Most of the supply chain vulnerabilities I’ve seen published and talked about lately have been trying to do things like exfiltrate keys/secrets from developers, including ci.

So of you’ve got a pr open with the vulnerable package update on it then you’ve goofed. Even potentially without merging if you’ve not got ci set up very securely, which is probably more common than we’d like to admit

What do you mean by “make” what do you want it to do that you aren’t getting.

Maybe some existing model via ollama - llama-uncensored?

Do you need to add context with some specific set of data, should it be retrieval based or tuned or cross trained?

Does it even need to be an llm? What are you trying to actually achieve?