Software Supply Chains are Dead: Use-Case-Oriented Regeneration

2026-07-14Software Engineering

Software Engineering
AI summary

The authors explain that using external software libraries to save time in development is becoming less reliable because of security risks and better AI tools. They propose a new way where developers generate just the exact parts of the code they need using AI, instead of relying on full external libraries. Their tests show this method works well, preserving almost all the original behavior while greatly reducing the extra code. This could lead to safer and more efficient software development when the needed features are simple and stable.

software dependencysoftware supply chain attacksgenerative AIcode synthesissoftware maintenanceAPI surfacesoftware sourcingrepositorysoftware validation
Authors
Tanmay Singla, James C. Davis
Abstract
Modern software development relies on an increasingly doubtful premise: that the up-front implementation savings from adopting a dependency outweighs the maintenance costs. Two changes are reshaping the build-vs.-reuse calculus: software supply chain attacks have raised the cost of external reliance, while generative AI has lowered the cost of local implementation. We envision use-case-oriented regeneration as a new software sourcing paradigm that shifts the supply chain from external trust to local verification. We evaluate an agentic workflow that synthesizes only the specific slice of dependency functionality that a repository exercises. Our measurements across 180 repository-dependency pairs suggest that this approach is feasible: the replacements preserve 99.8% of repository-observed behavior across baseline validation checks and reduce the exported API surface by 93%. Software sourcing may evolve toward verifiable repository-specific code synthesis, especially when the required functionality is narrow, stable, and well tested.