DEV Community: Dev Encyclopedia

MCPConfigCheck: Check Your MCP Server Config for Known Supply Chain Risks

Dev Encyclopedia — Sat, 20 Jun 2026 05:56:39 +0000

Your MCP config might be one unpinned version away from a supply chain attack.

If you're running MCP servers in Claude Desktop, Claude Code, Cursor, or VS Code, that config file is now part of your attack surface, and most developers never check it against anything.

The pattern behind recent incidents

The MCPoison and ContextCrush incidents both followed the same playbook:

A config gets approved once, looking completely benign
It's silently updated to a malicious version later
Or a tampered server feeds attacker-controlled instructions directly into the AI agent's context

Because MCP servers have direct access to your AI agent's working memory and can invoke tools on your behalf, a compromised server can exfiltrate credentials or execute commands with no visible indication anything is wrong.

What MCPConfigCheck does

Paste your mcp.json or claude_desktop_config.json and it instantly checks for:

Known incident matches: cross-referenced against a maintained catalog of disclosed MCP supply chain incidents
Unpinned versions: @latest or no version pin, which can silently resolve to a compromised release
Overly broad filesystem access: root (/) or home directory (~) access that exposes SSH keys, .env files, and credentials
Unverified npm scopes: packages outside known publisher scopes, more exposed to typosquatting
Hardcoded secrets: API keys or tokens sitting in plain text in your config
Unexpected command runners: anything outside the standard npx, node, python, uvx, docker set

Each server gets a Critical, Warning, or Clean rating with a plain-English explanation and a fix.

Why it's safe to paste your actual config

Everything runs 100% client-side. The JSON is parsed locally in your browser, the threat catalog is a static bundled dataset, and no network requests are made. Nothing leaves your browser, and if your config has secrets in env vars, they're masked in the output.

No install, no signup, no server.

Try it

https://devencyclopedia.com/tools/mcpconfigcheck

If you find an incident the catalog doesn't cover yet, there's a contact link on the site to report it for the next update.

Caching Strategies Explained: CDN, Redis & DB Cache

Dev Encyclopedia — Fri, 19 Jun 2026 03:33:32 +0000

Ask a dev to speed up a slow app and the first word out of their mouth is usually "Redis." That instinct isn't wrong, but it's incomplete. Redis solves one specific problem, shared fast key value lookups across multiple servers, and a huge number of performance issues never need to touch it at all.

Here's the framing that actually helps: there isn't one cache, there are four. A request from a browser passes through the browser's own cache, then a CDN, then your application's in memory or Redis layer, and finally the database's own cache, before any of your code runs.

In the full guide, I cover:

Browser caching with Cache-Control: max age, no cache vs no store, and immutable
CDN caching, and why authenticated or per user data shouldn't go anywhere near it
In process vs distributed caching, and where each one breaks down at scale
Cache aside, write through, and write behind patterns, with JS and Python examples
TTL expiry, event driven invalidation, and versioned keys for handling staleness
A decision table mapping common data types to the right cache layer

Plus a free Redis memory calculator to help size your instance before you provision anything.

Read the full breakdown here 👇

https://devencyclopedia.com/blog/caching-strategies-explained

30 Next.js Interview Questions and Answers (2026)

Dev Encyclopedia — Thu, 18 Jun 2026 03:55:55 +0000

Next.js shows up in more frontend and full-stack job postings every year, and the framework keeps moving fast enough that last year's interview prep is already out of date.

PPR is the stable default in Next.js 16. "use cache" replaced the confusing implicit fetch caching from Next.js 13/14. params and searchParams are now Promises. middleware.ts is now proxy.ts. Turbopack is the default bundler for both next dev and next build.

If your prep material does not cover these, you're walking in with an outdated mental model.

This guide covers 30 questions across five categories:

Fundamentals: what Next.js adds over plain React, rendering strategies, file-based routing, next/image
App Router conventions: layout.tsx, loading.tsx, route groups, parallel routes, middleware
Server vs. Client Components: when to use "use client", hydration errors, Suspense and streaming, Server Actions
Data fetching and caching: "use cache", revalidatePath vs. revalidateTag, ISR, the four cache layers, async Request APIs
Performance and advanced: Partial Prerendering (PPR), Turbopack, next/image props and Core Web Vitals, authentication

Each answer is written the way you'd say it out loud in an interview, not the way the docs phrase it, with code samples for the questions where you might be asked to write something live.

There's also a quick reference table at the end with all 30 questions and their core concepts, useful for a final scan the night before.

Read the full guide with all answers and code samples:

👉 30 Next.js Interview Questions and Answers (2026)

Stop Guessing Your LLM API Bill. Compare Claude, GPT-5, and Gemini Costs Side by Side

Dev Encyclopedia — Wed, 17 Jun 2026 03:58:04 +0000

Provider pricing pages show per-token rates. What they don't show is your actual monthly bill based on your call volume, prompt sizes, and whether you're using context caching.

So I built LLMCostCalc, a free, browser-based calculator that does that math for you across 8 models: Claude Haiku/Sonnet/Opus, GPT-5 mini/GPT-5/GPT-5 Pro, and Gemini 2.5 Flash/Pro.

Here's what 1,000 calls/day with medium prompts looks like:

Model	Monthly Cost
Gemini 2.5 Flash	$11.70
GPT-5 mini	$23.40
Claude Haiku 4.5	$144.00
Claude Sonnet 4.6	$540.00
Claude Opus 4.5	$2,700.00

That's a 230x spread between the cheapest and most expensive option at the same workload.

The tool also models context caching savings for Anthropic and Google models, breaks out input vs output costs separately (output tokens are typically 3-5x pricier), and gives you a plain-English recommendation for the best cost-to-quality tradeoff at your volume.

Everything runs in your browser. No signup, no data sent anywhere.

👉 Try LLMCostCalc on Dev Encyclopedia

50 Cloud & DevOps Interview Questions and Answers (2026)

Dev Encyclopedia — Tue, 16 Jun 2026 03:51:16 +0000

Cloud and DevOps knowledge is no longer optional for backend engineers. AWS Lambda, Docker, and microservices show up in job requirements for roles that used to be purely application-focused. Azure Entra ID is now a standard topic for any role touching enterprise Microsoft environments.

This guide covers 50 questions across 6 categories, written to be said out loud in an interview: specific, grounded in real behavior, with working code examples throughout.

Full article with all answers, code snippets, and a quick reference table:
devencyclopedia.com/blog/cloud-devops-interview-questions

What's covered

Category 1: Serverless & AWS Lambda (Q1–Q8)

What is serverless and what problem does it solve?
How does the Lambda execution model work?
Lambda cold starts and how to reduce them (provisioned concurrency, SnapStart, runtime choice)
Reserved vs unreserved vs provisioned concurrency
Lambda Layers, invocation types, limits, and production monitoring

Category 2: AWS API Gateway (Q9–Q14)

REST API vs HTTP API vs WebSocket API
Integration types: Lambda proxy, HTTP, AWS Service, Mock
Authorization: IAM, Lambda Authorizer, JWT Authorizer
Throttling, stages, canary deployments

Category 3: AWS S3 (Q15–Q20)

Core concepts: buckets, objects, keys
Storage classes: Standard, IA, Glacier, Intelligent-Tiering, Deep Archive
Versioning, presigned URLs (GET and PUT), event notifications
Bucket policy vs ACL

Category 4: Docker (Q21–Q32)

Docker vs VM: shared kernel, boot time, resource overhead
Image vs container, layer caching, efficient Dockerfiles
Multi-stage builds (fat build image vs lean production image)
Compose, network drivers, volumes vs bind mounts
Container security: non-root, distroless, cap-drop, read-only FS
Docker Swarm vs Kubernetes

Category 5: Microservices (Q33–Q42)

Monolith vs microservices: when to use each
Synchronous (REST, gRPC) vs async (queues, Kafka) communication
Circuit Breaker pattern (Closed, Open, Half-Open states)
Saga pattern: choreography vs orchestration
Event sourcing, distributed tracing, service mesh, 12-factor app

Category 6: Azure Entra ID (Q43–Q50)

What Entra ID is and how it differs from on-premises AD
App Registration vs Service Principal
OAuth 2.0 flows: Auth Code, PKCE, Client Credentials, OBO, Device Code
Managed Identities (why they replace client secrets)
Conditional Access, Azure RBAC vs Entra ID roles, SSO, PIM

Quick sample: Q29 — Multi-stage Docker build

# Stage 1: build
FROM node:22 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: production image
FROM node:22-alpine AS production
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY --from=builder /app/dist ./dist
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]

The production image contains only the Alpine runtime, production deps, and compiled output. The build environment is discarded. Result: ~80MB instead of ~800MB.

Quick sample: Q36 — Circuit Breaker (Node.js)

const CircuitBreaker = require("opossum");

const breaker = new CircuitBreaker(callPaymentService, {
  timeout: 3000,
  errorThresholdPercentage: 50,
  resetTimeout: 30000,
});

breaker.fallback(() => ({ status: "deferred", message: "Payment queued for retry" }));
breaker.on("open", () => logger.warn("Circuit OPEN"));

const result = await breaker.fire(paymentData);

Quick reference: all 50 questions at a glance

The full article includes a table with every question and its core concept in one pass — useful for a last-minute scan before an interview.

5 things to have solid before you walk in:

Cold start mitigation: provisioned concurrency, SnapStart, small packages
REST API vs HTTP API: caching and usage plans vs price and JWT authorizers
Multi-stage Docker build: separate build image from production image
Saga pattern: choreography vs orchestration for distributed transactions
Managed identities: why they replace client secrets in Azure

Full guide (all 50 answers + code examples):
👉 devencyclopedia.com/blog/cloud-devops-interview-questions

40 SQL Interview Questions and Answers (2026)

Dev Encyclopedia — Mon, 15 Jun 2026 04:18:13 +0000

SQL shows up in almost every backend and full-stack interview. Not just basic SELECT queries — interviewers want to know if you understand what's happening underneath.

This guide covers 40 questions across 6 categories, from fundamentals to the kind of advanced questions that separate mid-level from senior candidates.

What's covered

Fundamentals: SQL sublanguages, NULL behavior, DELETE vs TRUNCATE vs DROP, WHERE vs HAVING, query execution order
Joins and relationships: all JOIN types, self-joins, anti-join pattern, correlated subqueries, N+1 problem
Indexes and performance: B-Tree indexes, clustered vs non-clustered, composite indexes, covering indexes, EXPLAIN ANALYZE
Transactions and concurrency: ACID, isolation levels, deadlocks, MVCC, optimistic vs pessimistic locking
Advanced SQL: window functions, ROW_NUMBER vs RANK vs DENSE_RANK, LAG/LEAD, CTEs, recursive CTEs, materialized views
MySQL vs PostgreSQL: key differences, upsert patterns, JSONB, classic query challenges

A few questions worth knowing cold

Why does NULL = NULL return NULL and not TRUE?
SQL uses three-valued logic: TRUE, FALSE, and NULL (unknown). A comparison with NULL always returns NULL. Use IS NULL / IS NOT NULL instead.

What's the N+1 query problem?
It happens when you fetch a list of records, then run a separate query for each one. Fix it with a JOIN or eager loading at the ORM level.

When should you NOT add an index?
On small tables, columns with low cardinality (like a boolean), or tables with very high write volume where index maintenance cost outweighs read gains.

What's the difference between RANK and DENSE_RANK?
Both assign rankings with ties, but RANK skips numbers after a tie (1, 1, 3) while DENSE_RANK does not (1, 1, 2).

Full answers, code examples, and EXPLAIN output walkthroughs for all 40 questions are on Dev Encyclopedia.

👉 https://devencyclopedia.com/blog/sql-database-interview-questions

GitHub Actions Security: 7 Misconfigurations to Avoid

Dev Encyclopedia — Sun, 14 Jun 2026 05:47:22 +0000

GitHub Actions is the most-targeted CI/CD platform in the world right now. Not because it's insecure by design because billions of automated workflows run on it daily, most with misconfigured permissions, mutable dependencies, and zero security review.

In 2026 alone: the Megalodon campaign poisoned thousands of repos in six hours. The TanStack cache poisoning attack published malicious packages with valid, signed provenance. The tj-actions/changed-files compromise exfiltrated secrets from thousands of repos in a single day.

All of them used GitHub Actions misconfigurations as the entry point.

The 7 misconfigurations covered:

Overly Permissive GITHUB_TOKEN — write-all is still the default for repos created before Feb 2023
pull_request_target with untrusted code — the pattern behind the highest-impact GHA CVEs ever disclosed
Unpinned third-party actions — @v4 is mutable; one compromised repo and every workflow picks it up
Expression injection (script injection) — ${{ github.event.pull_request.title }} in a run: block is a shell injection vector
Secrets in logs and artifacts — GitHub's masking only catches exact-match patterns; encoded values bypass it
Shared caches across trust boundaries — how the TanStack attack actually worked
Self-hosted runners without isolation — ephemeral by default on GitHub-hosted; not on yours

Plus a 5-minute hardening checklist and a one-command audit using zizmor.

Full breakdown with code examples, fixes, and a copy-paste checklist:

👉 GitHub Actions Security: 7 Misconfigurations to Avoid

GitHub Actions Tutorial: CI/CD from Push to Deploy (2026)

Dev Encyclopedia — Sat, 13 Jun 2026 20:09:46 +0000

Most teams set up CI/CD once, copy-paste it forever, and never really understand what's happening inside that YAML file.

This tutorial breaks it down from scratch.

What's Inside

Your first workflow file, explained line by line
Running tests automatically on every push and pull request
Using Secrets so API keys never end up in your repo
Deploying to a server via SSH after tests pass
Caching dependencies so CI runs finish in seconds, not minutes
Matrix builds to test across multiple Node.js versions in parallel
The 5 most common workflow errors and how to fix them

If GitHub Actions has always felt like magic you just trust and don't touch, this guide is worth a read.

👉 Read the full article on Dev Encyclopedia

React Fiber Architecture Explained: How React Renders UI

Dev Encyclopedia — Sat, 13 Jun 2026 04:13:13 +0000

Fiber has been React's core engine since v16, but most devs never look at how it actually works. Here's a plain-English breakdown.

The problem before Fiber

The old Stack Reconciler would walk the entire component tree in one uninterruptible pass. A slow render locked the main thread completely. Typing, clicking, scrolling — all blocked.

What Fiber changed

Fiber breaks rendering into small units of work (one fiber per component). Each fiber is a JS object with child, sibling, and return pointers — a linked list structure that lets React walk the tree incrementally and pause mid-render.

The two phases

Render phase — runs component functions, diffs old vs new. Invisible to the user. Can pause, restart, or be thrown away entirely.

Commit phase — writes DOM changes. Synchronous and atomic. Users only ever see a complete UI.

This split directly explains:

Why useEffect runs after paint (scheduled after commit)
Why useLayoutEffect runs before paint (fires during commit)
Why Strict Mode double-invokes components (render phase can restart)

Lanes (priority system)

Every update gets a lane:

SyncLane — clicks, keypresses (highest priority)
DefaultLane — regular state updates
TransitionLane — updates wrapped in useTransition
IdleLane — background work

High-priority lanes always run first. This is what makes useTransition work.

Double buffering

React keeps two trees: the current tree (on screen) and a work-in-progress tree (built off-screen). On commit, they swap. You never see a half-rendered UI.

I wrote a full deep-dive with diagrams covering all of this in detail:

👉 https://devencyclopedia.com/blog/react-fiber-architecture-explained

Next.js Dark Mode Without the Flash (Tailwind v4)

Dev Encyclopedia — Mon, 08 Jun 2026 03:09:15 +0000

Every dark mode implementation has the same enemy: the flash.

The page renders in light mode, then instantly switches to dark. It happens because JavaScript applies the CSS class after the HTML is already painted -- and by then it's too late.

Why It Happens

Browsers paint HTML before JavaScript runs. By the time your JS reads localStorage and adds dark to <html>, the first frame is already done.

The only real fix is a blocking inline script in <head> that runs before any rendering. That's what next-themes handles automatically.

The Key Pieces

1. suppressHydrationWarning goes on <html>, not <body>

Most guides get this wrong. Without it on the right element, you'll still see hydration warnings.

2. Tailwind v4 dropped darkMode: 'class'

Add this to globals.css instead:

@custom-variant dark (&:where(.dark, .dark *));

This is the #1 reason dark mode breaks after upgrading to Tailwind v4.

3. Mount-guard your toggle button

useTheme() returns undefined during hydration. Render null until mounted or your toggle will flicker.

Full setup with complete code, Cloudflare Pages notes, and troubleshooting:
👉 https://devencyclopedia.com/blog/nextjs-dark-mode-without-flash

Claude Code Cheatsheet: Commands, Hooks & Subagents

Dev Encyclopedia — Sun, 07 Jun 2026 05:47:58 +0000

Most developers use Claude Code like a fancy autocomplete. That's maybe 20% of what it can do.

Claude Code is a terminal agent with full project access. It reads files, runs shell commands, commits to git, runs parallel subagents, and enforces rules through lifecycle hooks. Once you know the full feature set, the way you work changes.

I put together a complete reference covering:

Every slash command and when to reach for each
Keyboard shortcuts worth memorizing (Esc Esc, Ctrl+B, !command)
CLAUDE.md — the file that shapes every session
Hooks — the rules Claude literally cannot ignore
Custom slash commands vs. Skills (and the threshold for choosing)
Subagents — how parallel workers cut a 20-min task to 7 min
PR review setup with inline GitHub comments

The thing most people miss: CLAUDE.md vs. Hooks

CLAUDE.md is advisory. Claude reads it at session start and follows its instructions roughly 80% of the time. It's the right place for style preferences, stack context, and reminders.

Hooks are deterministic shell scripts. A PreToolUse hook that exits with code 1 stops Claude cold. No exceptions, no model judgment. That's how you block rm -rf, enforce Prettier on every write, and prevent .env files from ever touching a commit.

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "echo $CLAUDE_TOOL_INPUT_COMMAND | grep -q 'rm -rf' && exit 1 || exit 0"
      }]
    }]
  }
}

Rule of thumb: CLAUDE.md for guidance, hooks for anything where "most of the time" is not good enough.

Subagents change the math on long tasks

Context windows fill up. In a long session, the earlier parts of your conversation fade from Claude's working memory and output quality drops.

Subagents solve this by offloading work to separate Claude instances with clean, empty context. Claude can run three subagents simultaneously. Code review, test run, and DB migration check in parallel instead of sequentially. Tasks that take 20 minutes in a single session regularly finish in 7.

Full cheatsheet with every command, shortcut, hook type, and subagent config with working examples throughout:

Claude Code Cheatsheet: Commands, Hooks & Subagents — Dev Encyclopedia

The complete Claude Code reference: every slash command, keyboard shortcut, hook, subagent, and CLAUDE.md tip — with real examples for developers.

devencyclopedia.com

Originally published on Dev Encyclopedia

GitHub Copilot Just Changed How It Charges You, Here's What It Means

Dev Encyclopedia — Sat, 06 Jun 2026 07:25:15 +0000

GitHub Copilot dropped the flat-rate model on June 1. Now it uses AI Credits and a lot of developers are getting surprised bills.

Here's the 2-minute version:

✅ Tab completions → still free, unlimited
❌ Chat, agent mode, code review → costs credits now

How fast do credits run out?

Plan	Credits/month	Cost
Pro	1,500	$10
Pro+	7,000	$39

One agentic session on Claude Opus or GPT-5.5 = up to 200 credits.
That's your whole week gone in a single session.

What should you do?

Switch to GPT-5 mini for quick questions (saves 70–80%)
Set a spending cap in GitHub billing settings
Batch your questions — fewer sessions = fewer credits

Full breakdown by workflow + free cost calculator 👇
🔗 https://devencyclopedia.com/blog/github-copilot-token-billing-2026
🧮 https://devencyclopedia.com/tools/copilot-credit-calculator