We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs

TL;DR

This paper investigates the prevalence and causes of package hallucinations in code-generating LLMs, revealing high rates of erroneous package suggestions and proposing mitigation strategies to improve code generation reliability.

Contribution

It provides a comprehensive evaluation of package hallucinations across multiple models and languages, quantifies their severity, and introduces mitigation techniques to reduce these errors.

Findings

At least 5.2% hallucinated packages in commercial models

Open-source models exhibit 21.7% hallucinations

Over 200,000 unique hallucinated package names identified

Abstract

The reliance of popular programming languages such as Python and JavaScript on centralized package repositories and open-source software, combined with the emergence of code-generating Large Language Models (LLMs), has created a new type of threat to the software supply chain: package hallucinations. These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, represent a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain. This paper conducts a rigorous and comprehensive evaluation of package hallucinations across different programming languages, settings, and parameters, exploring how a diverse set of models and configurations affect the likelihood of generating erroneous package recommendations and identifying the root causes of this phenomenon. Using 16 popular LLMs for code generation and two unique prompt datasets, we generate 576,000 code samples in two programming languages that we analyze for package hallucinations. Our findings reveal that that the average percentage of hallucinated packages is at least 5.2% for commercial models and 21.7% for open-source models, including a staggering 205,474 unique examples of hallucinated package names, further underscoring the severity and pervasiveness of this threat. To overcome this problem, we implement several hallucination mitigation strategies and show that they are able to significantly reduce the number of package hallucinations while maintaining code quality. Our experiments and findings highlight package hallucinations as a persistent and systemic phenomenon while using state-of-the-art LLMs for code generation, and a significant challenge which deserves the research community's urgent attention.