai-is-eroding-code-quality-states-new-in-depth-report/[Code review participation drops by 30%].`,
+*Automation Complacency* — Developers using AI assistants produce more vulnerabilities while simultaneously believing they write more secure code (https://arxiv.org/abs/2211.03622[Stanford, Perry et al. 2022]). https://devclass.com/2025/02/20/ai-is-eroding-code-quality-states-new-in-depth-report/[Code review participation drops by 30%].
+
+*Accelerated Lehman Decay* — https://en.wikipedia.org/wiki/Lehman%27s_laws_of_software_evolution[Lehman's laws (1980)] distinguish *S-type* (formally specified, closed), *P-type* (problem-solving with approximate spec), and *E-type* (embedded in the world, must evolve with it — banking, SaaS, agents). E-type systems are subject to *continuing change*, *increasing complexity*, and *declining quality*. AI-generated code accelerates this decay dynamic because LLMs have no persistent memory of project history — they cannot "age with the code". For S-type code (algorithms, pure utility functions), the risk is low. Rule of thumb: The more E-type a system, the more review budget and refactoring capacity to plan for.`,
   },
   {
     id: "mitigations",

From dc356945f632ebc5b6fb66dd674beb387b26811c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=7BAI=7Df=20D=2E=20M=C3=BCller?=
Date: Wed, 15 Apr 2026 12:48:13 +0200
Subject: [PATCH 2/2] fix: resolve npm audit vulnerabilities (picomatch, vite, yaml)

- picomatch: method injection + ReDoS
- vite: path traversal in optimized deps, arbitrary file read via WS
- yaml: stack overflow via deeply nested collections

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package-lock.json | 54 +++++++++++++++++++++++------------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4ba5454..20975b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -836,9 +836,9 @@
       }
     },
     "node_modules/@eslint/config-array/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -910,9 +910,9 @@
       }
     },
     "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1631,9 +1631,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -2080,9 +2080,9 @@
       }
     },
     "node_modules/eslint/node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2271,9 +2271,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.1.tgz",
-      "integrity": "sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true,
       "license": "ISC"
     },
@@ -2716,9 +2716,9 @@
       }
     },
     "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2922,9 +2922,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -3384,9 +3384,9 @@
       }
     },
     "node_modules/vite": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
-      "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
+      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3547,9 +3547,9 @@
       "license": "ISC"
     },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "dev": true,
       "license": "ISC",
       "bin": {