π¨ #227: Next.js, tRPC, React Query, React Router, StyledComponents, MUI, Base UI, Next Intl | React Native birthday, Lynx, EAS, Atlas, Reanimated, Audio, BottomTabs | CSS, Rsdoctor, Linters, Node
Hi everyone!
This week, you probably didn't miss the Next.js middleware drama, but that wasn't the only thing going on!
We also got many great releases such as tRPC, React Query, Rsdoctor and more!
Also, React Native is 10 years old today! π₯³
As always, thanks for supporting us on your favorite platform:
- π¦ Bluesky
- βοΈ X / Twitter
- π LinkedIn
- π½ Reddit
Ne manque pas le prochain email !
πΈ Sponsorβ
Convex: The Database Designed for AI Coding
In the age of code generation, you need a backend that you can confidently generate with AI platforms. Convex is by far and away best in class in this respect.
This is because Convex is just TypeScript, allowing you to writeΒ queries as codeΒ that are automatically transactional, cached, and realtime.
And thatβs just the beginning. With Convex, you can:
- Easily schedule functions and write cron jobs
- Set up file storage
- Write efficient server functions
- And so much moreβ¦
βοΈ Reactβ
Postmortem on Next.js Middleware bypass
A few days ago, Vercel announced a critical 9.1 vulnerability in Next.js middleware system. With a simple but malicious x-middleware-subrequest header, you can bypass the middleware, possibly exposing sensitive information. Patches are available for Next.js 12/13/14/15. Note that this vulnerability only affects self-hosted apps using output: βstandaloneβ and next start are affected. Customers of major serverless cloud providers are either not affected (Vercel, Netlify), or protection can be turned on (Cloudflare).
It's worth noting that even though Next.js middleware shouldnβt have this vulnerability, it is not the recommended place to manage user sessions and protect routes, and shouldnβt be the only line of defense in your Next.js app. The middleware is more designed to perform lightweight optimistic checks, eventually rewriting/redirecting without hitting any DB.
This security event has caused a lot of drama in the ecosystem, which I'd rather not comment on much. Vercel could have handled the situation better, and they plan to do better in the future. Iβll let you make your own opinion based on various resources, and thereβs too many, so this is just a subset:
- π Next.js and the corrupt middleware: the authorizing artifact: The original article from the security researchers who found the vulnerability.
- π How to Think About Security in Next.js: Older post but still a relevant read today.
- π Authorization in Next.js: Robin explains how he approaches authorization in Next.js projects, as close to the sensitive data as possible.
- π You should know this before choosing Next.js: The perspective from Netlifyβs Principal Engineer.
- π₯ Theo - Next.js security exploit: A 1h stream that on this topic, also explaining what Vercel did wrong.
- πΈ Product for Engineers - Don't make these feature flag mistakes
- π Next.js PR -
useLinkStatus(): New hook to provide pending feedback during navigation transitions. - π Next.js PR - Link
onNavigateprop - π£ Styled Components - Thank you: The popular old-gen CSS-in-JS library is now in maintenance mode and not recommended for new projects.
- π React-Summit - π³π± Amsterdam - 13 & 17 June. Creators of React Query (Tanner Linsley), Expo Router (Evan Bacon), Million.js (Aiden Bai) & more will share knowledge at React Summit! Use promo code TWIR for 10% off tickets.
- π Experimenting with React View Transitions: Explains what View Transitions are and how Reactβs experimental
<ViewComponent>API integrates this web feature. React starts view transitions automatically when using concurrent features, applies transition names automatically at the right time, and exposes convenient lifecycle props. - π Components Are Just Sparkling Hooks: Shows how a component can be transformed into a hook, how the 2 are related, and introduces the concept of hook-based headless components as a flexible primitive.
- π Writing static websites with Vite and React: Carlos created a Vite plugin to implement a simple React-based static site generator, using React only as a server-side templating system.
- π Next.js vs TanStack: Kyle is done with Next.js complexity and thinks TanStack Start is the right abstraction.
- π Passing TypeScript react components native HTML attributes: Shows how to wrap a native input while keeping the ability to pass any native input prop.
- π Storybook 9 sneak peek: Accessibility Addon refresh
- π React Trends in 2025
- π How does the use API work with Next 15 and React 19?
- πΈ Omlet for VS Code: Get React component usage insights in VS Code
- π¦ tRPC 11.0: This release brings many new React-related features, including TanStack Query v5 support, the new more native React Query integration based on
queryOptions, improved Next.js/RSC support, the ability to download/upload binaries, and more. - π¦ React Query 5.69 -
streamedQuery: React Query can now handleAsyncIterabletypes and receive chunks of data. It will bependingonly while waiting for the first chunk. This looks particularly useful for building AI/LLM chats. - π¦ Rsbuild Plugin React Router: Now available on npm, you can use React Router in framework mode with another bundler than Vite. It works well with all the React Router CLI templates and the Epic Stack.
- π¦ Material UI 7.0 - Improved ESM support, consitent slot pattern implementation,
enableCssLayer - π¦ Base UI 1.0.0-alpha.7: Another great release from the promising Radix UI challenger.
- π¦ Next Intl 4.0 - Type-safe locales, ICU arguments, format and more
- π¦ Merge Refs 2.0 - Merges React refs into one
- π¦ React-Admin 5.5 & 5.6 - March 2025 Update
- π¦ Ionic 8.5 - React 19 support
- π₯ React Paris 2025 Playlist: I was at the conf last Friday, great talks already available online, and it was nice to meet some of you there π!
Ne manque pas le prochain email !
πΈ Sponsorβ
Clerk's new experimental package for using Clerk in your AI agent workflows. Manage users, orgs, and more with Vercel AI SDK + LangChain support. Try it now: npm install @clerk/agent-toolkit
π± React-Nativeβ
React Native turns 10! ππ€―
Believe it or not, React Native was open-sourced exactly 10 years ago, and React Native is celebrating its first decade today!
A huge shoutout to everyone who made it happen! Letβs take the opportunity to listen again to this podcast episode with Christopher Chedeau (Vjeux, co-creator of React Native) where he explains the backstory of React Native, and how this great project could easily have died without ambitious people willing to bet on it.
Also a shoutout to the amazing React Native communityβtight-knit, always pushing forward, tackling challenges, and building the future of native declarative UI together π
To the next promising decade! π₯
- πΈ Codemagic - a great App Center alternative for React Native devs! 8x faster builds, CodePush, automated distribution. 1-month free trial!
- π Who's using Expo OSS in 2025: Evan just updated his list of 2,262 top apps using Expo or React Navigation.
- π Plugin Pro: Preview of upcoming CLI that records your native platform changes and then generates an Expo config plugin. This reminds how patch-package works.
- π Legend Photos - Open source photo viewing app - Built with React Native macOS
- π¦ Evan Bacon - βWhat if you could just build mobile appsβon the goβfrom a mobile app?β: This idea is quite interesting. Instead of using AI to generate server-driven UI, why not generating whole screens locally?
- π£ EAS Build & Workflows - Introducing M4 Pro - 1.85x faster iOS builds
- π Lynx Roadmap 2025: The React Native competitor plans to open source desktop support for Windows, macOS, and OpenHarmony. New capabilities, UI elements and improved tooling are coming.
- π Why Knowing Your Appβs Bundle Contents Matters for React Native Performance: Explains how to use Expo Atlas, and a trick to make it work even when not using Expo!
- π Migrating from Firebase Dynamic Links: a practical guide
- π React Native Modals in 2025
- π¦ Reanimated 4 beta.3 - CSS transitions shorthand, edge-to-edge, remove Old Arch code, depends on react-native-worklets
- π¦ Bottom Tabs 0.9 - Add
freezeOnBlur, removeignoresTopSafeArea(now itβs automatic) - π¦ Audio API 0.5 - RN 0.78, pitch correction, in-memory audio decoding
- π¦ Tanstack Query DevTools Expo Plugin
- π¦ React Native Auto Skeleton - Automatically generates skeleton based on your existing UI layout
- π¦ Expo Passkey - A Better Auth plugin enabling secure, passwordless authentication
- π¦ React Native Magic Scroll 0.1.25 - Manage keyboards and ScrollViews on long forms - New Arch, Expo 52 support
- ποΈ Rocket Ship 63 - From Idea to App using Replit with Matt Palmer
- π₯ Callstack Webinar - Using React Native in Existing Apps for Faster Cross-Platform Features
π Otherβ
- π Node PR - v24.0 release: New Node.js LTS is in RC and should be released on April 22. It upgrades V8 to 13.4, which should unlock new JS features such as
Promise.try,Intl.DurationFormatandAtomics.pause. - π One Thing @scope Can Do is Reduce Concerns About Source Order: TIL that
@scopeintroduces a new concept of βscope proximityβ to the CSS cascade! Itβs in Interop 2025 and should be in all browsers very soon. - π Chrome 135 - Carousels with CSS
- π Chrome 135 - The <select> element can now be customized with CSS
- π Hybrid Linters: The Best of Both Worlds
- π¦ Rsdoctor 1.0 - Build analyzer for webpack and Rspack: A great tool Iβm using on Docusaurus to find build time bottlenecks.
- π¦ Biome 2.0 beta - Plugins, domains, multi-file analysis and more
π€ Funβ
This week we have 2 videos, you need to click π
See ya! π
Ne manque pas le prochain email !
