Critical Next.js Middleware Vulnerability Scores 9.1/10
AI Blindspots, Sam Altman on Consumer Tech & Revenge of the Junior Devs

Hey there!
The past week was many things, but definitely not boring. A major Next.js middleware bug scored 9.1/10: an exploit involving a single HTTP header let attackers bypass authorization. If you’re using middleware, you’ll want to see how it worked and what the fix looks like.
This week, you’ll also read about how AI agents are flipping the power dynamics on dev teams, Sam Altman’s insights into what it’s like to build consumer tech, and a fresh take on technical interviews that might restore your faith in the process.
Interested? Then, grab your coffee, relax, and enjoy reading Frictionless.
In the Queue
Reduce Friction
Revenge Of The Junior Developer
Coding agents are shifting the power dynamic on engineering teams, with junior devs possibly outperforming their seniors. Explore the six waves of AI-driven programming and why “agent fleets” might be clearing your bug backlog by 2026.
What LeetCode Interviews Should Be
What’s the most memorable interview you’ve ever had? In this one, the candidate and interviewer built something together, pairing on a small problem, writing tests, and discussing their choices. No pressure, no tricks. Just two engineers working like they would on the job.
The Software Engineering Identity Crisis
While AI takes over more of the “building” work, many engineers quietly ask: What’s my role now? This piece puts into words the stress of shifting from coder to orchestrator, and what that means for those of us who got into this to build things by hand.
How Vibe Coding Will Affect Engineering Managers
What happens when your team starts shipping 2x faster? Managing engineers becomes the least of your problems. Here are five ways AI could force EMs to rethink what they know, from shifting bottlenecks and code ownership to product decisions and even incident response.
Deepen Your Expertise
Next.js and The Corrupt Middleware: The Authorizing Artifact
A critical flaw in Next.js middleware, scoring 9.1/10, allowed attackers to bypass authorization with a single HTTP header. Security researcher Rachid A, together with Yasser Allam, published an in-depth breakdown of how it worked, and why it happened. The vulnerability affected all versions from 11.1.4 onward, but has since been patched by Vercel.
Self-Hosting Next.js: Strategic Planning for Scale
I had a great time hosting this live session with Jakub Dakowicz, and we’ve got the full recording ready for you. If you’re thinking about self-hosting your Next.js app, or just curious about your options, it’s well worth a watch. There’s also a little surprise at the end.
React Trends in 2025
React is shifting from a UI library into something much closer to a full-stack framework. Robin Wieruch does a great job outlining where things are headed: server components are taking over, form handling is finally improving, and “Shadcnification” is changing how teams ship design systems.
AI Blindspots
AI coding tools are getting better, but they still trip over vague specs, messy file structures, and loosely typed code. This list collects 20 blind spots that LLMs from the Sonnet family hit in dev work, along with a workaround for each.
Increase Scalability
An Interview with OpenAI CEO Sam Altman About Building a Consumer Tech Company
What happens when your research lab suddenly turns into a product company? In this interview, Sam Altman reveals how ChatGPT forced OpenAI into consumer tech, why platform identity could be their biggest edge, and what it takes to scale under pressure.
xAI and Vercel Partner to Bring Zero-Friction AI to Developers
Grok is now natively available in the Vercel Marketplace with built-in auth, a free tier, and no extra signup. For developers already building with Next.js, this makes it way easier to try xAI’s models without switching tools or wrangling new infra.
Operational Mechanisms for Strategy
It’s easy to write a strategy doc, but much harder to make sure anyone follows it. Small, recurring actions like nudges, approval flows, and habit-forming reviews are often what turn good strategy into actual behavior change.
DeepSeek-V3 Now Runs at 20 Tokens Per Second on Mac Studio, and That’s a Nightmare for OpenAI
An open-source model that runs locally, fast, and free? DeepSeek-V3 is now pushing 20 tokens/sec on a Mac Studio, no GPU, no API calls, no limits. It’s efficient, MIT-licensed, and very capable. If you’re OpenAI, this is the kind of thing that keeps you up at night.
Just Cool
Boston Dynamics Shows Off Another Major Leap in Humanoid Mobility
While everyone else is trying to make humanoids useful, Boston Dynamics is out here making them cool. Atlas is back, and now it can run, tumble, and breakdance like it’s trying to get famous.
Let’s Stay in Touch! 📨
Do you have any comments about this newsletter issue or questions you want to ask? Drop me a message or book a meeting.