Claude Code defaulting to a certain set of recommended providers[0] and frameworks is making the web more homogenous and that lack of diversity is increasing the blast radius of incidents
That's a funny way of saying "race to the bottom."
> The internet does that but it feels different with this
How does "the internet do that?" What force on the internet naturally brings about mediocrity? Or have we confused rapacious and monopolistic corporations with the internet at large?
It's a good point, but I don't think the problem here is Claude. It's how you use it. We need to be guiding developers to not let Claude make decisions for them. It can help guide decisions, but ultimately one must perform the critical thinking to make sure it is the right choice. This is no different than working with any other teammate for that matter.
Self fulfilling prophecy: You don't need to secure anything because it doesn't make a difference, as Mythos is not just a delicious Greek beer, but also a super-intelligent system that will penetrate any of your cyber-defenses anyway.
It's so trivial to seed. LLMs are basically the idiots that have fallen for all the SEO slop on Google. Did some travel planning earlier and it was telling me all about extra insurances I need and why my normal insurance doesn't cover X or Y (it does of course).
What is the rationale for using vercel ? I'm getting a lot of value out of cloudflare with the $5/month plan lately but my bare metal box with triple digit ram has seen zero downtime since 2015.
I haven't used Cloudflare and am the first to shit on Vercel. But I have to say, some aspects of their hosting are nice. In many ways it really is just a terminal command and up it goes with good tooling around it. For example, the PR previews take zero setup and just work. Managing your projects is easy, it's all nicely designed, it integrates well with Next and some other frontend-heavy systems and so on.
They put a massive amount of VC cash into convincing people that Next.js was "the modern way" to create a website. Then they got lucky with the timing of LLMs becoming popular while they were the hot thing, leading LLMs to default to it when creating new websites. To picture that amount of VC cash - they're at Series F, and a huge chunk of that went towards marketing.
Both have been changing as people realize it's rarely the right tool for the job, and as LLMs also become more intelligent and better at suggesting other, better options depending on what is asked for (especially Claude Opus).
I really want this to be true. nextjs is a nightmare. I'm eternally disgruntled.
nextjs is also powerful due to AI. But the value is a robust interactive front-end, easily iterated, with maybe SSR backing, nothing specific to nextjs.
So much complexity has gone into SSR. I hate 5MB client runtime just to read text as much as anyone, but not if the tradeoff is isomorphic env with magic file first-line incantations.
So glad I decided to just stick with django/htmx on my project a few years ago. I invested a little time into nextjs and came to the conclusion that this can't be the way.
Perhaps the rationale is laziness. Maintaining VM probably takes some more effort and competence than deploying to Vercel. Some people are willing to pay to minimize effort and the need to learn anything.
Very nice developer experience. A lot of batteries included, like CDN, incremental page regeneration, image pipeline or observability. Not having to maintain a server.
I’m still planning to move elsewhere though, the vendor lock-in is not worth it and I’d like to keep our infra in the EU.
Knowing how to operate a basic server is perceived as hard and dangerous by many, especially the generation that didn’t have a chance to play with Linux for fun when growing up
For a lot of folks, I think its ease of deployment when using Next.js. I switched to astro, also doing a lot of cloudflare at the moment. Before that, I was doing OpenNext with sst.dev on AWS but it started feeling annoying.
it's free for newbies and everyone, ofc it's a trap but freemium model gets people. aws can cost easily few thousands with 2-3 mistakes and clicks. vercel makes you start free then if you grow they bill you 10x-100x aws
I dunno I put a lot of traffic through Vercel, maybe 100k visitors per day, and it was under a few hundred a month. I think a couple EC2 instances behind a load balancer would cost similar or more. I was under the impression that its still a VC subsidized service.
They regularly try to get me to join an enterprise plan but no service cutoff threats yet.
I started using it a few years ago when I moved to my current company, and have to say I've learned to like it quite a bit. Moving to Cloudflare is an option, but currently it just works so we can't be bothered. Costs are not nothing, but basically no issues with it until now, and it's not so expensive that it raises eyebrows with the biggest being that we have 3 seats. The setup is quick and again it just works. We are a very small team, and the fact we don't have to deal with it on a daily/weekly basis is valuable. Obviously this current situation is a problem, but I am not sure which platform is free of issues like these. People act like it can't happen to me, until it does.
Assuming that all homes are at equal risk of being burglarized. In practice the neighborhoods I’ve seen are either at much higher risk or much lower risk.
and burglarized homes have higher prob. of being burglarized again, and probabilities don't accumulate but compound, and is the server even in a house?
> Vercel did not specify which of its systems were compromised
I’m no security engineer, but this is flatly unacceptable, right? This feels like Vercel is covering its own ass in favor of helping its customers understand the impact of this incident.
Claude Code defaulting to a certain set of recommended providers[0] and frameworks is making the web more homogenous and that lack of diversity is increasing the blast radius of incidents
[0] https://amplifying.ai/research/claude-code-picks/report
It's interesting how many of the low-effort vibecoded projects I see posted on reddit are on vercel. It's basically the default.
10 years ago it was Heroku and Three.js.
next, vercel, and supabase is basically the foundation of every vibecoded project by mere suggestion.
The thing I can’t stop thinking about is that Ai is accelerating convergence to the mean (I may be misusing that)
The internet does that but it feels different with this
> convergence to the mean
That's a funny way of saying "race to the bottom."
> The internet does that but it feels different with this
How does "the internet do that?" What force on the internet naturally brings about mediocrity? Or have we confused rapacious and monopolistic corporations with the internet at large?
It's a good point, but I don't think the problem here is Claude. It's how you use it. We need to be guiding developers to not let Claude make decisions for them. It can help guide decisions, but ultimately one must perform the critical thinking to make sure it is the right choice. This is no different than working with any other teammate for that matter.
I think most people would agree.
However it is less clear on how to do this, people mostly take the easiest path.
Its an eternal september moment.
https://en.wikipedia.org/wiki/Eternal_September
> a. Actually do something sane but it will eat your session
> b. (Recommended) Do something that works now, you can always make it better later
I guess engineers can differentiate their vibecoded projects by selecting an eccentric stack.
That's the irony of Mythos. It doesn't need to exist. LLM vibe slop has already eroded the security of your average site.
Self fulfilling prophecy: You don't need to secure anything because it doesn't make a difference, as Mythos is not just a delicious Greek beer, but also a super-intelligent system that will penetrate any of your cyber-defenses anyway.
Conspiracy theory: they intentionally seeded the world with millions of slop PRs and now they’re “catching bugs” with Mythos
"Nobody ever got fired for putting their band page on MySpace."
It's so trivial to seed. LLMs are basically the idiots that have fallen for all the SEO slop on Google. Did some travel planning earlier and it was telling me all about extra insurances I need and why my normal insurance doesn't cover X or Y (it does of course).
What is the rationale for using vercel ? I'm getting a lot of value out of cloudflare with the $5/month plan lately but my bare metal box with triple digit ram has seen zero downtime since 2015.
I haven't used Cloudflare and am the first to shit on Vercel. But I have to say, some aspects of their hosting are nice. In many ways it really is just a terminal command and up it goes with good tooling around it. For example, the PR previews take zero setup and just work. Managing your projects is easy, it's all nicely designed, it integrates well with Next and some other frontend-heavy systems and so on.
They put a massive amount of VC cash into convincing people that Next.js was "the modern way" to create a website. Then they got lucky with the timing of LLMs becoming popular while they were the hot thing, leading LLMs to default to it when creating new websites. To picture that amount of VC cash - they're at Series F, and a huge chunk of that went towards marketing.
Both have been changing as people realize it's rarely the right tool for the job, and as LLMs also become more intelligent and better at suggesting other, better options depending on what is asked for (especially Claude Opus).
I really want this to be true. nextjs is a nightmare. I'm eternally disgruntled.
nextjs is also powerful due to AI. But the value is a robust interactive front-end, easily iterated, with maybe SSR backing, nothing specific to nextjs.
So much complexity has gone into SSR. I hate 5MB client runtime just to read text as much as anyone, but not if the tradeoff is isomorphic env with magic file first-line incantations.
So glad I decided to just stick with django/htmx on my project a few years ago. I invested a little time into nextjs and came to the conclusion that this can't be the way.
You use a free template that's done in Next.js and uses its Image component, so you need a server.
Everything runs fine locally until you try to deploy it, and bam you need 4g ram machine to run the thing.
So you host it on Vercel for free cause it's easy!
Then you want to check for more than 30 seconds of analytics, and it's pay time.
I am not following the logic. If you’re a hobbyist, sure.
But the argument is if you’re using Vercel for production, you’re paying 5-10x what you’d pay for a VM, with 4gb.
So then what’s the rationale? You can’t be a hobbyist but also “it’s pay time” for production?
Perhaps the rationale is laziness. Maintaining VM probably takes some more effort and competence than deploying to Vercel. Some people are willing to pay to minimize effort and the need to learn anything.
Very nice developer experience. A lot of batteries included, like CDN, incremental page regeneration, image pipeline or observability. Not having to maintain a server.
I’m still planning to move elsewhere though, the vendor lock-in is not worth it and I’d like to keep our infra in the EU.
All of this is available in Cloudflare $5 plan?
In my experience it severely lacks on developer experience, compared to Vercel.
For many people Vercel is Easy (not simple)
Knowing how to operate a basic server is perceived as hard and dangerous by many, especially the generation that didn’t have a chance to play with Linux for fun when growing up
If you are using nextjs it is easier because vercel done a lot of things to make it a pain to host outside of vercel.
For a lot of folks, I think its ease of deployment when using Next.js. I switched to astro, also doing a lot of cloudflare at the moment. Before that, I was doing OpenNext with sst.dev on AWS but it started feeling annoying.
it's free for newbies and everyone, ofc it's a trap but freemium model gets people. aws can cost easily few thousands with 2-3 mistakes and clicks. vercel makes you start free then if you grow they bill you 10x-100x aws
I dunno I put a lot of traffic through Vercel, maybe 100k visitors per day, and it was under a few hundred a month. I think a couple EC2 instances behind a load balancer would cost similar or more. I was under the impression that its still a VC subsidized service.
They regularly try to get me to join an enterprise plan but no service cutoff threats yet.
I suppose their market is one click deployments. Maybe for non technical people or people not willing to deal with infra.
Can one host a Next js app on cloudflare?
yes, https://developers.cloudflare.com/workers/framework-guides/w...
Ohh this is very cool!
Develop experience. Ephemeral deploys. Decent observability. Decent CI options. Generous free tier.
I started using it a few years ago when I moved to my current company, and have to say I've learned to like it quite a bit. Moving to Cloudflare is an option, but currently it just works so we can't be bothered. Costs are not nothing, but basically no issues with it until now, and it's not so expensive that it raises eyebrows with the biggest being that we have 3 seats. The setup is quick and again it just works. We are a very small team, and the fact we don't have to deal with it on a daily/weekly basis is valuable. Obviously this current situation is a problem, but I am not sure which platform is free of issues like these. People act like it can't happen to me, until it does.
It takes a while to realize you're being gaslit.
0.82% of homes are burglarized every year.
Meaning since 2015, you’ve got an 8.2% chance of having someone walk out with that box. Hopefully there’s nothing precious on it.
Assuming that all homes are at equal risk of being burglarized. In practice the neighborhoods I’ve seen are either at much higher risk or much lower risk.
and burglarized homes have higher prob. of being burglarized again, and probabilities don't accumulate but compound, and is the server even in a house?
I definitely do not keep it at home but the thought has crossed me for smaller less demanding boxes.
They didn't imply the box was at their home and that probability is off
That’s not how probabilities work.
Imagining a thief walking in and demanding the home's RAM gave me a chuckle though.
Thieves probably look for small stuff like jewelry, cash, laptops, not some big old server.
Or burglars.
If they have good backuos, no worries. Mine is in a locked colo cage in a datacenter, so I'm not worried either.
yes, this is indeed how probability works. thanks.
>you’ve got an 8.2% chance of having someone walk out with that box.
The chance of being burglarized is not the same as the chance that when you are hit, they decide to take your webserver. Think it through.
> Vercel did not specify which of its systems were compromised
I’m no security engineer, but this is flatly unacceptable, right? This feels like Vercel is covering its own ass in favor of helping its customers understand the impact of this incident.
Porter also had a breach recently. I assume it is as tightly scoped as they say to not have publicized it.
Dupe. Other thread with comments:
https://news.ycombinator.com/item?id=47824463
Wow, maybe Cloudflare can help them secure their systems? I hear they have a pretty good WAF.
That's why infra needs stricter internal walls than normal SaaS
The original link posted in the post has almost same content: https://vercel.com/kb/bulletin/vercel-april-2026-security-in...
Missing from Glasswing