#Security

The Mintlify Vulnerability Is Not React2Shell: Framework Responsibility vs. Implementation Responsibility

An explanation of how the Mintlify vulnerability differs from React2Shell, and why it matters to separate framework-level problems from implementation-level ones.

Claude Code Permissions: I Have No Idea What I'm Doing

I started tweaking Claude Code's settings files to stop the constant permission prompts, and fell into a rabbit hole. When the official docs say permissions 'can be bypassed' and call them 'tricky,' perfect control is probably not the goal.

React2Shell Was Such a Headache I Migrated from Next.js to Astro

CVSS 10.0 React2Shell, fix it and another vulnerability appears, fix again... I was done. Migrated to Astro — including a lesson learned from installing 60 shadcn UI components and using only one.

[Node.js] Security release delayed again to January 13 - Three High-severity vulnerabilities to be fixed

The Node.js security release originally planned for December 15, 2025 was delayed four times and is now scheduled for January 13, 2026. The release will include fixes for three High-severity vulnerabilities.

CVE-2025-54100: Remote Code Execution in PowerShell's `Invoke-WebRequest`

A command-injection vulnerability was found in Windows PowerShell's `Invoke-WebRequest` cmdlet. When fetching a web page, embedded scripts could be executed.

npm Was Broken So I Switched to pnpm [React2Shell Vulnerability]

npm install kept failing with a mysterious error while patching Next.js/React for a security vulnerability. Switching to pnpm fixed it immediately.

Notes on addressing the Next.js/React 'React2Shell' vulnerability

A summary of how to verify impact and the mitigation steps for the CVSS 10.0 React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478), plus additional DoS and source code exposure issues.