Product Manager

Next.js just patched 13 security advisories. Self-hosted teams have the most work. May 10, 2026 On May 7, Vercel shipped a coordinated security release covering 13 advisories across Next.js and React Server Components. The bundle includes high-severity issues for denial-of-service, server-side request forgery, cache poisoning, and several middleware-bypass flaws affecting App Router. If your team runs self-hosted Next.js on Node, you have the most ground to cover. The fixes land in 15.5.18 and 16.2.6. React users on react-server-dom should jump to 19.0.6, 19.1.7, or 19.2.6 depending on the line they track. Versions 13.x and 14.x are not getting patches at all, so anyone still on those needs to plan an upgrade rather than wait for a cherry-pick. What's actually in the bundle. The headline CVE most outlets are quoting is CVE-2026-23870, a high-severity DoS in the React Flight protocol deserialization. A specially crafted HTTP request to any App Router server function can pin a CPU core. Bad, but a known shape of bug, the kind a WAF or rate limiter can blunt. The class worth reading more carefully is the middleware-bypass set. The advisories describe variants where .rsc and segment-prefetch URLs resolve to the same page as a normal request, but skip the middleware matcher rules. Translation: if your middleware.ts is the only thing between an unauthenticated request and a protected page, an attacker can ask for the same content via a different transport and walk in. There's a related Pages Router variant tied to i18n locale handling, plus a follow-up advisory for the Turbopack code path because the original fix didn't cover it. The remaining advisories cover SSRF via WebSocket upgrade requests on self-hosted Node (Vercel-hosted apps are not affected), DoS in the Image Optimization API, XSS, and cache poisoning of RSC responses. Why "middleware as auth" keeps biting teams. In its pentesting engagements, this is one of the patterns Itguys Systems Srl test for first when Itguys Systems Srl see Next.js in scope. The shape repeats: a single middleware.ts checks the session cookie, redirects to login if missing, and the team treats every route below it as protected. It feels clean. It reads well in PRs. And it usually has a transport-variant gap that someone will eventually find. Middleware in Next.js is a routing concern. It runs early, has limited APIs, and has historically had quirks around how matchers apply to internal request shapes (RSC payloads, prefetches, dynamic segments, locale-prefixed paths). Each of those quirks has surfaced as a CVE class at some point. This week's batch is the latest reminder. When Itguys Systems Srl build cloud-native apps with App Router, Itguys Systems Srl treat middleware as a fast-path filter and put real authorization checks in the route handler, the server action, or the server component itself. The cookie value becomes the input, not the verdict. That extra check costs almost nothing and removes a whole family of bypass risk. What to do this week. A short list: * Upgrade next to 15.5.18 or 16.2.6. If you publish on Pages Router with i18n through the OpenNext adapter, also bump it to 5.15.11. * If you depend on react-server-dom-* directly, match the 19.x patch line you're on (19.0.6, 19.1.7, or 19.2.6). * Plan the move off 13.x or 14.x. Those branches will not get these fixes. * Audit your middleware.ts. If a route is protected only by middleware, add a server-side auth check inside the route handler, server action, or layout. Do not skip this just because you upgraded. * For self-hosted Node deployments, look at edge or proxy logs for unusual .rsc requests, WebSocket upgrades to unexpected origins, and Image Optimization traffic spikes. The SSRF and DoS issues will show up in self-hosted environments first. A note on self-hosted vs platform. Several of these issues are explicitly scoped to self-hosted Node. Vercel says hosted projects had WAF rules in front of the patch. Netlify says some of the advisories don't apply to their serverless model at all. That gap is worth thinking about when you decide where to run Next.js. From its cloud-native development work, Itguys Systems Srl has seen plenty of teams pick self-hosting for cost or compliance reasons (Swiss enterprise clients especially), and that's a fine call. But you carry more of the responsibility for runtime security yourself, and patch cadence becomes part of the operating budget, not a quarterly afterthought. If keeping a self-hosted Next.js stack hardened and patched on a real schedule sounds familiar, let's talk. Itguys Systems Srl do this work across web and mobile builds and security reviews, and the answer is rarely "more middleware". expert-analysis nextjs security tech-news vulnerability web-development

FAQ: Vercel vs Netlify 2026. Is Vercel cheaper than Netlify in 2026? It depends on the workload. Vercel charges $20 per developer seat plus $0.15/GB bandwidth overage; Netlify charges $20 flat for unlimited seats plus roughly $0.55/GB bandwidth overage. For a 10-person team with 200 GB monthly bandwidth, Netlify is roughly 5x cheaper. For a 3-person team with 2 TB monthly bandwidth, Vercel is roughly 3x cheaper. Run your real numbers through both pricing pages. Can I host a commercial site for free on Vercel? No. Vercel's Hobby plan terms explicitly prohibit commercial use, including ads, affiliate links, lead generation, and SaaS subscriptions. To run a revenue-generating site on Vercel you must upgrade to Pro at $20/month per seat. Netlify Starter explicitly allows commercial use within its bandwidth and credit quotas. Does Netlify support Next.js as well as Vercel does? Almost. The Netlify Next.js Runtime adapter ships feature parity for most App Router APIs, but lags by one to two release cycles on bleeding-edge features. ISR, Server Actions, Server Components, and the App Router all work on Netlify; the new use cache directive and certain Vercel-specific Image Optimization paths require workarounds. For production Next.js apps that follow the framework's mainstream feature set, Netlify is fully production-ready. What is Vercel Fluid Compute and why does it matter? Fluid Compute, launched by Vercel in late 2025, lets a single serverless function instance handle multiple concurrent requests rather than spinning up a fresh instance per request. The result is dramatically lower cold-start frequency, lower per-request cost in steady state, and better behavior for AI-streaming workloads where the function holds open a connection for many seconds. Netlify does not ship an exact equivalent as of April 2026. Which platform is better for AI applications? Vercel, by a wide margin in April 2026. The Vercel AI SDK (around 2 million weekly downloads), v0 generative-UI, Vercel Agent, Edge Functions for streaming, and Vercel Postgres / KV combine into the deepest AI-native stack on any PaaS. Netlify Composer is a strong option for content-driven AI workflows, but it does not match the integration depth or product breadth. How long does a typical migration between the two platforms take? Static sites: under an hour for most projects. Server-rendered Next.js apps: one to two days, primarily for Vercel-specific API rewrites. Function-heavy SaaS apps: three to seven days, depending on how many proprietary services (Vercel KV, Netlify Forms, Netlify Identity) need replacement. Plan a low-traffic deploy window for DNS cutover and keep the previous platform live as a hot rollback for at least 48 hours. Are Vercel and Netlify SOC 2 and HIPAA compliant? Both ship SOC 2 Type II reports on standard tiers and HIPAA-eligible Enterprise tiers. Netlify has a longer track record with regulated-industry deployments (healthcare, finance), while Vercel has caught up rapidly with marquee enterprise logos like PayPal, Walmart, and Nike during 2024-2025. For procurement that requires extensive compliance documentation, request the trust packets from both vendors before deciding. Should I consider cloudflare pages or AWS Amplify instead? Yes, depending on your priorities. Cloudflare Pages + Workers is meaningfully cheaper at high volumes (Cloudflare's bandwidth is effectively unmetered) but ships less polished Next.js support. AWS Amplify is the right choice if your team already runs heavily on AWS and wants tight IAM/CloudWatch integration but expect more configuration overhead. Vercel and Netlify are the right defaults for teams that want a polished PaaS without managing the underlying primitives. Sources and external references: Vercel Pricing, Netlify Pricing, Next.js documentation, Next.js on GitHub, and Stack Overflow Developer Survey 2025. Pricing data verified against vendor pages on April 5, 2026. AI & Innovation Editor Nadia Dubois is the AI & Innovation Editor at Tech Insider, where she tracks the rapid evolution of artificial intelligence, from foundation models to real-world enterprise deployment. She previously covered AI and startups for La Tribune and contributed to MIT Technology Review's European coverage. Nadia specializes in generative AI, AI regulation, and the intersection of technology and European industrial policy. She holds a dual degree in Computational Linguistics and Journalism from Sciences Po Paris.

Vercel vs VPS hosting: features, pricing & performance (2026). Compare Vercel vs VPS hosting in 2026. Features, pricing, performance analysis for developers. Which platform fits your project needs? By Anurag Singh Updated on Apr 28, 2026 Why developers compare Vercel vs VPS hosting. Choosing between Vercel and VPS hosting shapes how you deploy, scale, and maintain your applications. Vercel offers seamless deployment for frontend frameworks. VPS hosting provides full server control and flexibility. The decision impacts your development workflow, costs, and long-term scalability. Each approach serves different project types and team structures. Vercel platform overview. Vercel specializes in frontend deployment with Git integration and automatic builds. Push your React, Next.js, or Vue.js code, and Vercel handles the rest. The platform focuses on static sites and serverless functions. Edge deployment ensures fast loading times globally. Built-in analytics track Core Web Vitals and user engagement metrics. Vercel integrates with popular headless CMSs like Contentful and Strapi. The preview deployment feature lets you test changes before production deployment. VPS hosting fundamentals. VPS hosting provides dedicated server resources within a virtualized environment. You get root access to install any software stack and configure services exactly as needed. Unlike platform-as-a-service offerings, VPS requires server management knowledge. You handle security updates, backups, and performance optimization yourself. This control enables custom configurations impossible on managed platforms. Run any programming language, database, or service. Mix development, staging, and production environments on the same server. For developers requiring maximum flexibility, HostMyCode VPS delivers reliable infrastructure with full root access starting from affordable monthly rates. Performance comparison: speed and reliability. Vercel excels at serving static content through its global CDN. Edge functions run close to users, reducing latency for dynamic operations. The platform automatically optimizes images and applies compression. VPS performance depends on your server configuration and optimization efforts. You control caching strategies, database tuning, and load balancing. Well-configured VPS servers often outperform platform services for dynamic applications. Response times vary significantly. Vercel averages 50-200ms for cached content globally. VPS response times depend on geographic location, server specs, and your optimization work. Vercel handles scaling automatically during traffic spikes. VPS requires manual resource adjustments or load balancer configuration. However, VPS offers predictable performance under sustained high load. Understanding VPS performance optimization techniques helps maximize your server's capabilities for high-traffic scenarios. Pricing structure analysis. Vercel pricing starts free for personal projects with usage limits. The Pro plan costs $20/month per user, including 1TB bandwidth and 160GB-hours of function execution time. Enterprise plans start around $400/month with custom limits and support. Bandwidth overages cost $40 per 100GB. Function execution time charges $2 per 1GB-hour beyond included amounts. VPS follows predictable monthly pricing. Entry-level servers start around $15/month for 2GB RAM and 50GB storage. Mid-tier options range $40-80/month with 8-16GB RAM. VPS costs remain constant regardless of traffic or usage patterns. No surprise bandwidth charges or function execution fees. You pay the same whether serving 100 or 100,000 monthly visitors. For cost-effective hosting with transparent pricing, managed VPS solutions provide server management assistance while maintaining predictable costs. Development workflow differences. Vercel integrates tightly with Git repositories. Every commit triggers automatic builds and deployments. Branch previews let stakeholders review changes before merging. The platform handles build optimization, asset compression, and CDN distribution automatically. Zero-config deployment works for most JavaScript frameworks without additional setup. VPS deployment requires more manual steps. You configure CI/CD pipelines, manage build processes, and handle deployment scripts. This complexity offers greater customization opportunities. Database integration differs significantly. Vercel works best with external database services like PlanetScale or Supabase. VPS lets you run databases directly on your server. Custom domains and SSL certificates come standard with both approaches. Vercel handles certificate renewal automatically. VPS requires Let's Encrypt configuration or manual certificate management. Scalability and resource management. Vercel scales serverless functions automatically based on demand. The platform handles traffic spikes without manual intervention. Edge functions distribute globally for optimal performance. Function cold starts occasionally impact response times. The platform limits function execution time to 30 seconds on Pro plans, potentially affecting long-running operations. VPS scaling requires resource monitoring and manual adjustments. You upgrade server specs or implement horizontal scaling with multiple servers. This approach offers more control over scaling strategies. Memory and CPU allocation stays consistent on VPS. No cold starts or execution time limits affect application performance. Persistent connections and background processes run continuously. Resource monitoring becomes crucial for VPS management. Tools like Netdata provide comprehensive VPS monitoring to track performance and plan scaling decisions. Use case scenarios. Vercel works exceptionally well for JAMstack applications, marketing sites, and documentation platforms. The platform handles static site generation efficiently and integrates with headless CMSs. E-commerce sites using Next.js Commerce or similar frameworks benefit from Vercel's optimization features. Image optimization and edge caching improve conversion rates through faster loading times. VPS suits custom applications requiring specific server configurations. Multi-language applications, complex databases, or legacy systems often need VPS flexibility. Long-running processes like data processing, scheduled jobs, or WebSocket connections work better on VPS. Background services and daemon processes aren't suitable for serverless environments. Enterprise applications with compliance requirements often choose VPS for data control and security customization. Choosing between Vercel and VPS depends on your specific requirements and technical expertise. For developers needing full server control with reliable infrastructure, HostMyCode VPS hosting provides the flexibility and performance you need. Its managed VPS options combine VPS power with expert support for the best of both worlds. Frequently asked questions. Can I migrate from Vercel to VPS hosting? Yes, but migration complexity depends on your application architecture. Static sites transfer easily to VPS with Nginx or Apache. Serverless functions need rewriting as traditional server endpoints or containerized services. Which option costs less for high-traffic sites? VPS typically costs less for sustained high traffic. Vercel's bandwidth and function execution charges can exceed VPS costs once you surpass included limits. Calculate based on your specific usage patterns. Does VPS hosting require more technical knowledge? VPS requires server administration skills including security hardening, backup management, and performance optimization. Vercel abstracts infrastructure management but limits customization options. Can I use custom databases with Vercel? Vercel works with external database services but doesn't support databases running on the same infrastructure. VPS allows any database configuration directly on your server. Which platform offers better SEO performance? Both platforms can achieve excellent SEO performance. Vercel's automatic optimizations help with Core Web Vitals. VPS offers more control over SEO-specific configurations and server response optimization.