Harry Tan and Y Combinator face criticism over a bloated 6.4 MB AI-built site

After Y Combinator CEO Gary Tan boasted of generating 37 thousand lines of code per day, an independent audit of his garryslist.org website turned into a textbook examination of the consequences of such an approach. The audit of the client-side code revealed not simply a heavy page, but production where AI accelerated code output faster than code reviews, optimization, and basic frontend hygiene could catch up.

What the audit found

The garryslist.org homepage turned out to be unexpectedly heavy for an ordinary news blog with a newsletter. On a single load, the browser makes 169 requests and downloads 6.42 MB of data. For a site of this type, this looks less like built-in redundancy and more like the consequence of uncontrolled code and asset accumulation. The audit author emphasizes that he analyzed only what actually goes to the browser, without diving into internal source code.

"Absolutely insane week for agent development. 37 thousand lines of code..."

It is precisely against this backdrop of public boasting that the audit sounds particularly harsh. The speed of release itself says nothing about the quality of the result, and in this case shows rather the opposite: the more code and automation goes to production without strict filtering, the higher the chance that the user receives something unnecessary, broken, or simply unwanted. The analysis of the site became not a dispute over style, but a test of what "vibe coding" looks like in a combat environment.

Where the site got bloated

The most notable finding is 28 test files that are served to the visitor as part of the regular page load. These are not test reports, but real test wrappers like membership_form_controller.test and other files, totaling roughly 300 KB. All of them return HTTP 200 and are actually downloaded by the browser. For users this is meaningless traffic; for the team it is a sign that there is no proper filter for dev artifacts in the publication pipeline.

On top of that, the page loads 78 Stimulus controllers totaling about 154 KB, including modules for image generation, voice extraction, video generation, and even a template hello world. These features are not used on the homepage, but the code still goes to every visitor.

There is a separate story with the logo: the same bear is served eight times in different formats, and one AVIF file even has zero size.

• 169 requests and 6.42 MB on one homepage
• 28 test files in production, about 300 KB of unnecessary code
• 78 unnecessary Stimulus controllers that still get downloaded
• 4 MB of raw PNG where the browser asks for WebP or AVIF
• The same logo loads eight times, including an empty AVIF

The most traffic is consumed by images from articles: the server sends them as raw uncompressed PNGs through CloudFront, even though the browser explicitly requests modern formats. The audit provides examples of two images weighing 2.07 and 1.99 MB. In WebP they could take up much less space. On just these two files the site wastes approximately 4 MB of traffic, and this best shows the cost of the absence of elementary optimization.

Not just about megabytes

The analysis comes down not only to performance, but to engineering culture. The page had DOM duplication for mobile and desktop versions, empty CSS files, repeated title tags, and dozens of images with missing alt text. In other words, the problem is not a single random error, but an accumulation of minor defects that no one systematically cleaned up before release. When there are many such details, they no longer look like noise, but as a consequence of weak quality control.

The audit author particularly criticizes the PostHog analytics that the site proxies through the /s/ path to bypass ad blockers. The code contains a direct comment about the fact that the SDK loads through a proxy precisely for this reason. Against the backdrop of test files in production and empty broken assets, such an attempt to circumvent privacy settings looks particularly careless: a resource that positions itself as socially useful simultaneously loads garbage and tries to track its audience more tightly.

For comparison, the audit cites Hacker News, which is maintained by the Y Combinator ecosystem itself: 7 requests and 12 KB on the homepage. Against this background, garryslist.org turns out to be 562 times heavier. Even if you don't count images, about 73% of the transmitted volume the author considers pure garbage. This is what makes the case important: it's not about taste, but about concrete network, product, and operational losses today.

What it means

The story of Gary Tan's website is a good example of how AI truly accelerates development, but does not substitute for architecture, code review, and responsibility for production. If a team starts measuring progress by lines of code and push frequency, they easily end up not with a faster product, but with a more expensive, heavy, and fragile website.