As SpaceX deal looms, Cursor partners with Chainguard to secure open-source dependencies in AI-built code
Cursor has spent the past week in headlines after confirming a partnership with SpaceX that could eventually lead to a $60 billion acquisition . The deal, for now, centres on training more capable coding models using SpaceX’s compute infrastructure. Alongside that push on model performance, however, Cursor is now addressing a separate issue: the reliability of the code those models produce. Cursor has partnered with Chainguard , which provides verified open-source packages, to route dependencies through its curated repositories, aiming to reduce the risk of compromised components entering AI-built applications. The announcement lands as AI coding tools push more software into production with less human review, raising questions about how much of that code can be trusted. Supply chain risks in the agentic era The partnership addresses a problem developers know all too well. Modern applications depend heavily on open-source libraries and container images, most of which are pulled from public registries such as npm, PyPI, and Docker Hub. Those registries operate on openness, with limited checks in place. Developers — and now AI agents — often install dependencies without knowing who built them or whether they have been tampered with. Recent incidents have underlined the risk . In March, projects such as Trivy, LiteLLM, Telnyx, and Axios were compromised, with attackers using poisoned packages to steal credentials and spread malware. For teams using AI-generated code, the exposure increases. Agents can select and install dependencies automatically, making trust decisions at a pace that outstrips manual review. As Chainguard co-founder and CEO Dan Lorenc put it, generating code is becoming routine — checking its integrity is where the pressure now sits. “AI agents are making dependency decisions at a scale and speed no security team can manually review,” he wrote in a blog post . “As organizations adopt agentic development, the biggest blocker is no longer how fast code