#262: React2Shell, Fate, TanStack AI, React Grab, Formisch, Base UI | React Native 0.83, Reanimated 4.2, State of RN, Refined, Crypto, Worklets, Sheet Navigator | CSS, Temporal, Supply Chain, Firefox
Hi everyone!
This week, it remains important for me to raise awareness about the React Server Components vulnerability, since an exploit is now widely available. Thankfully, we also have more positive React news!
It's even hotter on the React Native side. We were patiently waiting for 0.83 to publish and it's now out. You can now use <Activity> in React Native. Reanimated 4.2 is also out with Shared Elements Transition support.
It's the survey season, don't forget to answer the 2 most important ones that are currently open:

Sponsor
Learn how to build a TanStack Start project with Strapi
In this video tutorial, you'll learn how to create a fully dynamic, SEO-friendly landing page and blog website, which includes the following features:
- pagination
- search
- authentication
- comments
TanStack Start is an open source React framework built by and for the community.

React
In case you missed my email, a 10.0-scored vulnerability affecting React Server Components was unveiled last week. It's a really nasty one, enabling unauthenticated remote code execution with a simple HTTP request. Many React meta-frameworks and custom setups are affected, in particular Next.js (v14-canary, v15, v16). If your app is affected, you really need to upgrade now!
Although no exploit was initially shared, infosec researchers and hackers quickly reverse-engineered the patch, and an exploit was circulating online only ~30 hours after the initial disclosure. Hackers around the world have already been exploiting it at scale. There are even browser extensions to detect and exploit vulnerable sites. It wouldn't be surprising to see a worm exploiting it.
I've found so many related links, so here's my top selection:
- Vercel CEO Guillermo Rauch explains how the exploit works: It's quite sophisticated and shows the talent of Lachlan and Sylvie, who disclosed it after hours of research. I learned a few things about "gadgets" in JS that could be exploited.
- React PR - Patch FlightReplyServer with fixes from ReactFlightClient: The security patch that has been reverse-engineered.
- Red Herrings and AI Slop: Debunking React2Shell Misinformation: Explains that the patch PR above was deliberately misleading to buy time and let the community upgrade ASAP.
- Cloudflare outage on December 5, 2025: It was due to mitigation measures for the vulnerability.
- Next.js Security Advisory: Including a command-line tool to help you patch your Next.js app. There's also a Vercel Security Bulletin.
- Original Proof-of-Concepts for React2Shell
- Theo - React got hacked. It's really, really bad

- STRICH - Add lightning-fast barcode scanning to your app with a lean JS lib. Built-in UI, simple, predictable pricing, free trial and demo!
- React Fiber explained: A fun but accurate explanation of how and why React re-implemented its own stack and scheduling system.
- React Paris 2026 - Paris - 26 & 27 March. Full speaker lineup just dropped! Una Kravets, Gabriel Pichot and Kitze are part of the lineup, bringing cutting-edge React insights to the French capital. Get a 10% discount with code "TWIR".
- React 19.2. Further Advances INP Optimization: Focusing on Activity and the new DevTools performance tracks.
- Skeletons in My Codebase: Tanstack in Production: Pragmatic TanStack Router lessons learned through trial and error.
- Do's and Don'ts of useEffectEvent in React
- TanStack Start: New competitor to Next.js
- Bundle Size Investigation: A Step-by-Step Guide to Shrinking Your JavaScript
- Reatom: State Management That Grows With You
- React Elements, Children as Props, and Re-Renders
- Controlled vs Uncontrolled Components in React
- React Certification - Last chance to get React certified at a deep discount; Bootcamp training bundles start at 60% OFF. Offer ends soon.
- Fate alpha - A modern data client for React & tRPC: A new declarative data fetching and state management solution for React is now in alpha, created by former Meta employee Christoph Nakazawa. Inspired by the Relay client, it brings useful features such as state co-location, data normalization, view composition, and data masking, without needing GraphQL.
- TanStack AI Alpha: TanStack has unveiled its new AI package that is framework, language, and service agnostic. The official intro doesn't share many details, but I liked this community article that compares it to the Vercel AI SDK. It should have a great integration with TanStack Start and also ship a headless chat UI library. Also watch this walkthrough video from one of its creators, Alem Tuzlak.
- React Grab for Agents: This lets you assign concurrent UI-related tasks to AI agents directly from your browser with a nice user experience. You automatically share the right context (file path, component stack…) to clearly communicate your intent to AI agents so that they don't lose time figuring things out.
- Formisch - Modular and type-safe form library for any framework: Initially built for Solid, now includes React bindings.
- SVAR React DataGrid - Fast, feature-rich React datagrid with sorting, filtering, virtual scrolling, and more
- Base UI 1.0 rc.0
- PodRocket - Whats new in React 19.2 with Shruti Kapoor

Sponsor
Make your AI code guidelines stick with CodeRabbit
You already tuned your AI agents with .cursorrules, CLAUDE.md, Agents.md, and Copilot-instructions. CodeRabbit reads those guideline files and uses them to enforce code quality in every PR review, so comments line up with the rules you have already written.

React-Native
A new minor version of React Native has just been published. Without any user-facing breaking changes, it reflects the efforts to stabilize the framework, making it easier to upgrade and benefit from new, useful features.
The highlights are:
- React 19.2, enabling support for <Activity> and useEffectEvent
- DevTools with Network and Performance panels, and a new desktop app
- Intersection Observers (Canary), another DOM API coming to React Native
- Web Performance APIs are now stable
- Hermes V1 performance improvements
- Experimental iOS feature flags to compile out the Legacy Architecture, and debug precompiled binaries

Reanimated 4.2 - Shared Element Transitions
Software Mansion devs have finally reimplemented Shared Element Transitions, the most requested feature, on top of Reanimated 4 and the New Architecture. It makes it possible to animate views between two different screens, giving a feeling of continuity when navigating. This feature and other performance improvements are gated behind feature flags to collect feedback and finalize the implementation.

- [Free Workshop] Improve React Native Performance using Tracing and Logs with Sentry
- State of React Native 2025: The annual community survey is now live. Please answer it!
- Expo - Mitigating the Critical Security Vulnerability in React Server Components
- React Native issue - How to mitigate React2Shell in React Native: The community tried to update React after the vulnerability was revealed, which led to version mismatch issues with React Native. Ricky explains that React itself is not vulnerable, and only RSC packages are.
- React Native RFC - Library codegen as prefab on Android: A suggestion that could help improve Android build times, and benefit the recently launched RNRepo project.
- iOS bottom accessory support is coming: It should be released soon in Screens 4.19 and probably later in Expo Router 7 / SDK 55. Other features are coming to Expo Router, such as Zoom Transitions on iOS.
- Kotlin Multiplatform: Benefits, Limitations & Our Contributions: Software Mansion created a team centered around KMP, which has already published a few open-source packages. They break down what it does well, where it falls short, and compare it to React Native.
- What Changes When You Bring React Native to VR on Meta Quest: List of things to consider in terms of responsive design, accessibility, and interactivity.
- How to swap between React Native Storybook 10 and your app
- Large header title in Expo Router
- Sheet Navigator - Custom React Navigation navigator integration for True Sheet: Makes navigating to a sheet as seamless as if it were a stack screen.
- Refined - ESLint plugin for your React Native styles: This could help make your app look more polished.
- Worklets 0.7 - Register custom Serializable (useful for Nitro Objects), scheduling APIs, and new Synchronizable docs
- Quick Crypto 1.0 - Rewritten with Nitro Modules
- IAP 14.5 - Built-in Purchase Verification (aka Receipt Validation), IAPKit integration
- Expo Speech Transcriber 0.1.6 - Support for Android real-time transcriptions
- MMKV 4.1 - New instance APIs, existsMMKV, deleteMMKV, importAllFrom
- Uniwind 1.2 - Vite/RNW support, improve React Compiler support
- Beto - I Tried Snap's Valdi - Is It Better Than React Native?
- RNR 348 - From Ionic Evangelist to React Native Content Creator: Simon Grimm

Other
- CSS Wrapped 2025: A greatly presented overview of all the new web/CSS features that landed in Chrome this year. Including cool things you've probably never heard of.
- How We're Protecting Our Newsroom from npm Supply Chain Attacks: Using 3 layers of pnpm security controls.
- Protect yourself from malicious NPM packages with a system-wide dev container
- TypeScript Types as a Programming Language
- The Case for Effect
- Chrome 144 beta: Includes the Temporal API!
- Bun 1.3.4 - URLPattern
- Oxlint Type-Aware Linting Alpha
- Firefox 146 - @scope, symbols as WeakMap keys, Navigation API (nightly), and more

Fun
See ya!










