Pains

726 pains collected

Severity:

Unreliable and unpredictable framework behavior in production
Severity: 9
LangChain exhibits difficult-to-predict behavior with undocumented or poorly explained default settings and intricacies. Developers report erratic behavior such as ConversationalRetrievalChain unexpectedly rephrasing input questions, leading to unstable production environments and costly downtime.
Tags: compatibility, LangChain

Client secrets exposed in SPAs and mobile applications
Severity: 9
Developers ship OAuth client secrets inside single-page applications or mobile apps where they can be extracted from JavaScript bundles or binaries, compromising the confidentiality of the secret.
Tags: security, OAuth 2.0

Hardcoded backend configuration leads to destructive state file mismatches
Severity: 9
When copying root modules without updating backend configuration (key/prefix), Terraform can reference the wrong state file, resulting in destructive plans that delete infrastructure belonging to another environment or project.
Tags: config, Terraform, state backends

Frequent breaking changes and unstable API
Severity: 9
LangChain releases updates at an aggressive pace with frequent breaking changes and backward incompatibility, forcing developers to constantly refactor existing code. The break-first, fix-later approach has destroyed developer trust in upgrading packages.
Tags: compatibility, LangChain

Production Deployment Without Proper Testing Pipeline
Severity: 9
Changes are deployed directly to production without apparent dev/test/staging environments, causing widespread bugs to affect all users simultaneously. The lack of canary deployments and feature flags prevents quick rollback of breaking changes.
Tags: deploy, Claude API, deployment infrastructure

Incomplete or skipped token validation in APIs
Severity: 9
APIs frequently validate only that a token is present rather than performing full server-side validation of signature, issuer, audience, expiry, and required scopes, leaving the system vulnerable to forged or expired tokens.
Tags: security, OAuth 2.0, JWT

API Route Security Issues in Next.js
Severity: 9
Next.js API routes are vulnerable to injection attacks (SQL, NoSQL, command injection), rate limiting bypass, information disclosure through error messages, and missing input validation.
Tags: security, Next.js

SQL injection remains most financially damaging application vulnerability
Severity: 9
SQL injection vulnerabilities from unescaped user input interpolation remain the perennial top contender for most financially damaging application security vulnerability. Developers continue to make mistakes in this area.
Tags: security, PostgreSQL, SQL

Remote state management and concurrent write conflicts at scale
Severity: 9
When multiple team members and CI/CD pipelines run Terraform in parallel, concurrent writes to shared state can cause conflicting updates and painful recovery work. The terraform.tfstate file serves as the source of truth, and unreliable storage or simultaneous modifications lead to state corruption.
Tags: storage, Terraform, S3, remote state backends

Deployments fail without clear error messages
Severity: 9
Users report deployments sometimes fail without obvious reasons or adequate error information, making debugging frustrating. Build steps can be interrupted if they exceed a 45-minute limit, leaving developers without clarity on what went wrong.
Tags: deploy, Vercel

Account suspension without warning or appeals process
Severity: 9
User accounts have been suspended without warning within minutes of deployment with vague 'fair use violation' emails. Appeals go unanswered for weeks, resulting in lost access to production sites with no recourse or clear explanation.
Tags: security, Vercel

Security vulnerabilities and account hijacking risks
Severity: 9
Persistent security vulnerabilities exist in OpenAI's platform, with documented instances of account hijacking and authentication exposure. Developers lack clear security protocols and data privacy safeguards.
Tags: security, OpenAI API

Abrupt Free Tier Removal and Quota Slashing Without Notice
Severity: 9
Google removed free tier access to Gemini 2.5-Pro entirely and slashed Gemini 2.5-Flash daily limits by 92% (250 to 20 requests) with no advance notice, email alerts, or grace period. Production applications broke overnight with 429 quota exceeded errors.
Tags: deploy, Gemini API, Gemini 2.5-Pro, Gemini 2.5-Flash

Claude Pro subscription OAuth tokens blocked in third-party tools
Severity: 9
Anthropic restricted subscription OAuth tokens to work only with the official Claude Code CLI, blocking tools like OpenCode, Moltbot, and integrations in Cursor. Users who built workflows around third-party tools were locked out mid-project, forcing them to either downgrade subscriptions or abandon the platform entirely.
Tags: auth, Claude, OAuth, Claude Code CLI

Authentication and Authorization Flaws in Next.js
Severity: 9
Common vulnerabilities include insecure session management, weak token validation, missing authorization checks on API routes, and client-side only authentication without server-side validation.
Tags: security, Next.js

Cross-Site Scripting (XSS) Vulnerabilities in Next.js
Severity: 9
XSS attacks can occur in Next.js through improper use of dangerouslySetInnerHTML, unvalidated user input in dynamic content, third-party scripts, and server-side rendering of malicious content.
Tags: security, Next.js, React

GitHub Actions lacks lockfile dependency management
Severity: 9
GitHub Actions has no lockfile system to pin exact versions of third-party actions. Every workflow run re-resolves dependencies from the manifest without recording what was actually chosen, creating non-deterministic builds and enabling supply chain attacks. This is a fundamental gap compared to mature package managers.
Tags: dependency, GitHub Actions

AWS IAM permission model is fundamentally broken for security requirements
Severity: 9
AWS IAM's core design prioritizes deterministic permission evaluation over security usability, resulting in a system where CRUD-style permissions cannot be implemented auditably. The architecture uses low-level API action lists with boolean logic complexity ('deny sandwich'), strict character limits forcing wildcard usage, and unpredictable new actions added without warning, making it impossible to implement basic security expectations.
Tags: security, AWS IAM, AWS

Insecure default configurations enabling privilege escalation
Severity: 9
Deploying containers with insecure settings (root user, 'latest' image tags, disabled security contexts, overly broad RBAC roles) persists because Kubernetes doesn't enforce strict security defaults. This exposes clusters to container escape, privilege escalation, and unauthorized production changes.
Tags: security, Kubernetes, RBAC

Poor page rendering performance at scale
Severity: 9
Next.js exhibits slow page rendering performance in production: basic pages take 200-400ms, large dynamic pages exceed 700ms, and crawlers hitting multiple pages simultaneously cause site crashes. Caching is unpredictable across replicas.
Tags: performance, Next.js

Sensitive data exposure in state and plan artifacts
Severity: 9
Terraform stores real secret values (API tokens, database passwords) in plaintext state files and plan output despite showing (sensitive value) in the CLI. When plan files are uploaded as CI/CD artifacts, they become security liabilities if accessible to unauthorized parties.
Tags: security, Terraform, CI/CD

React/Next.js serialization vulnerabilities expose TypeScript runtime risks
Severity: 9
Critical security vulnerabilities like React2Shell (CVE-2025-55182, CVSS 10.0) in Next.js RSC serialization revealed that full-stack JavaScript and TypeScript lack secure serialization models. These runtime CVEs forced developers to reassess security assumptions in TypeScript/React stacks.
Tags: security, TypeScript, React, Next.js

v0 Service Reliability and Data Loss
Severity: 9
v0 experiences frequent service outages, request processing failures, and data loss issues including deleted conversations, disappearing messages, and erased deployments. Users report being unable to rely on the tool for production work despite paying subscription fees.
Tags: compatibility, v0, Vercel

Client applications blindly trust external OAuth servers without verification
Severity: 9
In multi-tenant or SSO scenarios, client applications often fail to verify that authorization data (email, user profile) actually comes from the OAuth server configured for that user's account. A malicious OAuth server can return forged credentials, enabling account takeover.
Tags: security, OAuth 2.0, Single Sign-On