Hacker News: emrah's comments

The hacks had to do with misconfigured databases, not directly related to the vibe coding


Were the database configurations "vibe coded"?

My understanding is the notion is about getting an application to "work" without any underlying theory of operation or evaluation of the imported context.


Supabase is really tough to make secure, and it is probably a poor choice if you are interested in vibe coding. Row Level Security is likely to be insecure if the author doesn't have a deep understanding of Postgres or isn't paying careful attention to all of the generated code relevant to the database.
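As an added example (not from the comment above and not Supabase's own code), this is the kind of RLS mistake the comment warns about: a per-user table whose generated policy "works" in testing because it grants every role every row, beside the same table scoped so each caller only reaches rows they own, followed by two catalog queries a reviewer can run to find the same problem elsewhere. It assumes Supabase's `auth.uid()` helper; the `notes` table and policy names are constructed for the example.

```sql
-- Constructed example: a per-user "notes" table exposed through a Supabase-style API.
create table notes (
  id       bigint generated always as identity primary key,
  owner_id uuid not null,
  body     text not null
);

-- WEAK: RLS is enabled, but the policy hands every role every row.
-- It passes a quick manual test and leaks the whole table in production.
alter table notes enable row level security;
create policy notes_open on notes
  for all
  using (true)
  with check (true);

-- CORRECTED: drop the catch-all policy and scope each command to the row owner.
-- auth.uid() is Supabase's helper returning the JWT subject as a uuid; it is
-- null for anonymous callers, so the comparison fails and they see no rows.
drop policy notes_open on notes;

create policy notes_select_own on notes
  for select
  using (owner_id = auth.uid());

create policy notes_insert_own on notes
  for insert
  with check (owner_id = auth.uid());

create policy notes_update_own on notes
  for update
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy notes_delete_own on notes
  for delete
  using (owner_id = auth.uid());

-- Review check 1: tables in the public schema with RLS still disabled.
select relname
from pg_class
where relkind = 'r'
  and relnamespace = 'public'::regnamespace
  and not relrowsecurity;

-- Review check 2: policies whose USING clause is a bare "true".
select tablename, policyname, cmd, qual
from pg_policies
where schemaname = 'public'
  and qual = 'true';
```

Both review queries should return no rows before the schema is considered done; note that RLS does not apply to the table owner or to roles with BYPASSRLS, so policies must be tested as the API roles, not as the superuser.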


Is there a low-code backend/full-stack which is secure by default? I remember some clunky UI to define filters and projection in Firebase. Can a Django/Laravel app weekend project get there before Supabase?


Just write SQL queries, sanitize them, use unix users or selinux to restrict system users.

It has its dangerous spots, and its uncomfortable spots, but we pretty much know all about them already, and usage is heavily documented.

Or you can try ORM74 and hope it is faster and more secure than THE standard way. Gamble away.

Or maybe try Framework 74b which abstracts away the ORM.


Just "vibe coding" something minimal in a Cloudflare Worker, or even, ironically, a Supabase Edge Function that directly connects to the DB would 9 out of 10 times lead to something more secure than using RLS. The LLM will always default to RLS when using Supabase as that's what they promote the hardest in marketing materials, so that's what it's trained on.


Secure by default? No such thing by virtue of the fact that security is case dependent.

That said, all of the full fat frameworks make it pretty easy to define what should and shouldn't be visible to what users. The use case that he has would not have been harder to do using Rails, Phoenix, Django, etc. as a backend, and it would have been very easy to control the failures that he had.


It doesn't have to be full fat, it can be literally anything as long as it provides a backend layer in between the DB and the FE. It can be a single TypeScript file that uses literally whatever the LLM defaults to, probably Express given its training materials, or Hono for something more modern, or any of the 1000 other options.


> and it is probably a poor choice if you are interested in vibe coding

Pray tell, what is a good choice then?

.

.

... anything you already know yourself to secure so you can correct the "AI"


> anything you already know yourself

I think that this is the answer. Maybe someone who is great with Postgres Row Level Security will have an OK time with Supabase security, even if they are vibe coding. They wouldn't think of asking the AI for something that won't work.


Frontend is always in insecure land. There's no such thing as secure and insecure code there (there may be correct and incorrect code). You can't trust anything that originates from the frontend (anything that comes from outside of your servers, really).


When were search results 100% fact checked and accurate??


For example, in the times of "lectures", where transmitted information was literally read (as the term says) in real time from the source to the public.

But in general, the (mis-)information that spinach could contain so much iron to be interchangeable with nails had to be a typo so rare that it would become anecdotal and generate cultural phenomena like Popeye.


What exactly does "will no longer be supported" mean?

Does it mean they'll stop working altogether?

Will they just not provide support for them but they'll keep working until the day they won't?

If it's the former, that's ridiculous and goes in the face of all the "good" they have been trying to do with the "leaf" program


"Dear Nest Learning Thermostat owner,

We want to make you aware of some upcoming changes that will impact our earliest generation thermostats, including those at Your House. Starting October 25, 2025, Google will no longer provide support for the Nest Learning Thermostat (1st gen) launched in 2011 and Nest Learning Thermostat (2nd gen) launched in 2012.

You will still be able to access temperature, mode, schedules, and settings directly on the thermostat – and existing schedules should continue to work uninterrupted. However, these thermostats will no longer receive software or security updates, will not have any Nest app or Home app controls, and will end support for other connected features like Home/Away Assist. See more details at our support website."


Jobs directing, filtering, complementing Ive was clearly the winning combination.


Uber is slowly reinventing the "dolmuş" and "minibüs" concepts in Istanbul :)


> Neither? I'm surprised nobody has said it yet. I turned off AI autocomplete ...

This represents one group of developers and is certainly valid for that group. To each their own.

For another group, where I belong, AI is a great companion! We can handle the noise and development speed is improved as well as the overall experience.

I prefer VSCode and GitHub Copilot. My opinion is this combo will eventually eat all the rest, but that's beside the point.

Agent mode could be faster, sometimes it is rather slow thinking, but not a big deal. This mode is all I use these days. Integration with the code base is a huge part of the great experience.


Tariffs are effectively paid by the buyer, unless the seller reduces prices to counteract the tariff, which ain't gonna happen, so what is Trump trying to do, bankrupt us all? #angryface#


Not that it matters as much any more since SO is slowly dying, but they should replace human moderators with AI and involve humans only when AI says it needs help with something.



High level stuff: design, guidance, review etc.. but you can't get good at those without first coding a lot ¯\_(ツ)_/¯

