Bonum Certa Men Certa

Clownflare (Cloudflare) and the 'Ecosystem' It Wants to Replace

posted by Roy Schestowitz on Apr 22, 2026,
updated Apr 22, 2026

"Vercel & Next.JS Hacked - Nothing New to Report"

Matt Mullenweg
Author: Ronny Siegel

Clownflare has long been in debt and has long lost money. We've written about this for nearly a decade already. Like many other American "tech giants", it deems it normal to keep losing money as long as some "shareholders" (or lenders) bear the loss at personal risk. They hope for a turnaround or "conversion" one day.

Recently, Clownflare made a move that we deemed to be an attack on WordPress (trying to replace WordPress with its own software in many millions of Web sites). See, the Clownflare aspirations of becoming a 'packet titan' or CDN giant (swallowing the Net's traffic, not just the Web) go further up the stack. Next up: JavaScript/Web browsers? The CMS?

"Hi Dr. & Mrs. Schestowitz," a reader recently told us, letting us know something we've not heard about because we generally dislike and try to avoid JavaScript. "Not sure if this crossed your radar during y'all are on a well deserved sabbatical and retreat — or at least the slowdown — but Vercel and Next.js were recently compromised in a significant supply chain attack. The incident, covered by SecurityWeek, involved attackers gaining access to Vercel's infrastructure in a way that raises serious questions about the integrity of the broader Next.js supply chain - the kind of attack that can silently poison downstream end users who have no idea anything is wrong."

We're not going to suggest this attack was in any way coordinated to weaken or discredit the original, but it sounds familiar in light of what happened to GitHub alternatives at critical times (DDoS attacks).

"What makes the timing especially worth noting," said the reader, is that "we literally just co-published coverage of the Next.js slopfork that Cloudflare put out - Vinext — like a few DAYS ago."

We did indeed. That was about a month ago.

"It's a strange moment to have both pieces land so close together, and together they paint a fairly unsettling picture of the Next.js and React ecosystem right now. On one hand, you have a major cloud vendor essentially forking and rebranding a popular framework with minimal transparency or attribution with ethically ambiguous tools. On the other, you have the original framework's steward - Vercel itself - getting compromised nonstop. Neither story reflects well on either of the projects, and together they raise serious questions about whether the ecosystem has the governance and security posture that its widespread adoption demands. It may be time for the FLOSS community to collectively move on from React and coordinate a migration toward more community-aligned alternatives - like Svelte or SolidJS - that haven't been compromised at their foundation. I'm talking about the same kind of collective push to abandon this pseudo-"open-core," oligopoly driven framework - the same way many of us have already distanced ourselves from things like GitHub (under Microslop) and other BSL/SSPL licensed projects for the betterment of society."

"This feels squarely in your wheelhouse — it touches on corporate stewardship of FLOSS projects, the risks of centralized infrastructure in what many treat as a "community" framework, and the broader tension between venture-backed 'open source' and the trustworthiness users implicitly extend to it. I'd be curious whether you see this as part of a larger pattern you've been tracking, or whether the supply chain angle opens up a new thread worth pulling on - do you see a solution to this?"

In 2022 we began developing our own SSG so that we depend on no vendor with self-serving interests (like Automattic) and instead choose our own destiny though depending on Perl libraries/modules.

All those so-called 'ecosystems' - a term that RMS has long objected to - are nothing but giant risks. They let other entities pull their users in their own direction, like Windows users being subjected to lots of slop by Microslop.

Computer security is not the only risk here; it's complicated.

"Both Svelte and SolidJS have received significant donations from Vercel," we got told, "and SolidJS has taken money from Cloudflare as well. The JavaScript ecosystem outside of entirely static sites is a case study in what happens to FLOSS when Big Tech gets its hooks in - almost funny, really, given that Silicon Valley was built on exactly this pattern: flashy frameworks that promise the world and perpetually under-deliver."

I began using WordPress in 2004 when the software was young and simple - still not much different from b2, which it was based on. Look at what has happened since then. WordPress, at least its back end, is bloated JavaScript that pulls in loads of dependencies and almost a thousand files (not a few dozen like a couple of decades ago).

WordPress and other "modern" Web 'frameworks' are undesirable for a plethora of legitimate reasons. That those bits of software get scooped up by companies like Silver Lake (or get attacked by them) may seem inevitable. It can end up a disaster - an issue we've long cautioned about.

The aim of GAFAM or Clownflare (as a company, not a service) is to control everything and everyone. They want "captives", not communities.
