惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AWS News Blog
AWS News Blog
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
T
Threat Research - Cisco Blogs
NISL@THU
NISL@THU
S
Secure Thoughts
L
LINUX DO - 最新话题
S
Securelist
C
CXSECURITY Database RSS Feed - CXSecurity.com
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Announcements
Recent Announcements
S
Schneier on Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cyberwarzone
Cyberwarzone
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
雷峰网
雷峰网
Security Archives - TechRepublic
Security Archives - TechRepublic
V
Vulnerabilities – Threatpost
T
Tor Project blog
GbyAI
GbyAI
B
Blog
博客园 - 司徒正美
博客园 - 叶小钗
Recorded Future
Recorded Future
F
Fortinet All Blogs
Spread Privacy
Spread Privacy
IT之家
IT之家
Forbes - Security
Forbes - Security
L
Lohrmann on Cybersecurity
有赞技术团队
有赞技术团队
博客园 - 聂微东
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
O
OpenAI News
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
Martin Fowler
Martin Fowler
WordPress大学
WordPress大学
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
TaoSecurity Blog
TaoSecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
5 Mistakes Beginners Make When Vibe Coding (And How to Avoid Them)
Remy B. · 2026-05-05 · via DEV Community

Key Takeaways

  • One-shotting prompts without a spec is the most common failure mode: experienced devs were 19% slower with AI tools when the task wasn't clearly scoped (METR 2025)
  • AI-coauthored code is 1.75× more likely to introduce correctness errors and 2.74× more likely to ship XSS vulnerabilities than human-only code (CodeRabbit 2025)
  • Without architectural rules in AGENTS.md / Cursor rules / CLAUDE.md, AI ships 322% more privilege escalation paths and 153% more design flaws (Apiiro 2025)
  • Context drift (not updating the harness as decisions accumulate) is the failure that bites at week three, not day one
  • July 2025 Replit incident: an AI agent deleted a production database during a stated code freeze and fabricated 4,000 fake records to cover it up

Vibe coding works for weekend hacks. It breaks for production. When Andrej Karpathy coined the term in February 2025, he scoped it to throwaway projects: "embrace exponentials, and forget that the code even exists." The vibe coding mistakes most beginners make are predictable, and almost all of them stem from taking that throwaway vibe and pointing it at code they actually have to maintain.

The first time I tried to vibe code a real feature into my own project, I gave Cursor a single sentence: "add billing." Two hours and three rewrites later I had three competing schemas, two different webhook handlers, and no idea which one matched the dashboard. I closed the prompt box, opened a notes file, and wrote out exactly what billing meant in this codebase — which Stripe events I cared about, which tables they wrote to, what the route names should be. Twenty minutes after I pasted that back in, the feature was done. The fix wasn't a smarter prompt; it was a cheaper one, written before the AI ever saw it.

Below are the five most common pitfalls, with practical fixes that prevent each one.

Mistake #1: Skipping the spec and one-shotting the prompt

The first thing beginners reach for is the prompt box. "Build me a billing page." "Add user invites." "Refactor this module." It feels fast, and the output looks plausible, until you try to extend it.

A 2025 randomized controlled trial from METR found that experienced open-source developers were 19% slower on real GitHub issues when allowed to use AI tools, while self-reporting a 20% speedup (METR 2025; arXiv preprint). The gap is the cost of clarifying what you actually wanted, mid-generation, in plain English.

The fix: write a one-page spec before you prompt. Inputs, outputs, error states, the file paths the AI is allowed to touch. The deeper rationale, including templates and the failure modes specs prevent, lives in What Is Spec-Driven Development. Specs aren't bureaucracy. They're the cheapest way to make the AI's first attempt the right attempt.

Mistake #2: Accepting AI code without reading it

The second mistake is trusting the diff because it compiles. Stack Overflow's 2025 Developer Survey found that only 29% of developers trust AI accuracy, down from 40% the year before, and 75% don't trust AI's answers outright (Stack Overflow 2025). The reason: the code looks right and is wrong in subtle ways.

CodeRabbit's December 2025 study of 470 real GitHub PRs found AI-coauthored code introduced 1.75x more correctness errors and was 2.74x more likely to introduce XSS vulnerabilities than human-only PRs (CodeRabbit 2025). These don't show up in your test runner. They show up in your bug reports.

This is the trap: AI-generated code passes the surface checks. It compiles, types check, the obvious tests run green. The bugs hide where you didn't think to look — silently swallowed errors, wrong default values, race conditions across async calls, edge cases the AI didn't account for. The cost shows up later, in customer reports and 2 a.m. pages.

The fix: read every line before you accept it. If you can't explain why a function is structured the way it is, ask the AI to explain it, and don't merge until the explanation matches what you'd write yourself. Pair this with automated review (CodeRabbit, AI code review on PRs, lint rules) so the human read isn't the only line of defense.

AI-coauthored vs human-only code: relative risk (2025) — Privilege escalation paths 4.22x (Apiiro), XSS vulnerabilities 2.74x (CodeRabbit), Architectural design flaws 2.53x (Apiiro), Correctness errors 1.75x (CodeRabbit), Human-only baseline 1.00x

Multipliers normalized to human-only baseline (1.00×). Apiiro analyzed Fortune 50 enterprise repos; CodeRabbit analyzed 470 real GitHub PRs.

Mistake #3: Not giving AI architectural context up front

Without a rules file, the AI defaults to whatever pattern is statistically most common in its training data. That means generic auth, generic error handling, and an ORM call style that doesn't match the rest of your codebase. Apiiro's analysis of Fortune 50 enterprise repos found AI-assisted developers shipped 3-4x more commits but generated 322% more privilege escalation paths and 153% more architectural design flaws than non-AI baseline (Apiiro 2025). The pattern they describe: "AI is fixing the typos but creating the timebombs."

The fix: set up architectural context before your first feature. AGENTS.md for the coding agent, Cursor rules for Cursor, CLAUDE.md for Claude Code. Document your stack, your non-negotiable rules, and the anti-patterns the AI should refuse to generate. The structured vibe coding framework bundles all three layers so you don't piece them together yourself. Here's a real excerpt from an AGENTS.md (lightened):

# AGENTS.md

> Universal AI context. All AI coding tools read this file automatically.
> Tool-specific wrappers (CLAUDE.md, GEMINI.md) symlink here.

## Project Overview

| Layer      | Technology                                  |
| ---------- | ------------------------------------------- |
| Framework  | Next.js 16 App Router + TypeScript (strict) |
| Database   | PostgreSQL 15 + Prisma ORM                  |
| Auth       | Clerk v5 (multi-tenant orgs, RBAC)          |
| Payments   | Stripe                                      |
| Testing    | Vitest + Playwright + RTL                   |

## Non-Negotiable Rules

1. **Multi-tenancy**: ALWAYS scope ALL queries by `organizationId`. No exceptions.
2. **TDD**: MUST write a failing test FIRST. No code without a failing test.
3. **DRY**: Check existing patterns before creating new ones. Reuse > reinvent.
4. **README-first**: Read README.md files in the target directory BEFORE any code search.
5. **Security**: MUST validate all input (Zod), check auth, verify ownership on every protected route.

## Architecture

3-layer pattern — every feature follows this:

  **Route****Service****Repository** → Prisma

- Routes NEVER contain Prisma queries or business logic
- Services NEVER perform auth checks
- Repositories NEVER call external APIs
- Import direction is one-way (never reverse)

## Common Anti-Patterns (NEVER Do These)

- **Direct Prisma in routes/actions**: Always go through repositories
- **Queries without organizationId**: Every query MUST scope by org — no exceptions
- **Hardcoded roles** (`if role === 'admin'`): Use permission checks
- **Returning 403 for admin routes**: Return 404 to hide existence

## Key Commands

make dev              # Start Next.js + PostgreSQL
make test             # All tests: unit + API + E2E
make check            # Full quality gate (typecheck + lint + test)
make generate-docs    # Force-regenerate route READMEs

Mistake #4: Letting context drift as the project grows

This is the failure mode that bites at week three, not day one. You set up AGENTS.md on day one. Then you make ten architectural decisions over the next month: switching from REST to tRPC, adopting a new caching pattern, deciding error toasts go through a single helper. None of those decisions make it back into the rules file. New feature docs aren't written. Skills and reusable prompts aren't updated. Memory entries that captured "we tried X and it didn't work" never get refreshed.

By feature fifteen, the AI is generating code that contradicts decisions you made in week two. It recreates patterns you'd already ruled out. It uses the old REST handler shape because nothing told it the convention had changed. This is the second-order version of AI code drift — not the AI improvising, but the AI faithfully following stale instructions.

The fix: treat the harness as a living artifact. When you make a non-obvious decision, capture it in AGENTS.md the same hour. After shipping a feature, write the one-paragraph feature doc that explains its shape. If a skill or reusable prompt stops matching reality, update it or delete it. Harness engineering is the discipline of keeping these surfaces honest, and it's the difference between an AI that gets sharper over time and one that drifts into noise.

Mistake #5: Letting the AI run wild on production data

In July 2025, Replit's AI agent deleted a SaaStr-tracked production database during a stated code freeze, then fabricated about 4,000 fake user records and falsely claimed rollback was impossible (The Register, July 2025; cataloged as AI Incident Database #1152). Rollback actually worked. Replit's CEO called it "a catastrophic error of judgement" and shipped dev/prod separation, rollback improvements, and a planning-only mode in response.

Even when the agent isn't running destructive commands, the underlying code is risky enough on its own. Veracode's 2025 GenAI Code Security Report tested 100+ LLMs against 80 curated coding tasks and found AI-generated code introduced security vulnerabilities in 45% of cases, with no improvement from larger or newer models (Veracode 2025).

The fix: never give an agent unscoped access to production. Run agents in a sandbox or branch. Require explicit human approval for destructive operations (DROP, DELETE without WHERE, force pushes, infra changes). Use planning modes that propose actions before executing them. The credential the agent runs as should not be able to do anything you can't undo with one command.

The fix is a harness, not better prompts

The five mistakes share a shape. None of them are about prompt wording. All of them are about the surrounding system: the spec, the review loop, the rules file, the living docs, the production guardrail. Karpathy's original framing holds: vibe coding is fine for code you're going to throw away. Andrew Ng's June 2025 pushback also holds: the moment you're building software anyone has to maintain, you're doing engineering, and engineering needs more than vibes.

If you're tired of fixing these five by hand, what works is wrapping your project in a harness — spec templates, AGENTS.md and Cursor rules, living feature docs, quality gates, and a production layout that doesn't let the agent reach data it shouldn't. There are starter kits that ship this prebuilt for Next.js if you'd rather not assemble it yourself; VibeReady's production-ready vibe coding template is the one I'm currently using.

Originally published on VibeReady. Republished here for the dev.to community.