Ladybird will stop accepting public pull requests, citing AI-driven code risks, and will only allow maintainer contributions going forward.
The Ladybird Browser Project has announced it will no longer accept public pull requests and will limit changes to those made by its maintainers as it works towards its first alpha release.
According to Ladybird’s creator Andreas Kling, this is “not a change we make lightly,” but the rapid shift in AI capabilities forced their hand. Previously, a massive PR implied that the person behind it put a lot of care into the code and is ready to “answer for the consequences.” Now with AI, anyone can generate a PR without even understanding the bug fix or feature they want merged.
“For a browser, this matters. A browser runs untrusted input from the entire internet on the user’s machine, and one well-disguised vulnerability is all an attacker needs. We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it. What has changed is how much faster and cheaper it has become to produce work that looks like a serious contribution.
“At the same time, every change that enters Ladybird becomes our responsibility. It has to fit the architecture, survive future refactoring, interact correctly with the rest of the browser, and be understood by the people maintaining it.”
The blog post goes on to say that the team is closing all open public pull requests immediately, and that maintainers will not treat external forks as a review queue for upstream Ladybird. Instead, the team wants outside contributors to focus on reporting bugs and running tests.
Kling started Ladybird back in 2019 as LibHTML, a simple HTML viewer for his hobby operating system, SerenityOS, but by September 2022, it had turned into a full-fledged browser project. What sets Ladybird apart from the likes of Google Chrome, Apple Safari, or Mozilla Firefox is its totally independent engine, which does not rely on pre-existing codebases. The project maintains a strict policy against default search engine deals or user data monetization, keeping development funded entirely by donations and sponsorships.
Generative AI is forcing open-source project maintainers to rethink how they handle public code contributions (and the whole open-source thing in general). One month ago, a leak about the National Health Service (NHS) suggested the organization was planning to take all of its public repositories private ahead of a May 11 deadline, thanks to Mythos (an AI model that Anthropic believes is too dangerous to be released to the public) and its ability to find and write exploits for zero-day vulnerabilities.
Thankfully, the Government Digital Service (GDS) issued a counter-report titled “AI, open code and vulnerability risk in the public sector” that stopped the shutdown by pointing out that hiding code does not improve security.

