React & Next.js Maintenance & Management

Vercel for teams that want the default experience, Cloudflare Pages and Workers for teams that want edge-first and predictable pricing at scale, and self-hosted Node or Docker for teams that need full control. Build pipelines reviewed against actual cold-start behaviour, not the marketing numbers.

Preview environment hygiene counts as part of the work. Feature branches that spin up real infrastructure with stale env vars, mismatched secrets, or unbounded preview counts quietly run up bills and leak credentials. The retainer covers that too.

ISR and on-demand revalidation configured against the real cadence of content changes, not the framework default. Edge runtime work for routes that genuinely benefit from the edge, and a Node runtime for routes that do not, because pretending everything belongs on the edge is a common and expensive mistake.

Middleware reviewed for weight, because middleware runs on every request and the cost compounds. Route handler patterns kept consistent across the app so that caching behaviour is predictable and error handling does not differ from one handler to the next.

Env var management across development, preview, and production, with the build-time versus runtime boundary reviewed properly so that server-only secrets do not accidentally surface in the client bundle. Secret rotation documented and actually performed on a schedule, not promised and deferred.

CSP headers configured deliberately, not copied from a template, and maintained as the third-party script footprint changes. Middleware rate limits on the endpoints that actually need them, auth flow review across App Router patterns, and API route protection that does not rely on the obscurity of the URL.

Dependency audits run on a cadence rather than when something breaks. Transitive dependency surface in a modern React app is wider than most teams track. The work is keeping it honest.

Headless front-ends talking to WordPress via REST or GraphQL, Sanity and Contentful for content-led stacks, and Shopify’s Storefront API where the storefront is in Next.js rather than Liquid. Preview mode reliability gets attention, because editors lose trust in a CMS the first time a preview fails silently.

Bundle analysis that identifies the libraries actually responsible for client-side weight, client component boundary review so that interactivity does not leak into components that should render on the server, and font and image optimisation configured against the real set of assets the site ships.

Core Web Vitals measured from the field, not the lab, and regressions chased down the week they appear rather than at the next quarterly review.

The classic failure is a revalidateTag or revalidatePath call whose argument has drifted out of sync with the tag that was actually used at the fetch layer, often because a rename happened in one file and not the other. Nothing throws. The page silently serves stale data, and the first sign is usually a customer email. Tests rarely catch this because they hit the route fresh each time. The fix is a tag and path contract that lives in a single module, asserted at both the fetch and revalidation call sites, with a CI check that breaks on drift instead of waiting for production to surface it.

The middleware.config.matcher gets written carefully on day one. Six months and several feature branches later, new protected routes have been added without touching the matcher, and the auth or rewrite logic that was supposed to guard every protected route is quietly only running on the old ones. There is no type error, no warning, and no failing test, because the framework does not know what you intended the matcher to cover. The fix is treating the matcher as a contract diffed against the actual route tree on a cadence, not as a config file written once and trusted forever.

A misconfigured images.loader, a custom loader that skips the optimisation pipeline, or an unoptimized flag that leaked into production from a workaround nobody circled back to remove, all end up serving full-resolution images straight from origin. The home page still looks fine because the hero is hand-crafted. The rest of the catalogue is paying for it in LCP, origin egress, and Vercel bandwidth spend that looks vaguely high and gets waved through. This is usually a ten-minute config fix that can recover hundreds of megabytes per month on a mid-sized catalogue, once somebody actually looks.