Introducing deepsec: The security harness for finding vulnerabilities in your codebase
A new open source tool from Vercel that uses AI coding agents to find security vulnerabilities in your codebase. It runs locally on your laptop or on your own infrastructure using your existing AI subscriptions. The workflow involves static analysis to find security-sensitive files, agent investigation of each candidate, and includes a revalidation step to reduce false positives
π Next.js 16.2.6 & 15.5.18 Security Releases
Important security updates have landed for both Next.js 16 and 15. These patches fix multiple vulnerabilities ranging from low to high severity
β‘οΈ Sponsor
Your AI shouldn't grade its own homework
Claude Code writes beautiful code. So does Codex. But here's the thing, they also think they write beautiful code. And when you ask an AI to review code it just wrote, you get the intellectual equivalent of a student grading their own exam. Shockingly, they always pass.
CodeRabbit CLI plugs into Claude Code and Codex as an external reviewer, different AI Agent, different architecture, 40+ static analyzers and zero emotional attachment to the code it's looking at. The agent writes, CodeRabbit reviews, and the agent fixes. Loop until clean.
You show up when there's actually something worth approving.
One command. Autonomous generate-review-iterate cycles. The AI still does the work. It just doesn't get to decide if the work is good anymore.
Free tier available. Try CodeRabbit's CLI.
π Articles / Tutorials / News
π§ Next.js works everywhere now
Jimmy Lai, who leads the Next.js team at Vercel, hops on the PodRocket podcast to explain the adapters API: what it is, why it exists, and how it fixes the pain of self-hosting Next.js on platforms like Cloudflare, AWS Amplify, and Netlify
Async React: Building Non-Blocking UIs with useTransition and useActionState
A practical guide to two React 19 hooks that make async work easier. useTransition keeps your UI responsive without manual loading states, while useActionState bundles state, errors, and pending status into one hook
βΊ Stop Writing Blind Server Components
We've shared this tool before, and now Tobi Mey walks through it on video. RSC Boundary shows you exactly where server components end and client components begin in your Next.js app
π¦ Projects / Packages / Tools
vercel-openclaw
A serverless approach to running OpenClaw. It comes with CLI deployment, sandbox snapshots that preserve state between messages, webhooks routed through Vercel Functions, a Redis-based control plane, and an egress firewall for domain blocking
portless v0.12.0
Portless got some awesome improvements since the last time it was featured. The big one: zero-arg mode auto-discovers your dev script so there's nothing to configure. It also now handles monorepos, giving each workspace package its own subdomain. v0.12 adds --tailscale and --funnel flags to share your local apps over Tailscale
The Agent Harness Framework
A framework that lets you build powerful AI agents (think Claude Code or Codex) in just a few lines of TypeScript. It gives you sandboxed shell access, sessions, reusable skills, and structured outputs
shadcn/ui: May 2026 updates
The shadcn CLI now lets you use package.json#imports (e.g. #components/*) instead of relying on tsconfig.json paths. It also adds target aliases so registry items can specify exactly where files get installed
β‘οΈ Sponsor: Bluebag
Add Skills to your AI-SDK Agent in minutes
Execute Skills in runtime VMs without building infrastructure. Run complex scripts, read Skills on-demand, install dependencies, mint download links, and build predictable, specialised agents in minutes.
π Related
π Vercel Weekly - May 4, 2026
Vercel's AI Accelerator cohort finished with a Demo Day in SF. Meanwhile, Grok 4.3 landed on the AI Gateway, Stripe Projects now handle Pro plan upgrades, hobby deployments are kept for 30 days by default, and Deployment Checks are now built in
New to the web platform in April
A look at what landed in browsers last month. Highlights include contrast-color() reaching Baseline (picks black or white for best text contrast), ariaNotify() for screen reader announcements in Firefox, element-scoped view transitions in Chrome, and Math.sumPrecise
Why TSRX isn't just your Favorite Templating Language
Ryan Carniato digs into TSRX, a potential JSX successor, and explains why it matters: it uses plain JS control flow, allows state inside conditionals and loops (no hook rules), and offers cut-and-paste composability that JSX can't match
Server-Driven UI in 22 lines of TypeScript
A practical guide to letting your backend control page layouts through JSON. The article covers the JSON contract, a component registry, a tiny recursive renderer, and handling actions like navigation and tracking
Top comments (0)