Godot bans 'vibe-coded' contributions
The open-source Godot game engine is updating its contribution policy to prohibit AI-generated code, citing low-quality pull requests and maintainer burnout. New contributors must get permission for major changes, and AI agents are banned from discussions. Limited AI assistance (e.g., code completion) is allowed if disclosed.
Godot says bye bye AI, bans vibe-coded contributions
'We can't trust heavy users of AI to understand their code enough to fix it,' say maintainers who previously called the flood of vibe-coded pull requests 'demoralizing'
Vibe coders apparently don't understand what their AI servants write - at least that's what the team behind open-source game engine Godot seems to be implying with a new policy that cracks down on AI-generated contributions.
The Godot team announced on Tuesday that they were in the process of rewriting their contribution policy to prohibit almost all use of AI from contributors, citing an overwhelming number of pull requests that have poured in, many of which appear to be AI-generated. Nor, the maintainers suggested, can many heavy AI users be relied on to respond meaningfully to review feedback.
"AI cannot take responsibility, and we can't trust heavy users of AI to understand their code enough to fix it," the Godot maintainers said in their announcement.
Ouch.
The maintainers described AI pull requests as "demoralizing" for the Godot team, echoing comments made earlier this year when maintainer Rémi Verschelde said AI pull requests were increasingly draining and demoralizing wastes of time.
AI PRs, one game studio that uses Godot noted earlier this year, are largely garbage, come from users who don't understand what they're proposing, and are largely "a total shitshow."
The Godot team said that it now recognizes the problem isn't going away, so it's time to do something about it.
"Accordingly, we are in the process of updating our contribution policies, including adding a stricter policy on AI contributions," they said.
For starters, new contributors (defined as anyone with three or fewer merged pull requests) will be required to get explicit permission from maintainers if they want to submit new features or significant refactoring to Godot's codebase. This, the team said, is a bid to exclude vibe coders and AI agents and nurture a group of contributors who understand the Godot codebase and are willing to communicate with the team to learn more about it.
On that note, contribution discussions will be required to remain human-to-human, too: No AI agents or bots clogging up the comms channels, unless they're being used to translate between languages.
"We need to ensure that people who choose to review PRs feel their time is well spent," the Godot maintainers explained.
As for AI code itself, any autonomous agent-authored contributions or vibe-coded garbage will continue to result in an auto-ban from the team's GitHub repo, and the team is extending that ban on AI code to include a prohibition on the use of AI to generate any substantial piece of code.
"AI assistance should be limited to menial things (like code completion, regex, or find and replace)," the team explained. "If you do use AI in some capacity to author code, you must disclose it in the PR discussion."
The policy has yet to be formally amended, and the Godot maintainers didn't say when exactly they'd release the update. Needless to say, vibe coders and AI agents aren't welcome even now, so don't push your luck.
Vibe coding has shown other signs of falling out of favor lately as horror stories about deleted databases and wiped drives continue to pile up. Just last week, the chairman of IT consulting service Infosys predicted that vibe coding wasn't something professionals should be worried about as there's more to writing good software than coding.
"Given that AI is a much larger and disruptive technology transition than ever before, the questions are louder and the doubts are more insistent," Nandan Nilekani said in a speech at the company's AGM last week. "While we will embrace the best coding tools and improve our productivity, there is much more to do in the software development life cycle."
Context, Nilekani said, is paramount in software development. Based on the vibe-coded disaster that Godot has dealt with, AI doesn't seem quite capable of grasping that important element.