yo, @vercel @rauchg This is awful - not the vulnerability (those happen) but your handling of it with the next.js community. Glad major platforms have mitigations in place and rolled out. While Netlify itself was not vulnerable to this, ALL platforms have had to do a fire drill late/early today to validate this, push changes, and ensure this. Any platforms that were impacted now have to spend lots of time with customers ensuring their sites were not abused through this vulnerability - including Vercel's customers. Even Cloudflare's team @elithrar @dok2001 had to work on putting rules into place today instead of when Vercel/next knew about it?! From my perspective here, the timeline looks like the Vercel team knew about it for _at least_ 5 days and quietly pushed changes in that time to the latest versions of Next. This morning we see this advisory and it's the first time anyone from next/vercel reached out to anyone on the matter. This is a major security issue with an open source framework that you maintain and where was Vercel here? - The PRs for fixing the bugs look like maintenance not security issues - YOU HAVE DONE ZERO OUTREACH via @vercel @nextjs even now to customers to advocate for updating and validating their systems. - You privately hit up other platforms early this morning several hours AFTER the CVE was announced - you did put in a changelog today that talks about your firewall but this is covering your bases, not supporting the community. Even on your platform, were customers ever impacted or was there a timeline that they were? As far as I can tell - as someone with Next.js sites deployed to Vercel - no outreach has been done to confirm any of this. Maybe at the end of the month it will show up in the product emails. You've treated this thus far the same as a spelling error that you needed to fix. So this means, Vercel knew about this for 5 days and did not work with the open community about it until they had to. This hurts trust with the open source contributors to next and customers using next at all. It also increased the amount of time customers were vulnerable and the amount of auditing and research to protect customers. We need something here to believe that you're properly informing and advocating for security practices and safety for those who use this framework regardless of if they user Vercel.

You might want to start with making announcements from the social accounts to users/developers and doing proper advocacy on the security mitigations customers need through social channels. Then a follow up with a detailed timeline of where things happened and how you’re improving your stewardship of security as the leader of Vercel and Next.js. To be clear this is an active security problem for Next users on many platforms or self hosted. Showing up for them is what’s needed now. Not a response to this poor handling immediately.

This is missing some important context - clarification on “are not affected” or “are no longer affected”? Netlify was never impacted. Cloudflare users were until the CVE came out and CF patched it quickly. @vercel - was it ever impacted? This matters because those that were impacted still need security review to ensure no exploits over that period.

Stoked to announce I’m joining @Netlify next week as a Principal Engineer to help push the web forward and help make it faster!!! 🎉🎉🎉

Patched 5 days ago, disclosed to no one, zero advocacy to update to patch, and zero community work to ensure next hosted elsewhere is secured. Protecting themselves first and ghosted the community on it

I have brought receipts: - the only known sharing of this info from the team nitter.app/rauchg/status/19033609… - nothing from @vercel @nextjs @vercel_changes - CVE posted around midnight last night github.com/advisories/GHSA-f… Note - it's Vercel that determines when that gets posted - PR github.com/vercel/next.js/pu… "This just adds an additional header to our internal filtering list for middleware." is the commit message. - merged on March 17th

Since yall are active trying to gotcha folks.. can you tell us why Vercel had a firewall rule in place for this perfectly inert header that caused this security incident for many other providers? Infra companies don’t just have firewall rules set up for random headers, only dangerous or potentially dangerous ones. I’m really trying to understand why would you have that set already when it became known to be dangerous to your team in the last few weeks. You’ve already said Vercel was never vulnerable but this just doesn’t add up. Was it by accident or was there a known reason by your team earlier than this incident that this was dangerous? Or did you actually have an issue on Vercel and using word play to skirt the idea that it’s no longer affecting? Firewall rules are reactive tools - full stop. When/why did you react to it on Vercel?

I mean.. “My password is just 18 stars though...” seems to pass those rules...

Tomorrow I start at @InVisionApp as a Sr. Engineer on Growth. Super excited for the new challenges and opportunities 👊🏻👊🏻

We really enjoyed doing this over a zoom while we played skribbl.io/

Hey @rauchg I don’t want to interrup.. this.. but the Next community is still waiting for your leadership to follow up over here. nitter.app/JavaSquip/status/19034… Glad to see some of your team moving but where is your follow up here and owning the impact that was caused here? The silence today has been screaming and it seems like you’re getting distracted from your responsibilities to the OSS community nitter.app/JavaSquip/status/19034…

True story, I looked into and joined @InVisionApp because of @DannPetty raving about the folks there. Happy to report he undersold it and everyone at this company is 10x awesomer than I realized 🙌 Come join the team and help make cool stuff for designers and developers!

Dude, are you serious? @rauchg how do you say this and then start posting this mess instead of addressing the community with support and resources?! Stoked that Vercel isn’t impacted anymore but the Next community is?

👋 Netlify engineer here. Happy to partner with you on this! Shoot me a DM and we can knock it out. Would be maxing to see the idea to usable site - end to end 🙌

Even better tracking:

Update: from their report, it’s actually 7 days since patch and 23ish days since the vercel team was informed about it. I’m surprised the community of folks building on it, using, and supporting Next didn’t hear about it through enterprise customer security SLAs alone.

For posterity

Just because they are factual doesn’t make them not gotchas Regarding the headers, understandable! What Matle says makes sense, however that’s also not a firewall. You said users were proactively protected via a firewall with a link to the firewall docs - not that your edge overrides the headers during transactions and this was handled coincidentally

You’re right. However, getting users to the site in order to present a value prop + subscription means they want clicks. That’s how growth funnels work. Not saying the funnel is wrong but don’t say clicks aren’t your business because that’s BS

We also have receipts that the changelog from them didn’t happen until another platform reached out to get them to do this. Really? Literally zero proactive support from the team

@mxstbr @timolins @tobiaslins @lauridskern great work! 🐠

Principal Engineer 🎉🎉

I’m trying to figure out wtf is going on. The teams eventual acknowledgment and broadcast this morning was that Vercel isn’t impacted because of its firewall with a link (which was questionable at best), then the page completely changed, and now you’re saying this is why it works. I actually believe that’s why it works. Netlify’s system is safe because of its own override systems on our edge. So yes I think you’re spot on. But I am saying this was fumbled from the word go and this is another part of it - expressing customers were safe for invalid reasons and changing it without correction.

Update: remember this morning when Vercel said you need to use their Firewall rules to get around this security issue on Vercel @dok2001 @elithrar? Well they’ve deleted that changelog and now they’ve never had any issues apparently and they were never vulnerable. I have no idea how to help folks using Vercel/Next.js

We just launched durable, event-based architecture for Netlify. Run steps, pause execution for days, retries, etc. Give it a try!! @Netlify shippppppss netlify.com/blog/launching-a…

I have seen literally hundreds of people promoted while working remotely. I myself have been promoted a few times. This is just ambiguous bs for your antiquated ideals.

This has a mountain of knowledge and experience. 👍🏼👍🏼@tferriss

Agent Experience is critical, MCP is the interactivity layer we have today. It’s got a lot of issues, but MCP itself is just a tiny contract - nothing more. Support it now, and make something better. You can have your team join the conversation with industry working groups on AX. DMs open! (More info agentexperience.ax)

@kevinhou22 and the crew at @windsurf_ai are doing amazing work with the editor and Cascade. We @Netlify are so excited to be an official partner supporting them helping developers bring their ideas to life. Let's go!!!

Here's my @smashingmag article on how to leverage Server-Timing's unique properties to capture more data about how your site is performing and capture hard-to-access resource data! 👊👊 smashingmagazine.com/2022/05…

Hey! DDoS and attack mitigations have been in place for years. All platforms/mitigations have rare exceptions that get through. Other processes are there to ensure customers don't see unnecessary bills. We know this should have been avoided at either layer - we're improving this.

Introducing @Netlify's official MCP server! Netlify is already the number 1 deploy target for AI agents. Now, we can help tools that don't have a direct integration with Netlify build and deploy through your agent. This is day one, with much more to come - stay tuned!

Growing sideways?

Hey @jchiatt ! Happy Birthday! @InVisionApp is working on a lot of ambitious projects, team is 100% remote, and they’re really amazing to work with! And we certainly have lots of JS :) invisionapp.com/about/#jobs If that sounds interesting, I’d love to chat more with you! 👍

No one said the clicks were the value prop. Clicks are the top of the funnel. More clicks = larger funnel into business. Point stands

My bet is they pull an Google-> Alphabet structure change and that “rebranding” is for the umbrella not being FB. Also likely that there’s some value in doing that to prevent breaking it up or reduce that impact.

Btw, confirming to the world that @joelhooks and @jlengstorf are just as rad in person as they appear on the internet 🙌🙌

We're starting (slowly but surely) an open context standards initiative over github.com/opencontextstanda… with major agent providers as well as infrastructure companies around surfacing emerging opportunities/specs for context and delivery. The first spec for grounding this initiative is solving the challenge of the fragmentation of client-hosted context. Here is the initial spec I put together that's ready for group and community review as well. github.com/opencontextstanda… cc @digitarald @sqs @sualehasif996 @mntruell @kevinhou22 @kevinhou22 @embirico 🙌

Either upgrading to the latest versions or prevent the specific bypass header from coming into the system. Most major platforms that were vulnerable put the latter in place on behalf of customers. Something we should have been told before the CVE was published on a Friday at midnight.

I got to use Chai before they launched and... it's awesome. Check it out! Agents will come in all shapes and sizes. Chai is helping democratize this further!

For posterity: nitter.app/eduardoboucas/status/1… At this point, how can you trust the security posture here? They just happened to have a firewall rule in place for an extremely specific and obscure header? **You don’t need firewall rules for things that aren’t dangerous or possible to be so** i know how these systems work and saying that this has always been there feels disingenuous - good news is that’s easy to verify with changesets or audit logs to show when and why that rule was put into place. If I were a paying Vercel customer with anything on it worth having, you better believe I’d require a full audit. This doesn’t add up at all

@InVisionApp we’re always looking for amazing engineers! Happy to chat more and share your info with our recruiting team!

You might want to check out the details more closely. Took a few weeks to prioritize, a week to push a change and disclosed it to no one responsibility. Only acknowledged this when everyone figured out what was going on

Yep and it works for new files too. Create new file and, in the file name, slashes will create folders

As a platform that loves hosting Nextjs sites and building out the web ecosystem for everyone, we definitely will be there!

I’ve been @InVisionApp for 3 years (as of the 1st). I always start a new notebook when joining a new company and I’m an avid notetaker. It takes about 3 years to fill these books up. I love working with this amazing team and on our mission. Excited to fill up the next book 👊

I once instantiated a branding theme with a singleton. So essentially, first customer to hit it, every customer got their branding. We clustered customers based on industry. Fedex called very upset that all devices had UPS branding 😅 I’ll never forget how a singleton works :)

Netlify Blobs! - the easiest arbitrary data/file store on the market to use🔥🔥🔥

Ivy Caroline Roberts ❤️🙌 3:42pm - 8lb2oz - 20.5in instagram.com/p/B1korgrFED0/…

Another trip around the Sun complete! Grateful for all of the people that’s been apart of this trip

I did not realize .toString() takes a radix value so you can effectively convert numbers to binary, hex and oct that way too.. pretty cool

Update: nextjs docs now no longer advocate for solving auth in middleware. So following the docs now would have lead you the right way but not as of yesterday github.com/vercel/next.js/pu…

Turns out on the vercel side it was solved through coincidence on their side not through their firewall like they originally claimed after eventually acknowledging it. So if I’m tracking this right, it was known by the team since Feb, (everything that happened today), the team didn’t have an accurate understanding of the issue to share publicly, and throughout the day it was finally realized why it wasn’t impacting them. Lots to improve on showing up for community, partners, customers, and businesses. You know what might help? Does anyone have any good AI Ideas? Wait, that won’t help. nitter.app/cramforce/status/19035…

My favorite tech talk just happened with freehand live! #InVisionIRL #freehand

Excited to talk AX, MCPs, all the things with @kentcdodds and @domitriusclark 🚀🚀

nitter.app/JavaSquip/status/19046… Some improvements needed on your testing

🙂

I don’t disagree with that take. The problem is this is about an open source framework and standard practices of disclosure that were never done.

Never be good at something you don’t want to do. ...Applies to what you do and how you do it.

“Critical severity” CVEs submitted formally are not the same. I appreciate what you’re saying but this ain’t that. And this also isn’t some random OSS project with a few folks involved

Lots to solve in this space of offering good agent experiences - more than a registry. E.g., what’s the ideal payment processing checks and balances for genetic purchases? If you or the team is interested, we’re looking to have open conversations on this agentexperience.ax

Daily e2e smoke test by the company that manages the restaurant site 😅

I've been working remotely for the better part of a decade. IDK what keyboard shortcut to use to exit zoom. AMA

thecvefoundation.org/ Is looking to step in to take this on

I didn’t say click bait I said clicks were top of the funnel - a major part of the business. Said another way, a major part of their business. But 👋 moving on with life

Yes this is referring to earlier in the spa hype cycle

Join me and @DanBarak on April 25th to hear what to expect from the @Netlify AI Roadmap. ntl.fyi/48ZqQPb This is about Web + AI so of course it's going to be web/virtual and free to join! This is going to be an exciting year for the web and composability! 👊

Can you help here with @jayphelps? That post is actively causing issues with CF users - I know the linked post was fixed but the incorrect information in that tweet will filter out folks who need to read more into it. It's also unclear if Vercel was ever impacted by this? I have about 20 DMs asking to that end and I don't know how to direct them. "Not affected any longer" isn't the same as "never affected". Can that clarity also be added? nitter.app/_jayphelps/status/1903…

@burtonsnowboard you better take this man up ☝️👌

And if you want to do this with a platform that isn’t trying to directly compete with your product and has a full agent experience program set up for your product’s to be successful, leverage @Netlify 🚀

It's amazing Tony retweeted this. 👊🏻👊🏻 Skateboarders can do anything and have valuable hard earned experience of learning from failure

I got a @BenNadel thumbs up pic! My tech career has peaked!

This is just the beginning

@vercel shared a post mortem vercel.com/blog/postmortem-o… First, glad to see improvements also... - This would be the first time they told anyone they attempted to test on other partners. They never mentioned this in the entirety of the very public incident...also they might need to update their test for @Cloudflare It repeatedly seems like @vercel @nextjs thinks Cloudflare wasn't impacted, but they were/are and need the WAF rules - It seems they decided only testing CF/Netlify/Vercel was sufficient to say all is good - there are many other partners not involved in this conversation, not to mention self-hosted setups which can be impacted by it. Looking forward to the improvements, this postmortem of annotated timeline doesn't feel worth the HTML is was written on and only causes more questions.

We're working on a spec here across agents: github.com/opencontextstanda… Would love any input you have on it

Thanks for all the work you and team put into Moment! If you don’t get heat from shutting something down from major updates, did you really ship lots of value? Not saying it’s right, just that you can take this as a sign that you made their lives better - despite their tantrum

And how they show up for community and other platforms openly is also constantly clear..

@zeithq with the `now` api and cloud hosting is setting the bar really high. So simple and brings SSL and http/2 out of the box! Rad!

Merry Christmas from the Roberts family! 👊👍 instagram.com/p/B6eo8Qrl21R/…

Love this post from @stevenfabre on how collaboration lifts agent experience (AX). Check it out! liveblocks.io/blog/great-age…

I love remote work but man it'd be nice to be able to have a real happy hour with folks from work every now and then. Virtual happy hours don't cut it over long stretches of time

Hey, just a thought, but you could create a JWT token client side with all of this information and append that to the url. Then use the data from the url to generate what's presented. The URL will be less pretty, but this app could work entirely without a data/storage layer.

I confirmed the vendor being used to help filter out invalid emails is causing this ruckus. Vercel put in a bypass to help 🙌. That said, I think Netlify folks would still like to keep our fake mustaches on while we enjoy the event. 🥸 Looking forward to it!

🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥

Is it morally wrong for people to work indoors when others have jobs that require them to work outdoors?

#devtalentshow I skateboard sometimes and fall other times 👊 😅

Accept that every day has its own definition of success. Energy, time, etc. all play into that def. I think the ambition comes in when you try to maximize on your day given those variables vs not letting those variables determine your day. Some days ambition is just showing up

Join us to talk about the best and only MCP that can deploy full websites! 👊👊 let’s go!!

Check out this timeframe!?

Turns out you might be happier if you’re not seeing endless feeds of filtered versions of other people.

Yo! Mark your calendars! I’m going to dive into how you can use Async Workloads to capture the full opportunities your users give you - like at checkout on Black Friday/Cyber Monday. See you there! 👊👊

No way! We have way better ways! These days you can use OCR to avoid typing it in manually 👍👍

Write down everything in my head, extrapolate the actions, work on them - first action is break down the action to smaller steps. When “figuring it out” while doing the work can’t happen at the same time mentally, then “figuring it out” gets its own work item

Netlify complete full stack, build and claim - scale to zero or infinity as you need. 👊👊

Got to see my beautiful baby girl today 😍❤️🙌 instagram.com/p/Bx8inPVFV3Z/…

Got some skating in today 👊👊

@TejasKumar_ was so great to talk to about AX and the opportunities. If you have a chance to collab with him, I highly recommend it. Check out our conversation on AX and how solutions like MCP, llms.txt, etc. fit into this discipline.