OK, tangentially: let's assume that Next is poorly maintained; what are some good alternatives? Of course everything that Next does can be assembled by hand from various smaller modules on top of Express, or similar. What are some more cohesive sets?
I don't think there's anything quite as featureful. For basic sites, Astro is fine, but it's not as powerful. Vite can be used for basic client or server side renders. Nuxt and SvelteKit have some of the basic features.
But I don't think there is a drop-in replacement for ALL that Next does. The strength of Next is in packaging together what would otherwise be like twenty different packages and servers (especially if you make use of all the Vercel specific features). And then it adds incredibly powerful (but often complex) hybrid caching strategies that combine what would traditionally be done by different daemons altogether (a KV store, a memory cache, a HTTP cache, CDN. etc.). And then it adds a bunch of additional features like the middleware layer, image processing and caching, etc. I don't know of any other frontend-focused JS framework with such features in one package.
These are more common in the full-stack world. Next takes some of those traditional backend concerns and puts them in the hands of frontend devs, for better or worse. If you know a bit of both, it can be a great shortcut. If you overestimate your ability/knowledge, it can be a great footgun.
> But I don't think there is a drop-in replacement for ALL that Next does.
The entirety of vite + tanstack (in particular the upcoming tanstack-start) is getting quite close. For quite a few uses that folks currently use Next for, I would argue that much of what tanstack does is a better fit. E.g. non-marketing sites, but SaaS-style dashboards.
Does that put you in a situation where the builder/bundler is made by a different vendor than the router & cache management layer?
That was one of the nice benefits of Next when it first came out, vs Frankensteining these basic concerns together on top of React with a bunch of different libs that don't always track each other in terms of upgrade compatibility, often resulting in dependency hell.
> Does that put you in a situation where the builder/bundler is made by a different vendor than the router & cache management layer?
Like in next? Next uses webpack (at least for the most part, there is now also turbo support but it's limited to dev builds for now) which is built by other people. Tanstack is intentionally building on vite and from what I can tell there is quite a deep cooperation going on. Most frameworks outside of the Vercel sphere have all put themselves on vite and started embracing it. Solid, Vue, Remix and Tanstack are all on vite and leveraging that rather than building their own infrastructure.
I think next.js is a terrific project for the record, but I happen to mostly sit in the space where it doesn't quite play out its strengths. [1] So I'm quite used to frankensteining over the years and Vite has made my life much more pleasant in that regard. It feels quite cohesive and it's so damn quick compared to the status quo ante.
[1]: That thing is highly interactive SaaS software with backends that are not written in JavaScript.
Ah ok, yeah.. unfortunately this type of lag/mismanagement is pretty common once a company gets big enough. Oftentimes the right people don't get involved on first pass... even at tech-first companies like this -- though at that point perhaps you're no longer tech-first :/
Timeline:
02/27/2025: vulnerability reported to the maintainers (specifying that only versions between 12.0.0 and 12.0.7 were vulnerable, which was our understanding at the time)
03/01/2025: second email sent explaining that all versions were ultimately vulnerable, including the latest stable releases
03/05/2025: initial response received from the Vercel team explaining that versions 12.x were no longer supported/maintained (probably hadn’t read the second email/security advisory template indicating that all were vulnerable)
03/05/2025: another email sent so that the team could quickly take a look at the second email/security advisory template
03/11/2025: another email sent to find out whether or not the new information had been taken into account
03/17/2025: email received from the Vercel team confirming that the information had been taken into account
03/18/2025: email received from the Vercel team: the report had been accepted, and the patch was implemented. Version 15.2.3 was released a few hours later, containing the fix (+backports)
03/21/2025: publication of the security advisory