The Weekly Dev's Brew #5 ☕

TLDR: This week in web dev: Next.js releases a critical security patch for middleware bypasses, Vercel serves up a rich AI SDK update with reasoning capabilities, W3C finally drafts standardized CSS form control styling, and that coffee warming your hands right now? It's actually the perfect coding companion for your brain.

Vercel Brews Trouble and Solutions

Two big shots of news from Vercel this week – one bitter, one sweet – that'll keep web developers both alert and jittery.

A Shot of Security: Next.js Middleware Vulnerability

Vercel has released a critical security patch to address vulnerability CVE-2025-29927 in Next.js, affecting all versions since 11.1.4. Security researchers discovered that the x-middleware-subrequest header could be abused to completely bypass middleware, rendering authorization, path rewrites, CSP headers, and other critical security measures ineffective.

The vulnerability is particularly dangerous because middleware is often used as the primary mechanism for authentication, authorization, and setting security headers. As the researchers explained, "The impact is considerable, with all versions affected, and no preconditions for exploitability." Attackers could effectively skip past all middleware-based protections with a simple header manipulation. To be clear, though, this vulnerability solely affects middleware: if you don't use middleware for anything security-sensitive, you're unaffected.

If you're self-hosting Next.js apps that rely on middleware, you'll want to filter this update immediately. The fix is available across multiple versions:

  • Next.js 15.x: update to 15.2.3

  • Next.js 14.x: update to 14.2.25

  • Next.js 13.x: update to 13.5.9

  • Next.js 12.x: update to 12.3.5

The good news? If you're brewing on Vercel or Netlify, you're already protected.
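To make the patch list above actionable, here is a small added example (not code from the newsletter, from Vercel, or from the Next.js project) with two defender-side checks: one that tells you whether an installed Next.js version is affected and which release from the list above fixes it, and one that flags inbound requests carrying the x-middleware-subrequest header named in the advisory, so you can spot and strip them at a reverse proxy in front of a self-hosted app. The version boundaries and the header name come from the page; treating any major newer than 15 as patched, ignoring pre-release suffixes, and the sample requests are my own assumptions and constructed data.

```javascript
// Added example (not from the newsletter or from Vercel/Next.js): defender-side checks
// for the CVE-2025-29927 middleware bypass described above.
// Facts taken from the page: affected since 11.1.4; fixed in 15.2.3 / 14.2.25 / 13.5.9 / 12.3.5;
// the abused header is x-middleware-subrequest.
// Assumptions (mine): a major newer than 15 is treated as patched; pre-release suffixes are ignored.

const FIRST_AFFECTED = "11.1.4";
const PATCHED_BY_MAJOR = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };
const LATEST_PATCHED_MAJOR = 15;
const BYPASS_HEADER = "x-middleware-subrequest";

// Parse "15.2.3", "v14.2.25" or "15.3.0-canary.4" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Decide whether an installed Next.js version carries the bug and which release fixes it.
function assessNextVersion(version) {
  const v = parseVersion(version);
  if (compareVersions(v, parseVersion(FIRST_AFFECTED)) < 0) {
    return { version, vulnerable: false, action: "not affected (older than 11.1.4)" };
  }
  if (v[0] > LATEST_PATCHED_MAJOR) {
    return { version, vulnerable: false, action: "newer than the patched 15.x line (assumed fixed)" };
  }
  const fix = PATCHED_BY_MAJOR[v[0]];
  if (!fix) {
    // 11.1.4 and later 11.x releases: affected, with no fix in that major on the list.
    return { version, vulnerable: true, action: "no patched release in this major; move to 12.3.5 or a later patched line" };
  }
  if (compareVersions(v, parseVersion(fix)) >= 0) {
    return { version, vulnerable: false, action: `already on ${fix} or later` };
  }
  return { version, vulnerable: true, action: `update to ${fix}` };
}

// Flag inbound requests from outside that carry the internal header. It exists for Next.js's
// own sub-requests, so an external client sending it is worth logging and, at a reverse proxy
// in front of a self-hosted app, stripping. Presence is the signal; the value is ignored.
function flagSubrequestHeader(requests) {
  return requests.filter((req) =>
    Object.keys(req.headers || {}).some((name) => name.toLowerCase() === BYPASS_HEADER)
  );
}

// Constructed sample requests (not captured traffic): two carry the header, one does not.
const SAMPLE_REQUESTS = [
  { ip: "203.0.113.5", method: "GET", path: "/admin", headers: { [BYPASS_HEADER]: "<constructed value>" } },
  { ip: "198.51.100.7", method: "GET", path: "/", headers: { "user-agent": "Mozilla/5.0 (constructed)" } },
  { ip: "203.0.113.9", method: "GET", path: "/dashboard", headers: { "X-Middleware-Subrequest": "<constructed value>" } },
];

// Stand-alone run: check a few versions and scan the sample requests.
for (const v of ["14.2.24", "15.2.3", "11.1.3", "13.4.0-canary.2"]) {
  console.log(v, assessNextVersion(v));
}
console.log("flagged:", flagSubrequestHeader(SAMPLE_REQUESTS).map((r) => `${r.ip} ${r.path}`));
```

Feed assessNextVersion the version from your lockfile rather than package.json's range, and run the header check on the edge or proxy layer, where the header can be dropped before it reaches the app; on Vercel or Netlify, as the newsletter notes, that protection is already in place.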

A Rich Cup of AI: SDK 4.2 Release

On a more flavorful note, Vercel also released AI SDK 4.2, and this update is no weak brew. The highlight feature is support for reasoning models – including Anthropic's Claude 3.7 Sonnet – that can methodically work through problems like a human, producing more reliable results for complex tasks.

The SDK now supports the Model Context Protocol (MCP), connecting your applications to hundreds of pre-built tools for everything from GitHub and Slack integration to filesystem operations. There's also improved image generation features that let language models create visuals directly in chat responses.

Other additions to this rich blend include:

  • URL sources standardization for attribution

  • OpenAI Responses API support

  • Complete rewrite of the Svelte package for Svelte 5

  • Stable middleware for enhanced model behaviors

With over a million weekly downloads, developers are finding this toolkit to be just their cup of tea (or rather, coffee).

Quick Sips

  • Biome v2.0 beta is brewing with plugins support, domain-specific lint rules, HTML formatting, and improved import organization

  • Valibot v1.0 has been officially released as a 1kB schema library, 10x smaller than Zod with full tree-shakability

  • tRPC v11 is now fully brewed with TanStack Query v5 support, streaming responses, and RSC integration

  • e18e is spearheading migration of the JavaScript ecosystem to ES modules with Node.js now supporting require(esm)

  • Unhead v2 launches as a full-stack <head> manager for any framework, now supporting React, Svelte, Solid.js, and Angular

  • URLPattern API has been added to Node.js v23.8.0 and Cloudflare Workers for improved URL pattern matching

  • Kyle Gill writes "Next.js vs TanStack," arguing that TanStack provides better abstractions for most projects

CSS Finally Gets a Form-al Makeover

The W3C has finally poured out the First Public Working Draft of CSS Form Control Styling Level 1 this week, and it's a rich, full-bodied solution that web developers have been thirsting for since the early days of CSS. This specification aims to standardize how we style form controls across browsers – bringing harmony to a space that's been brewing inconsistency for decades.

The draft introduces an appearance: base value that serves as a consistent foundation across browsers with sensible defaults. No more browser-specific form control styling that leaves your UI looking like it was brewed by different baristas! The spec also defines a comprehensive set of pseudo-elements targeting specific parts of controls:

/* Style the thumb of a range input */
input[type="range"]::thumb {
  background-color: #8B4513; /* Coffee brown */
}

/* Target different parts of a date picker */
input[type="date"]::field-component {
  color: #FFA500;
}

The specification includes everything from styling checkmarks and file selector buttons to color swatches and number input controls. At long last, we'll be able to craft form experiences that match our brand without having to filter out browser inconsistencies or brew our own controls from scratch. Like a perfectly timed pour-over, this specification has been a long time coming, but the results should be worth the wait.

Coffee Fact of the Week ☕

Did you know that caffeine doesn't actually give you energy? It works by blocking adenosine receptors in your brain. Adenosine is the neurotransmitter that makes you feel tired, and caffeine just prevents it from doing its job. So that coffee you're sipping isn't adding fuel to your brain—it's removing the brake pedal, allowing your natural neural activity to run at full speed, perfect for those late-night debugging sessions!

See you next week. Happy coding & brewing!
