Nesbitt: Protestware for coding agents
Andrew Nesbitt discusses a concerning update in the jqwik library for Java. The recent release included a change that instructs coding agents to delete jqwik tests and code, raising supply-chain security concerns. This incident highlights the need for better tooling to detect such subtle changes in software dependencies.
- ▪The jqwik library's 1.10.0 release on May 25 included a controversial change.
- ▪This change instructs coding agents to disregard previous instructions and delete jqwik tests and code.
- ▪Existing security tools may not detect such subtle changes, as they focus on more obvious threats.
Opening excerpt (first ~120 words) tap to expand
Andrew Nesbitt has written a blog post detailing a recent incident with the jqwik library for property-based testing in Java. On May 25, the 1.10.0 release of jqwik included a change that attempts to instruct coding agents to disregard previous instructions and delete jqwik tests and code. I think this is a new class of supply-chain input worth keeping an eye on, mostly because of how little of the existing tooling has any opinion about it. A System.out.print of sixty-eight bytes of plain ASCII isn't the kind of thing scanners are looking for, since those watch for install hooks, network calls, filesystem writes, obfuscated strings and the like.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at LWN.net (Linux Weekly News).