
As a corollary, it might also increase the surface of upstream supply-chain attacks (patched or not)

The package import thing seems like a red herring



It's going to be fun if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern. That'll be a lot harder to remediate than "Update dependency xyz"


> if someone finds a security vulnerability in a commonly-emitted-by-LLMs code pattern

How do you distinguish this from injecting a vulnerable dependency into a dependency list?


You can more easily check for known-vulnerable dependencies


Right, but if you can embed bad packages in LLMs, you can surely embed any kind of vulnerability imaginable.


I'm not thinking about deliberately embedded vulnerabilities, just accidental/emergent ones. The modern equivalent of devs copy-pasting Stack Overflow answers that happen to contain SQL injection vulns.


Does the distinction make any difference?


Yes, you'd take different actions to avoid each.
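An added example, not part of the thread, contrasting the two checks discussed above: a known-vulnerable dependency is an exact-match lookup against an advisory list, while a vulnerable code pattern has to be found heuristically in every file that contains it. The package names, advisory entries and sample source are constructed for illustration, and the pattern scan only covers string-built arguments to `.execute()`.

```python
import ast

# Constructed advisory data and dependency pins (hypothetical names, not real packages).
ADVISORIES = {("examplelib", "1.2.0"), ("otherlib", "0.9.1")}
REQUIREMENTS = "examplelib==1.2.0\nsafe-lib==3.4.5\n"

# Constructed source of the copy-pasted kind: two injectable queries, one parameterized.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

def vulnerable_pins(requirements, advisories):
    """Exact-match lookup: a pinned name==version is in the advisory set or it is not."""
    hits = []
    for line in requirements.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith("#"):
            name, version = line.split("==", 1)
            if (name.strip().lower(), version.strip()) in advisories:
                hits.append((name.strip(), version.strip()))
    return hits

def is_built_string(node):
    """True if the expression builds a string: f-string with fields, %, + or .format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def injectable_queries(source):
    """Heuristic scan: line numbers of .execute() calls whose first argument is built."""
    lines = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and is_built_string(node.args[0])):
            lines.append(node.lineno)
    return sorted(lines)
```

The dependency check gives a definite answer per pin and is fixed by a version bump; the pattern scan can miss variants or flag harmless concatenation, and each hit needs its own code change.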



