Incomplete JSON (such as from a log that terminates unexpectedly) doesn’t parse cleanly, which means anything that usually prints JSON nicely, won’t. Frustration with this is what led [Simon Willison] to make The Incomplete JSON pretty printer, a single-purpose web tool that pretty-prints JSON regardless of whether it’s complete or not.
Making a tool to solve a particular issue is a fantastic application of software, but in this case it also is a good lead-in to some thoughts [Simon] has to share about vibe coding. The incomplete JSON printer is a perfect example of vibe coding, being the product of [Simon] directing an LLM to iteratively create a tool and not looking at the actual code once.
[Simon] shares that the term “vibe coding” was first used in a social media post by [Andrej Karpathy], who we’ve seen shared a “hello world” of GPT-based LLMs as well as how to train one in pure C, both of which are the product of a deep understanding of the subject (and fantastically educational) so he certainly knows how things work.
Anyway, [Andrej] had a very specific idea he was describing with vibe coding: that of engaging with the tool in almost a state of flow for something like a weekend project, just focused on iterating one’s way to what they want without fussing the details. Why? Because doing so is new, engaging, and fun.
Since then, vibe coding as a term seems to get used to refer to any and all AI-assisted coding, a subject on which folks have quite a few thoughts (many of which were eagerly shared on a recent Ask Hackaday on the subject).
Of course human oversight is critical to a solid and reliable development workflow. But not all software is the same. In the case of the Incomplete JSON Pretty Printer, [Simon] really doesn’t care what the code actually looks like. He got it made in a short amount of time, the tool does exactly what he wants, and it’s hard to imagine the stakes being any lower. To [Simon], however the LMM decided to do things is fine, and there’s a place for that.
“Vibe coding ain’t all bad” but sure, put the blacl box on the open internet. Nothing can go wrong with that.
Doesn’t even need that. Only needs to include a malware library / npm module / etc which includes a reverse shell / bitcoin miner / ransomware / rm -f / etc and you’re still screwed.
And the xz backdoor, where a psychopathic entity (likely some nation state) socially engineered an overworked single developer over months to ease the workload on ’em only to backstab the same dev much later on.
Threat actors will go great lengths these days. The very recent Github supply chain attack on SpotBugs that leaked Github secrets in hundreds of repos is only the reminder that when it rains, it pours:
[https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/#update-4-2-25]
you just published an article today https://hackaday.com/2025/04/12/vibe-check-false-packages-a-new-llm-security-risk/ which gives you an example of why you might not want to execute LLM produced code without looking at it
“Of course human oversight is critical to a solid and reliable development workflow. But not all software is the same. In the case of the Incomplete JSON Pretty Printer, [Simon] really doesn’t care what the code actually looks like. He got it made in a short amount of time, the tool does exactly what he wants, and it’s hard to imagine the stakes being any lower. “
Unless … the AI-generated code imports a package that turns out to be malicious.
The author explicitly requested pure HTML and JS, no imports. And the generated code is exactly that. “Doesn’t care what the code looks like” does not mean “never looked at the generated code after it was created”.
If you’re checking the output it’s not vibe coding.
However, in his write-up of it he explicitly states:
is this vibe commenting, where you write your comment without even reading the article?
(you too, mark. but the linked article in your case)
Partially completed code to handle partially completed data. Nice.
Any string that ends with \ breaks this, because it doesn’t properly handle escapes. It only checks for \”, which obviously isn’t enough.
I ponder how much of this is the result of copied code since this exact task has been done to death.
This goes for most software nowadays, even when humans are writing it.
It would be great if built-in JSON parses (in languages like PHP, Javascript, and Python) could be given a flag telling them to produce an object from JSON even if it is incomplete.
Kaparthy’s definition of Vibe Coding includes -talking- to the computer to write code, he is quite specific about that. As for the doubters, I’ve written a couple of largeish internal projects without writing a single line of code with claude, complete with tests etc., which the LLM runs itself, and uses to fix its own code. (It actually works much better if you don’t interfere, and just let the LLM write and edit the codebase, it has its own style and is far happier if you don’t interfere directly). And the end result is projects that Just Work. It is mind bendingly good. I’ve also published a couple of the more useful, niche, projects claude wrote for me as FOSS. Ideas->code->real world applications is here!
If you look at the code, it’s obvious that escaping isn’t handled properly: e.g. {“\”:””}