The Build Chain Is a Battlefield
This is the public doorway. The full technical field report now lives on devlog.libertaria.dev.
I do not read the latest Next.js vulnerability wave as “JavaScript bad.”
That is too cheap.
The real story is uglier: modern software keeps handing production authority to invisible convenience layers, then acting surprised when the invisible layer becomes the attack surface.
Routing becomes authorization.
Serialization becomes application logic.
Cache keys become protocol identity.
Package publishing becomes CI identity.
Install scripts become credential access.
Hosting assumptions become security guarantees.
Developer convenience becomes production authority.
That is the battlefield.
The useful lesson is not that Next.js is evil, npm is evil, or TanStack is evil. The useful lesson is that modern software keeps collapsing boundaries until nobody can tell where authority actually lives.
If skipping middleware reaches privileged data, authorization was in the wrong place.
If one URL means different things depending on hidden headers, every cache in front of it becomes part of the protocol.
If a package install can run code near deployment secrets, dependency resolution has the authority profile of a shell session.
If self-hosted deployments inherit assumptions from a vendor platform, the demo was universal but the security model was conditional.
This is why sovereign software begins with visible boundaries.
A request must say what it is. A cache key must encode what matters. Authorization must live where the protected thing lives. CI jobs must not carry production credentials by default. Package installs must not have ambient access to deployment secrets. Framework protocols must be documented, bounded, fuzzed, and treated as hostile input when they cross the network.
That sounds boring.
Good.
Boring survives contact with the internet.
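The cache-key point above (one URL, different responses depending on a hidden header, every cache in front becomes part of the protocol) as an added example that is not from the post or any framework's own code. The header name `x-variant`, the two response bodies and the in-memory cache are constructed stand-ins; the weak key and the corrected key are compared side by side.

```javascript
// Constructed example: a tiny cache in front of an origin whose response
// depends on a request header the cache never looks at.
const HIDDEN_HEADER = 'x-variant'; // hypothetical name for a framework switch header

// The origin serves the same URL as either an HTML page or a data payload,
// chosen by the hidden header (stand-in for a "render as data" protocol flag).
function origin(req) {
  const variant = req.headers[HIDDEN_HEADER] || 'html';
  return variant === 'data'
    ? { body: '{"user":"alice","role":"admin"}', contentType: 'application/json' }
    : { body: '<html>profile page</html>', contentType: 'text/html' };
}

// Weak key: URL only. The header is invisible to the cache, so whichever
// variant is fetched first is handed to every later requester of that URL.
function keyByUrl(req) {
  return req.url;
}

// Corrected key: fold every input the origin branches on into the key,
// so cache identity matches protocol identity.
function keyByUrlAndVariant(req) {
  return `${req.url}|${HIDDEN_HEADER}=${req.headers[HIDDEN_HEADER] || ''}`;
}

// Minimal read-through cache parameterised by the key function.
function makeCache(keyFn) {
  const store = new Map();
  return function serve(req) {
    const key = keyFn(req);
    if (!store.has(key)) store.set(key, origin(req));
    return store.get(key);
  };
}

// Two requesters in sequence: the first sends the hidden header, the second
// is a plain browser request for the same URL. Returns the content type
// each one actually received from the cache.
function simulate(keyFn) {
  const serve = makeCache(keyFn);
  const first = serve({ url: '/profile', headers: { [HIDDEN_HEADER]: 'data' } });
  const second = serve({ url: '/profile', headers: {} });
  return { first: first.contentType, second: second.contentType };
}
```

With `keyByUrl` the plain request is served the data variant that another client warmed the cache with; with `keyByUrlAndVariant` each request gets its own variant. Any real CDN or framework cache needs the equivalent of the corrected key (or a `Vary` on that header) for every header the origin branches on.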
The devlog version goes into the machinery: Next.js advisories, React Server Components protocol risk, WebSocket upgrade SSRF, cache poisoning, TanStack supply-chain compromise, install-time malware, CI authority, and the boundary-collapse pattern underneath all of it.
Read the full field report here:
The Build Chain Is a Battlefield - Devlog
The short version is simple:
The internet is not impressed by your framework abstraction. It only sees exposed authority.
Build systems accordingly.