The Cult of Vibecoding (And Why It Scares Me)
Let's talk vibecoding
For the love of all things compile-able, please just stop. I've started a drinking game where I skull every time someone says they "vibe coded" something, and now I'm too drunk to comprehend the depravity. (Joke. Mostly. I am writing this on my phone at 9pm, so future-me will not be able to read whatever my thumbs just committed to the internet. Future me: I hate you.)
Vibecoding: the layman's best friend, the second coming of sliced bread, the answer to every hackathon prayer.
No more gatekeepers!
Build anything in a day (or 15 minutes, if you've really got the vibes going) and call it an MVP. Sounds incredible, right?
Sit down, child.
Behind every "good thing" is a spectacularly stupid implementation waiting to explode. Yes, we can build fast. But a lot of what's being built is the most half-baked garbage I've seen in my entire career.
And before you @ me: I use AI constantly. Tests, bug fixes, de-spicing angry emails, even edits on this very rant. It's a brilliant tool - and like a chainsaw, it's also a nightmare in the wrong hands. (Texas Chainsaw Massacre wasn't a documentary about arborists.)
The line gets crossed when you outsource thinking. If you're pasting model answers into prod and shrugging "good enough," congratulations: you've turned a tool into a loaded nail gun pointed at your compliance department.
I grew up with kids who'd dump their English into Google Translate, spit out Franken-French, and hand it to Madame like they'd just spat into her baguette. Same energy here - except replace the baguette with a server on fire, and the homework with data breaches, leaked API keys, and a lifetime supply of tech debt that detonates two years after your "launch" goes stale.
The password-reset horror story
Actual quote from a proud vibecoder (names redacted because I'm merciful):
"We didn't implement password reset for two months. It was easier to change passwords directly in the database."
Mate. No.
I love poking around a database as much as the next nerd - spent years knee-deep in data science. But this? Nuclear red flag.
Why is that bad, beyond the obvious?
Compliance: Maybe no one asks for SOC 2/ISO until a big fish shows up, but you're building future liabilities right now.
GDPR/Privacy: "We're in Australia, who cares" is not a legal strategy.
Access hygiene: If you can "just change it in the DB," who else can? And what else can they see?
Plain text risk: You do realise that sentence hints you stored passwords in plain text, right? Please tell me I'm wrong. Please.
This is why scaffolds exist. Laravel Jetstream/Fortify/Passport - pick your poison. They ship secure authentication defaults: hashed passwords, email verification, 2FA, password resets - the boring, essential stuff. Or use a proper Auth0/Entra ID (Azure AD) setup. Want enterprise? SCIM's right there. The fact you skipped all of that tells me you're either reinventing auth from scratch (why) or you duct-taped something cursed together.
That's not "hustle." That's a breach waiting to happen.
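What those scaffold defaults boil down to, as an added example (not code from this post, Laravel, Auth0 or Entra ID): salted password hashing plus a reset token that is random, expiring, single-use and stored only as a hash. The in-memory Maps, the function names and the 15-minute lifetime are assumptions, and scrypt from Node's standard library stands in for bcrypt/Argon2 so it runs without dependencies.

```javascript
const { randomBytes, scryptSync, createHash, timingSafeEqual } = require('node:crypto');

const RESET_TTL_MS = 15 * 60 * 1000; // assumed token lifetime: 15 minutes
const users = new Map();       // stand-in for the users table: email -> { passwordHash }
const resetTokens = new Map(); // stand-in for a reset table: sha256(token) -> { email, expiresAt }
const auditLog = [];           // who reset what and when; never the token or the password

// Salted, slow hash. scrypt stands in for bcrypt/Argon2 only because it ships with Node.
function hashPassword(password) {
  const salt = randomBytes(16);
  return `scrypt:${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [, saltHex, keyHex] = stored.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return timingSafeEqual(actual, expected); // constant-time comparison
}

function registerUser(email, password) {
  users.set(email, { passwordHash: hashPassword(password) });
}

const sha256 = (value) => createHash('sha256').update(value).digest('hex');

// Returns the token to email to the user, or null for an unknown address.
// The caller should show the same "check your inbox" message either way.
function requestReset(email, now = Date.now()) {
  if (!users.has(email)) return null;
  const token = randomBytes(32).toString('hex');
  // Only the hash is stored, so a database reader cannot replay the token.
  resetTokens.set(sha256(token), { email, expiresAt: now + RESET_TTL_MS });
  auditLog.push({ event: 'reset_requested', email, at: now });
  return token;
}

function completeReset(token, newPassword, now = Date.now()) {
  const key = sha256(String(token));
  const entry = resetTokens.get(key);
  resetTokens.delete(key); // single use: burned on the first attempt
  if (!entry || now > entry.expiresAt) return false;
  users.get(entry.email).passwordHash = hashPassword(newPassword);
  auditLog.push({ event: 'reset_completed', email: entry.email, at: now });
  return true;
}

// Constructed sample account (not real data).
registerUser('ana@example.test', 'old-password-1');
```

In a real app the Maps become database tables and the token goes out by email. Nobody needs write access to the password column to help a locked-out user.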
"But I can vibe code an app in a day!"
Cool. Can you actually code?
If you can spell téléphone in French but can't conjugate être, you don't "speak French." Same here. If you can paste together an app that seems to work but have no idea about paradigms, standard practices, compliance, CRUD, auth, migrations, secrets, logging, monitoring, incident response, you didn't build a product - you assembled a trap.
Coding looks like magic to non-coders. You can spew jargon - event-driven, CQRS, idempotent, orthogonal, eleven herbs and spices - and watch eyes glaze. That mystique lets bullsh*t pass as brilliance. And we've just opened the floodgates.
It's terrifying.
I "actually code," which means I can smell nonsense a suburb away. You show me a "15-minute MVP that will save baby gorillas," I'm asking:
Where are your keys stored? (ENV? KMS? Or… GitHub config.js?)
How are you doing DB migrations? (Pray-driven deployments don't count.)
What's auth? (Sessions? JWT? Rotation? Revocation?)
Are passwords hashed? (Bcrypt/Argon2, not "MD5 because it's fast".)
Is your API locked down? (CORS? Rate limits? RBAC? Audit trails?)
Any front-end secrets? (I've literally seen a "waitlist" stored in a public JSON on the front end. Yes, really.)
If your answer is "uhhh," then no, it's not fine - it's a liability.
The real danger
The danger isn't that vibecoding creates trash apps. We've always had trash apps. (Shoutout to every phpBB forum still limping along from 2006.)
The danger is false confidence. People now believe they are developers after two nights with ChatGPT and some YouTube shorts. They skip the "understanding" part and go straight to "deployment." And that's how you end up with:
An "AI SaaS" that's just an API key pasted into a Next.js template.
Startups storing customer health data in Notion.
Founders emailing around CSV exports of production databases because "we didn't have time to build an admin panel."
Codebases that are basically haunted houses: looks fine from outside, but step inside and every door leads to a new curse.
This isn't "move fast and break things." This is move fast and break everything, including trust, security, and probably the law.
I'm not gatekeeping - I'm begging you to learn the basics
I love this craft. It's wizardry that turns thought into working reality. I want more devs, especially here on the Gold Coast - we're a rare breed.
But please, for the love of uptime:
Learn what a function is and what pure means.
Know the difference between const, let, and var.
Write a for loop, then learn map/filter/reduce.
Understand CRUD, HTTP verbs, and why idempotency matters.
Hash passwords. Use migrations. Don't put secrets in the front end.
Read logs. Add tests. Use staging. Touch prod with gloves.
Recognise that technical debt is a credit card: fun today, bankruptcy later.
If you refuse to learn, I can't respect the work. And I'll be the poor sod rewriting it in five years when you're fired and the startup's burning cash trying to become "enterprise-ready."
The likely future
Vibe coders will vibe.
Actual engineers will fix, harden, and scale - and invoice accordingly.
Juniors? I sincerely hope you survive the noise. Find mentors who care about fundamentals, not just TikTok demos.
If you're a founder
When someone says "just vibe code it," don't. Talk to someone who's done this properly. Better: bring on a technical founder who can plan an application, design a system, and ship secure, compliant, maintainable software on day one.
Do you need perfection for an MVP? Not remotely. Ship ugly. Learn fast. But be honest that your MVP is a prototype you will throw away. Don't stack a company on duct tape and vibes, then act shocked when the roof caves in.
Build fast, learn faster, and when it works - rebuild it right.


