When a service in our catalog has a security incident, we post a dated advisory here with the vendor’s official bulletin linked, a plain-English summary of the scope, and a concrete action list for affected customers. We don’t speculate on impact beyond what the vendor has stated, and we don’t use incidents to push migration — we surface facts so developers can decide.
Advisories are published only with a primary source (vendor blog, status page, or official disclosure). Each entry lists the date we first published the advisory and the date we last verified it against the vendor’s current statement.
Vercel disclosed a security incident on April 19, 2026 involving a third-party AI tool compromise that escalated to internal systems. Customer credentials for a limited subset were affected; non-sensitive environment variables should be rotated.