π¨ #263: DoS, RSC Explorer, Base UI, shadcn, Blender, TanStack, Format.js | Hermes, Screens, Survey, React Navigation, ZoomGrid, Radon, TrueSheet, PagerView, Nitro | Node.js, TypeScript, Safari, State of HTML
Hi everyone! Filip and Krzysztof from Software Mansion here! π
Itβs been another challenging week for the React ecosystem. Developers worldwide have been rushing to update their React versions to patch two new vulnerabilities. This serves as a good reminder for all of us to prioritize security during testing.
Fortunately, React Native remains mostly unaffected by these threats, as Server Components arenβt yet widely used in the mobile environment.
We are taking a well-deserved Christmas break π so this will be our last issue until January 14th.
Merry Christmas and a Happy New Year to everyone! Thank you for reading our newsletter throughout the year. See you in 2026! π
As always, thanks for supporting us on your favorite platform:
- π¦ Bluesky
- βοΈ X / Twitter
- π LinkedIn
- π½ Reddit
Ne manque pas le prochain email !
πΈ Sponsorβ
Internationalizing your Next.js app in 2026
Next.js 16 just landed β and with the new year around the corner, itβs the perfect time to take the pain out of your i18n setup and turn it into your competitive advantage. In learn.next-intl.dev, youβll learn all the practical patterns you can apply immediately:
- π I18n β translations: Understand the pieces that make a truly localized experience
- ποΈ Architecture that scales: Routing, locales, time zones & currencies done right
- βοΈ The full picture: Backend, CMS, SEO, dev tooling, AI translations & more
Enjoy 30% off for the holidays!
βοΈ Reactβ
Denial of Service and Source Code Exposure in React Server Components
Another week, another set of React vulnerabilities - itβs a tough time for the React ecosystem. While these issues are less severe than the last one (allowing Remote Code Execution), they are still serious, and itβs recommended to upgrade React 19 again. Both are related to RSC and Server Actions.
The first (CVE-2025-55184) is a denial-of-service flaw. Attackers can crash your server by sending a payload with a cyclical reference in the React Flight Protocol. This causes React to loop indefinitely until the server times out. The second vulnerability (CVE-2025-55183) involves code exposure due to a lack of user input validation. Under certain conditions, this can lead to the source code of your implementation being leaked.
The maintainers reacted quite fast, and we have received several patch releases: React 19.2.3, Next.js 16.0.10, Vercel/SWR 2.3.8
More resources about the recent React vulnerabilities here:
- π Next.js Security Update - The necessary steps to secure your Next.js app against all the recent vulnerabilities.
- π₯ Ankita Kulkarni - 2 More React Security Issues
- π₯ Shruti Kapoor - React RCE Attack Explained - Critical Vulnerability CVSS 10.0
- π₯ Theo - The latest React vulnerabilities explained
- π₯ Wes Bos - Iβm gonna crash out (react2shell vulnerability)
- ποΈ PodRocket - React got hacked with David Mytton
React Server Components Explorer
If recent security headlines had a silver lining, itβs the renewed interest in how React Server Components actually work under the hood. And Dan Abramov showed up just in time with RSC Explorer, an interactive tool to help you visualize the wire format and master the mental model.
Where components are rendered is not the only thing that should receive attention this week, as Base UI 1.0 is now stable, marking the official release of the unstyled primitives developed by the original creators of Radix UI, Floating UI and MUI. Itβs a significant addition to the "headless" ecosystem, offering a refined alternative to Radix UI or React Aria. All the shadcn/ui components have already been rebuilt to support Base UI (tweet).
- πΈ Next.js 16 Route Handlers Explained: 3 Advanced Use Cases
- π Storybook Security Advisory - CVE-2025-68429: Another security issue π
This time
.envvariables can inadvertently be exposed when publishing your Storybook v7+ to the web. - π Brand new React Aria documentation with interactive examples.
- π Intro to performance of React Server Components - A deep and fair analysis of how RSC can improve page load time by shifting data fetching and rendering to the server, while also not keeping silent about the architectural trade-offs.
- π How AI Coding Agents Hid a Timebomb in Our App - Fun story where an infinite recursion bug was not immediately visible because it happened in the background due to leveraging the new
<Activity>component. - π React Compilerβs Silent Failures (And How to Fix Them) - When the Compiler canβt compile a component, it fails silently. The author discovered a secret ESLint rule
react-hooks/todothat permits to fail-fast on patterns the Compiler doesnβt support yet. - π Driving 3D scenes in Blender with React - A custom React reconcilier translates React operations into Python commands to communicate with the Blender API.
- πΈ React Certification β Junior, Mid, and Senior level certification. Exam only or full prep bundle with trial exam & labs. Choose your path.
- π¦ shadcn 3.6 -
npx shadcn create- With this new CLI, you can now create your own customizedshadcncomponent library, using either Radix UI or Base UI. Theo also released a video about this if you want to learn more about what has changed. - π¦ TanStack Start 1.141 - Vue Start: After React and Solid, TanStack Start adds support for Vue. TanStack Start really is aβ¦ framework-agnostic meta-framework? π€ͺ
- π¦ React Router 7.11 -
vite previewsupport, stabilizeonErrorAPI, newunstable_defaultShouldRevalidateopt-out API - π¦ Format.JS for React - Multiple releases, breaking changes and a conversion to ESM
- π¦ Recharts 3.6 - New
BarStackcomponent, support for ranged stackedBarChart - π¦ React Grid Layout 2.1 - Support for large-scale layouts and custom constraints - you can test it in the interactive docsβ showcase.
- π¦ Slot JSX - Custom JSX pragma for powering asChild or render function prop patterns
- ποΈ PodRocket - TanStack, TanStack Start, and whatβs coming next with Tanner Linsley
Ne manque pas le prochain email !
πΈ Sponsorβ
When your app become a floating window - RN in VR
VR pushes React Native developers to think more like adaptive-layout designers. Instead of working with fixed viewports and predictable screen sizes, youβre designing for flexible windows that users can move, resize, and interact with in new ways. In this article, Jan Jaworski from Callstack breaks down how to bring mobile experience patterns into VR safely: where they map well and where youβll need to rethink typography, spacing, accessibility, and interaction models.
If you want to build for Meta Quest with confidence, explore this step-by-step React Native VR series:
- Get Started With Expo on Meta Quest
- Use Expo Libraries on Horizon OS: A Guide to Compatibility
- How to Release a React Native App on the Meta Horizon Store
β¦and more.
π± React-Nativeβ
The State of React Native survey is back and ready to accept your responses!
It has been slimmed down to avoid overlap the State of React survey, focusing more on the React Native side of things. Please answer and help the core maintainers and library authors understand what they should focus on next year! π
- πΈ PostHog - Track errors and resolve issues with error tracking for React Native. Get your first 100k exceptions free every month.
- π React-Navigation 8.0 docs PR: We heard v8 alpha is dropping very soon! It should come with better TypeScript types, native Bottom Tabs by default, access to the params of parent screens, a new
pushParams()API, and more. - π React Native RFC - iOS Migration to SceneDelegate - A plan to adopt iOS UIScene lifecycle APIs instead of using AppDelegate.
- π¦ Sneak peek of Live Activities and Widgets in Expo UI, coming with SDK 55
- π Official Hermes team blog - The Hermes team decided to collect articles about Hermes published on X over the last few years into a structured GitHub repository. There, you can find interesting insights into Hermes internals and JSI. The most recent one is Tzvetan Mikov explaining how JSI extensions make it easier to contribute to the Hermes engine.
- π How to implement iOS widgets in Expo apps - A case study on using Swift UI Widgets with Expo, and how they can benefit your project by providing subtle, low-friction content for the user. This perfectly aligns with the latest signals from Expo that they are working on implementing Widgets for Expo UI components to make it even easier.
- π Debug Like a Senior - React Native Performance Panel - JS performance profiling in React Native used to be painful, but the new Performance Panel in React DevTools finally fills the DX gap. This article describes the panel's features and reveals some hidden gems you probably weren't aware of.
- π You can use the latest React Native DevTools without upgrading - While it's more of a workaround than a formal solution, you can still use the new Performance profiler even if your project is stuck on an older version of React Native.
- π Expo now supports Maestro Cloud testing in your CI workflow - This is interesting, as Maestro is becoming an increasingly reliable testing solution in the mobile application world.
- π Why You Donβt Have to Minify JavaScript Code in React Native Apps - Thanks to Hermes.
- π AI-powered code reviews for your Expo projects with CodeRabbit
- π¦ Screens 4.19 - Support for iOS
bottomAccessoryin native tabs, enhanced bottom tab bar customization on Android - π¦ Radon IDE 1.14 - React Native 0.83 support, Radon AI, and Network Inspector improvements
- π¦ True Sheet 3.4 - Custom dim view with smooth interpolation
- π¦ Pager View 8.0 - Full rewrite in Swift UI
- π¦ Zoom Grid - Zoomable grid component built on top of Shopify FlashList
- π¦ Nitro MLX 0.1 - Run LLMs on-device in React Native using MLX Swift
- π¦ Nitro Markdown - High-performance parser using Nitro and md4c (C++)
- π₯ Software Mansion - A Deep Dive into Shared Element Transitions (Reanimated 4.2)
- π₯ Code with Beto - Whatβs new in React Native 0.83, React 19.2, new DevTools features
- π₯ Expo - How to add native iOS Widgets to your Expo app (SwiftUI + Expo Apple Targets)
- ποΈ Rocket Ship 87 - React Native 0.83, Security Vulnerability, Faster Builds, Expo Router Sneak
- ποΈ RNR 349 - How 2025 changed the React Native job market
π Otherβ
- π CSS scroll-triggered animations - a new version of Chrome will arrive in 2026 with scroll-triggered animations definable by CSS.
- π State of HTML 2025 - Survey results
- π Why are my view transitions blinking? - A deep dive into the
view-transition-nameCSS property. - π Symbol.iterator Is Pretty Neat, Actually - An interesting use case where getting control over the spread operator improves DX.
- π¦ Safari 26.2 -
commandfor, Navigation API, Map Upsert, auto-expanding textareas,scrollbar-color, and more - A massive release, also unlocking cool APIs like the Navigation API that is now supported across all browsers! - π¦ Node 24.12 - Type stripping is now stable: TypeScript support is officially stable in Node LTS!
π€ Funβ
See ya! π
Ne manque pas le prochain email !
