Dude, the thumbnails... Please stop

It seems that when React and Next.js address one issue, they also tend to introduce additional issues

Do I lookup “Taint” with Merriam-Webster or do I use Urban Dictionary? Just want to get the right definition.

This is just madness at this point. I'm 100% certain this is going nowhere and everyone gonna go back to using old school API way.

The react team has been trying to cleanup their own mess for years now while introducing footgun after footgun. Don't like where this is going at all. Personally will stick with a little SSR and mostly client side react for existing projects, and just use solid or svelte for new projects.

given these footguns, it really makes me wonder if the app directory is worth it...

This is madness. Seems like throwing complexity at a problem that shouldn't exist in the first place. Just use an API.

Love the Data access layer. It's almost like it "controls" the view layer. It might be helpful to model the domain after that? Not sure, though. Probably nothing that no one has thought about since the 70's.

Band-aids on an architecture that MAYBE we shouldn't even be doing.

People complaining about app directory don't understand that this is a thing that can happen in any kind of framework that talks to the server or any templating language like php and django. If you're not careful what you're returning you can expose data that you're not meant to expose. Because RSC is js/ts in both server and client you're able to do these kind of checks and actually make your app more safe especially when working in a big team. Edit: Most of comments say that APIs are better. They are better because you don’t think about it because someone else has done that work. That doesn’t mean it’s less work in fact that’s more work because you need a layer between the database and the frontend. Also anytime you need another field you will need to rely on someone exposing that from the API which can take a lot of time.

What are we even doing anymore? Feels like the result of a lot of bored engineers finding ways to invent problems to solve.

And here we are again... re-adding already solved problems... The Pages Router + API was ok, why do this tbh?

Your thumbnails don't match your audience sir

Considering how easy is to leak stuff this way i reckon best practice is to use http apis and old school “ajax” to mutate data, otherwise its inevitable that sooner or later stuff will Leak

Remixjs just became a much more attractive alternative, may be just because of this. Use it in the meantime while you get used to all these commandments of RSC in Nextjs😂

So we invented this new model, it came with lots of problems so we invented new tools to fix those problems but they also have some problems. also keep your data fetching in a single layer. At this point just use Remix and avoid the minefield altogether

10:34 Honestly, I'd never, EVER, define the secret in a component file in the first place. It'd have to be restricted to the server.

Overengineered much? Big fan of making the right thing to do the easy thing to do. This is certainly not that.

Thank you for posting this video before I go to bed 🙏

I feel like Theo is the type of youtuber who doesn't need weird thumbnails and he's such a good dev compared to many of us. Definitely much better than I am. Am I the only one who thinks this? I mean, we're the type of people who look for information, not overstimulation.

Ah the classic React stylez, let's re-invent a pattern that's been known for year.

I use the nextJS api route as a proxy to the express backend where the magic happens

React invented Java... gotta get all the dto's

React and Next are becoming so intertwined that I lost myself multiple times in the video. Who's Sebastian working for again? It's so awful to watch this happen.

8:05 Server actions went from experimental to canary. They're two separate release channels.

In the CSRF part of the video, I think you're mixing CSRF and XSS, no ? CSRF has nothing to do with injecting HTML that comes from a user. This exposes you to XSS. CSRF is kind of "the other way around", usually (request made to your backend, from another website).

a safety boundary between frontend bits and backend bits

Ok. Got it. Nextjs tries to be a backend solution and doing a not so good job at it, taking into account all the hard work these people give into it. Can't figure out why this wont end up in a coupling hell. Seems like it introduces new problems that we already solved way back just to reinvent something for a 0.01% benefit. I guess that's why true backends exist. So long and thanks for all the fish. I will come back in six months to see the video explaining why this was eventually bad and show the new way. Coloring all this as progress and not beta.

Is there more reading material on why this is an issue only with SSR? Would this be a non-issue with CSR and traditional rest apis

Seems to me that RSC is exposing lots of footguns that newer devs won't be aware of or know to look for, and those devs likely don't watch this channel or even know it exists. As for the word "taint", what a terrible choice. The obvious anatomical reference not withstanding, this data isn't "tainted", it's just not appropriate for the context it's in. Come on, thesaurus nerds - what should it be called?

Audio sounds great on this one!

Wow, its almost like js devs keep reinventing the damn wheel over and over again. Everyone should just go back to templating and some real backend language with just plain js on the frontend when and only when needed 🤦‍♂️

I feel like everything they do to mitigate these very valid and bad security issues is an afterthought now. The taint thing feels like PHP called to get its very old, very flawed, security mitigations back.

I envy simple minds that can get exited about such crap.

Tainting your backend with JavaScript is a code smell

This is very informative. Thanks a lot!

Performing SQL calls in a javascript framework, whether they call it "back-end", just smells bad practise. Let a real backend framework handle this, like .NET. Also, the Data Access Layer was something we, as backenders, used a lot 10-15years ago. DTO is still used and has been used quite a lot. So my point is that now that JS has become more and more "back-end", it's not really adopting newer trends, but rather trying to re-invent the wheel.

I really liked this breakdown.

all of this so we don't have a lot of spinners on screen

Only here for the taint definition and bc the thumbnail is strong with this one. Yo-duh told me so.

React devs reinventing the same wheel the rest of the world invented 20 years ago.

Urban dictionary 😂

Say the line... footgun taint trpc next tailwind

can you please enlight us about SSR vs SSG vs ISR ..........🙏🙏🙏🙏🙏

No thanks

I switched to Nuxt. Next is doing too much.

Its almost like the React and Next teams wants to make vulnerable software at this point. Wtf are they thinking? How is blurring the lines between the frontend and the backend at this level a good thing? Juniors are going to commit atrocious security vulnerabilities everywhere if this crap gets adopted. What if someone forgets to import this "server-only" or whatever package its called into a file? Which is going to happen. It's just insanity

Should I put this skill on my resume?

Starts video, “So React showed me its Taint”… woah there buddy pause 😂

It would be great if we could name columns in the database with a prefix or metadata that marks that column as private info. Then we can easily filter out those columns before sending it to the client. Postgres has row level security, but we also need is column level security.

I don't like this direction at all. I work in security for quite a while and complexity is usally not making a piece of software more secure.

Bye Next. Your priorities are the wrong ones.

Ok, so I can stick with Trpc both for mutations and RSC, without worrying about these problems. Separate the client from a backend API still feels superior, even when you're doing SSR.

Seems a bit barebones. It could benefit from more/custom Taint Types like in PHP Psalm

Do you even shave?

All of these directives, like use client, use server and import server-only are actually just horrible hacks. I don't know how we got here. This is NOT an improvement, and I really hope NextJS dies because of this. It's not a pleasant developer experience at all.

im never going to recommend ssr

Yay first taint taint woo

7:16

i'm so glad i left nextjs

Or…gasp…just separate your backend and frontend.

This is Progress ehh? NextJS/React is failing us. Thankfully, so many great alternatives exist.

Just send HTML/X

I've deleted my api directory and have only been using server actions for some time now. Is this not safe? Would trpc help?

nice, more bullshit to worry about. everyday i want to use react less and less.

This is so dumb. They are trying so hard to have their cake and eat it too. Separation of concerns is a good thing. I wish react would go back to trying to be a great framework for frontend.

Next 14????? Holy Crap, Next 13 STILL HAS MAJOR ISSUES.... this company....

I'm sorry but this RSC paradigm is becoming a joke the more they work on it

So, we are coming around to MVC patterns again uh?

Problem with layers is that coupling (while giving a big advantage first) will eventually overcomplicate things. Suddenly you will have a method used at 16 different places. Sounds like goal achieved, no? No. Use-cases should not all be generalized, but optimized for. Usually you would use vertical slices architecture, but it's weird to do in NextJS because of the file-based (API) routing.

Without unneeded complexity react and next developers would be out of business

I don’t understand the point of server side components if they just render on the client anyways or expose your data. All of this unnecessary complexity to just serve data to a front end. SSR was supposed to make things easier, not add even more levels of abstraction. I love Next.js and React is fine, but this is absolute madness

Can you make a video explaining the new partial prerendering feature of Next 14? Because I don't understand it from the release blog post 👀

this is cool and all, though the syntax seems so counter intuitive to me. i love the way Remix does data flow, even if it's route level and not component level like RSC + server actions. if we could land somewhere in the middle, it would be so cool.

So what we get out of this?, After doing all of these things and probably leak sensitive data (dont lie to yourself either you or your co-worker gonna mess up)

I am in the camp of what real benefits all this complexity is giving the developers. The real security is to reduce the client side code, since that is visible to the user and having a large codebase also slows down the page. Using the newer features built-in to the web browsers is more secure and should allow for a smaller codebase on the frontend. React is getting too large to be a great solution. I know that React might be needed for a little while longer as support for these new features have to have higher browser support.

7:16 - *MEOOOOOW*

One more reason not to use NextJS I would say

While talking can you stop chewing the words would be more clear what you are trying to say.

As someone who’s proficient in Angular and Vue (in addition to React) this is kinda why a lot of people still prefer Angular.

Nuxt anyone?

07:15 miauw

can someone please make it clear to me that if i have sensitive info inside a Server component is it secure or still an issue? i understand that inside client components it is an issue as that code gets compiled on the client side but if the server components are not secure in execution of that and the need to use "use Server" to specifically tell it why is it even a server component then besides from the rendering part.

All this added complexity is for what?

I.. I'm going back to simple ssr templates. JSX works on the server too just fine.

No mutations? not even an analytics event?

thanks for posting this

Am I missing something? What the hell is this syntax 2:43 line 18? With sql`....`

Developer Experience on Nextjs still sucks. Waiting for 10+ seconds for HMR to reload after code changes is not acceptable (on other Linux/Windows pc/laptops that are not Apple M1/M2 Macbooks). Any new features are completely useless/meaningless if you have to constantly stare at the loading screen.

yoo what browser is that though? looks sick

first

This is madness, its like back in Holocaust where I am suffocated by React smoke