A Node.js TSC member Matteo Collina has made a pull request to Node.js core that was 19,000 lines long and mostly written by AI, although the author says he reviewed all the changes himself. Now thereβs a petition to ban machine-written code from the project altogether.
Honestly? Good.
What happened
Fedor Indutny, a Node.js contributor for a long time, started a petition to ban AI-written code from the Node.js core. It was prompted by a VFS pull request of almost 19,000 lines, the majority of which were authored by AI.
Take a moment to consider that number. 19,000 lines inserted into one of the most vital runtimes on Earth. The infrastructure that invisibly fuels much of the internet.
Nobody can review this
Here's the core problem: code review doesn't scale when a machine can generate pull requests faster than humans can read them.
A seasoned maintainer might review a few hundred lines carefully in a sitting. Maybe a thousand if they're caffeinated and angry. 19,000 lines is not a PR. It's a hostage situation. π«
β AI can generate code at infinite speed
β Humans still review at human speed
β The bottleneck isn't generation β it's understanding
If you unload that quantity onto volunteer maintainers, you aren't giving, you're shifting your labor onto others, and in a project like Node.js, an obscure bug is not a failure, itβs a supply chain crisis.
The legal mess nobody talks about
Now, to the interesting bit. A lot of open source projects will ask you to sign something called a Contributor License Agreement. In simple terms, you are stating that: "This is my work, I have permission to contribute it, and I am giving the project a license to use it."
CLAs were never designed for AI-generated code. Who owns the output of a model trained on millions of repositories? How can you warrant that you are able to contribute something a machine learning model gleaned from the entire internet?
β If you didn't write it, can you sign a CLA for it?
β If the model regurgitates copyrighted code, who's liable?
β If nobody knows, should it go into critical infrastructure?
These questions are not just theoretical. They are current legal ambiguities. And Node.js core is probably the worst place to find out the answers the hard way.
This isn't anti-AI
I use AI tools all the time. They're great for prototyping, exploring ideas, rubber-ducking at 2 AM when no one's awake. Iβm not here to say that Copilot is the devil.
However, there's a distinction between applying AI as a thinking aid and applying it as a code cannon pointed at critical open source projects. The petition is not saying "AI is bad." It's saying "our review process, our legal framework, and our governance model aren't built for this." π―
It seems logical. Arguably the only reasonable position right now.
Where this goes
Node.js won't be the last project to have this fight. Every major open source foundation is going to face the same question: what do we do when contributions arrive faster than we can verify them?
Some projects will ban AI-generated code outright. Others will require disclosure. Some will try to build tooling to detect it. None of those solutions are perfect.
However, taking no action and allowing 19,000-line machine-generated PRs to be queued for review by volunteer maintainers is the most damaging choice. It burns out the people who keep this stuff running. And it introduces risk that nobody fully understands yet.
The Node.js community is drawing a line. I think they're right to draw it. πͺ
Should open source projects require contributors to disclose when code is AI-generated β or ban it from core entirely?
Top comments (0)