Hub
Next.js security: start here
If the site seems hard to find through search, it usually means we don't yet have enough entry points for high-intent queries. This hub creates a clear, crawlable path through the most practical Next.js security topics: updates, CVEs, authorization, and supply chain.
Essentials
- Next.js security update playbook
  A repeatable update routine: what to check, how to stage, and how to roll back safely.
- React2Shell CVE-2025-66478 (what to do)
  Fast triage notes and a mitigation checklist for a real Next.js ecosystem issue.
- Authorization / IDOR checklist
  Object-level authorization rules you can actually enforce (not "the UI won't show it").
Supply chain + CI
- npm supply chain attack checklist
  Turn dependency diffs and install scripts into CI gates (lockfile-first review).
- Harden GitHub Actions (CI)
  Least privilege, pin by SHA, and avoid the PR-event pitfalls that leak tokens or grant trust to untrusted code.
- Dependabot policy checklist
  Weekly batching and grouping so updates stay reviewable and don't become incidents.
Extras
- Remove AI-tells checklist (writing quality)
  If you ship fast, readability and trust matter. This tightens the editorial surface.
- Clarifying questions checklist
  A simple review pattern that reduces "vibe-coded" gaps before implementation.