Payload 3.72, Next.js 16, and Claude Code updates headline this week’s breakdown of essential web development news and security vulnerabilities. We explore Payload's new experimental per-locale publishing and the addition of depth parameters to MCP tools. On the performance side, Next.js continues its relentless focus on Turbopack and memory management.
The industry is also grappling with significant security scares: a two-character filtering error that nearly compromised the AWS console and a Cloudflare firewall bug related to certificate renewal. Meanwhile, OpenAI introduces the ChatGPT Go plan at $8 USD/month, powered by GPT 5.2 instant, while pivoting toward an ad-supported model for free users. Finally, we compare the latest CLI enhancements from Cursor and Claude Code, and look at Railway’s intuitive CLI overhaul.
Transcript
What's up everyone?
Welcome to Next in Dev.
In this episode, I'll cover Payload version 3.72, Anthropic’s “Constitution” for Claude, some squashed bugs, and more.
After such a large update last week, the Payload team released a measly update with only two new features.
I hope you can tell I'm being sarcastic here.
Version 3.72 introduced an experimental feature that allows you to publish and unpublish content on a per-locale basis.
I explore this feature toward the end of my most recent live stream from this week.
It's an experimental feature, so expect breaking changes in the future as the team prepares it for general availability.
Regardless, this is a great step forward in Payload’s progress with localization.
The team also added the depth parameter to all MCP find resource tools.
Now you can control how much data your AI assistant populates.
Shadcn announced the full documentation of their base UI components.
They allowed the ability to choose between Radix and Base UI when running `npx shadcn create`, but documentation was missing.
Shadcn has since added that documentation.
The abstraction is the same between Base UI and Radix, so they should be interchangeable regardless of your component library.
Next.js recently released version 16.1.3 and 16.1.4, along with several canary updates.
These changes improve how the system tracks errors and manages memory so your site stays fast and reliable.
The team also updated Turbopack to help your code run faster.
This seems to have been the primary focus of the Next.js team for weeks now.
Cloudflare fixed a bug where their security firewall would turn itself off for specific web addresses used to renew security certificates.
This happened because the system tried to stay out of the way of certificate robots, but forgot to check if the person asking for access actually owned the website.
Thankfully, researchers found the issue before any bad actors could use this vulnerability to attack private servers.
On the topic of security, researchers discovered a major flaw in the AWS console that could have allowed hackers to take over important pieces of Amazon's code.
By finding a mistake in just two characters of a filtering rule, attackers could have snuck into the system and changed the software that millions of people use.
Amazon fixed the problem immediately, and there is no evidence that any hackers actually used this vulnerability to cause trouble.
OpenAI launched a new subscription plan called ChatGPT Go that costs 8 USD a month and is now available everywhere.
This plan gives users much more room to chat, upload files, and create images compared to the free version.
It uses OpenAI's new GPT 5.2 instant to help people get answers quickly.
It's a more affordable plan for individuals who want to use AI more frequently.
One other reason they launched Go: OpenAI is planning to show ads to people who use the free version or the new Go subscription of ChatGPT.
They promise that these ads won't change the answers the AI gives you, and that your private conversations will never be sold to advertisers.
We've heard this song and dance before, and it always ends in class action lawsuits.
We'll see if OpenAI holds up their end of the bargain.
The goal is to make enough money from ads so that everyone in the world can still use basic AI for free.
I'm starting to pick up on a trend from Cursor.
They're investing a lot of time and energy into their CLI tools.
If I were a gambling man, I would hazard to guess that Cursor seeks to compete against Claude Code in the CLI.
Cursor now allows plan mode in the CLI.
Simply use the slash command plan to get started.
It works as you'd expect.
Your AI assistant does the thinking based on your specs and comes up with a plan before doing any work.
Now, instead of existing in your IDE, it exists in your terminal.
Similarly, you can use the slash command ask to ask questions about your code.
Other changes include the ability to hand off to your cloud agents from the CLI, word-level inline diff highlighting in the CLI, and one-click MCP authentication using the MCP list slash command.
Claude Code is still boss in my book, though.
Anthropic is joining Teach For All to bring Claude to over 100,000 teachers in 63 countries.
This partnership helps educators build their own digital classroom tools like math games and science lessons specifically for their students’ needs.
Instead of just using what they're given, teachers get to help design how the AI works for schools around the world.
I think it's incredibly important that teachers and educators lead the way in responsible use of AI. As teachers begin adopting the tools kids are already using, they'll be able to help form what usage can and should look like for education in the future.
One thing to consider is that this initiative is putting powerful coding tools into the hands of non-developers, who will shape the future of coding and technology.
It's both scary and exciting.
Anthropic recently published a new “constitution” for Claude, which moves away from a simple list of rules to a more detailed explanation of values and goals.
This document helps Claude understand the why behind its instructions, so it can make better decisions in tricky or new situations.
By sharing this “Constitution” openly, Anthropic wants everyone to see exactly what kind of behavior they are trying to teach Claude.
I'm adding a new section just for Claude Code here.
I've recognized that I've missed some important news and features for Claude that I want to stay up to date on.
Anthropic released Claude Code version 2.1.14.
This version introduces helpful shortcuts like history-based autocomplete in the terminal, and a search tool for finding your installed plugins.
It fixes a memory leak that caused crashes during long sessions, and solves a bug that was incorrectly blocking users from using their full message space.
The update also improves how you interact with files and folders using the @ symbol, and adds a way to check your plan usage directly in VS Code if you use VS Code.
They also released version 2.1.15, and this version adds a notice to users installing Claude Code with npm.
Now users will need to use another installation method such as the native installer, Homebrew or WinGet.
They also improved UI rendering and fixed a bug that left the "context left until auto-compact" warning up even after running the compact slash command.
Railway has introduced the ability to require two-factor authentication for all workspace members.
This is available to all on the Pro plan with an organization workspace.
As much as I hate two-factor authentication as a user, I suppose it's something that should be enforced at the organization level.
This change does not affect API tokens.
You can make this change in your workspace settings.
The team overhauled Railway's CLI structure.
The old structure still works, but the new structure looks much more intuitive.
You're now going to use a pattern that starts with the object.
Then define the action.
For example, `railway variable set`.
The goal of this change is to have a more consistent and predictable CLI as it grows.
Other changes the Railway team implemented include low-latency storage in the Singapore region through buckets, improvements in the database UI, and the canvas arrows that we saw in beta last week are now generally available.
That was fast.
What did I miss?
There's so much happening in modern web dev that I'm sure I have missed something.
Please share your thoughts in the comments.
I want to address your suggestions and may include them in future episodes.