π¨ #282: Security, Fate, TanStack, Redux, Jotai, Base UI, Relay, Storybook | Hermes-node, Expo, Rozenite, Harness, VR, Nitro, Skia, Redraw | TC39, Bun, pnpm, npm, Yarn, Node, Webpack
Hi everyone, Seb and Jan here π!
It looks like security is going to be a hot topic this year! π
More packages are being compromised, and blog posts are also covering recent RSC vulnerabilities.
Maybe we're reaching a tipping point, and better security practices will consolidate this year.
On the React Native side, Hermes-node is quite exciting, although it's very early.
An exciting TC39 meeting is currently underway, and several proposals have already progressed.
Yarn and npm are improving on the security side.
Bun and pnpm are being ported to Rust.
Let's dive in!
As always, thanks for supporting us on your favorite platform:
- π¦ Bluesky
- βοΈ X / Twitter
- π LinkedIn
- π½ Reddit
Don't miss the next email!

πΈ Sponsor
Ship AI generated code safely with Meticulous.
Claude writes your code. Claude reviews your code. Claude fixes the review comments. And somehow, you're the one getting paged at 2am when it breaks in prod.
Fortunately, top AI-driven teams like Dropbox, Notion, LaunchDarkly, and Wiz rely on Meticulous to run 1000s of e2e UI tests autonomously, covering every user flow, edge case, role and permutation. Built by ex-Palantir engineers, Meticulous gives you near-exhaustive coverage in weeks, without any developer effort.
It works like magic in the background:
- Near-exhaustive coverage on every test run
- No test creation
- No maintenance (seriously)
- Zero flakes (built on a deterministic browser)
Check it out - and see why one engineering leader at Dropbox said that "once we started using Meticulous, we couldn't imagine working without it."

βοΈ React
Mini Shai-Hulud worm keeps digging
Remember last week's TanStack Router compromise? The dangerous worm from TeamPCP keeps compromising users and maintainers across ecosystems, affecting popular packages such as echarts-for-react and @antv, and GitHub actions such as actions-cool/issues-helper. OpenAI employees got compromised, leading them to regenerate code signing certificates. Grafana has been blackmailed by a ransomware group. The Million.js repository was also briefly compromised, but they seem to have gotten lucky: it apparently didn't affect anyone.
Rumors also link this worm to the Nx Console VSCode extension compromise, and possibly to a major GitHub internal repo breach. This story isn't over: "Mini" feels like a very questionable name π !

- πΈ PlanetScale - Faster apps start with a faster database. Get started with the fastest benchmarked Postgres and MySQL.
- ποΈ React Norway - π³π΄ Oslo - 5 June - Experience the "Rock & React" atmosphere in a unique one-track full-stack festival with 350+ passionate developers. -10% with code "TWIR".
- π React Server Components in TanStack - A pragmatic intro to TanStack's flexible RSC model, CompositeComponent, and how much it could save in terms of client bundle size.
- π Structural sharing, selectAtom, and why your jotai atoms re-render too much - Explains how deriving atoms, decomposing into primitive atoms, and structural sharing can help avoid re-renders.
- π The React2Shell Story - 2 articles from the duo who reported the security flaw allowing remote code execution in RSC.
- π The Flight Protocol Made Your DoS My Problem - React/Next.js recently patched various CVEs. One of them could block your Node process in a single HTTP request.
- πΈ Certificates.dev - React Free Weekend is coming. Get unlimited access to mid-level training, incl. coding challenges + trial exam for 48H.
- π¦ Fate 1.0 - The first full Async React Metaframework - Fate is a Relay-inspired framework (not based on GraphQL) supporting view composition, normalized caching, data masking, Async React features, live views through Server-Sent Events, Drizzle, garbage collection, and more.
- π¦ TanStack Router releases - Deferred hydration capabilities, route matching priority - Deferred Hydration (experimental, docs) could help improve your page's perceived performance by making it interactive sooner. They also recently introduced CSS inlining and a CSRF middleware.
- π¦ TanStack AI releases - `useChat()` supports streaming structured output
- π¦ React Redux 9.3 - `connect` API deprecated, Trusted Publishing fixed - The old HOC API is not removed, but it's recommended to migrate to `useSelector`/`useDispatch`
- π¦ Redux Toolkit 2.12 - TypeScript Improvements, Skills
- π¦ Base UI 1.5 - Major mount perf improvements for popovers/dialogs/tooltips/menus
- π¦ React Hook Form 7.76 - Improved `isDirty` and `useFieldArray`
- π¦ Relay 21.0 - First-party TypeScript support, experimental RSC support, improved error handling
- π¦ Storybook 10.4 - TanStack React, React Native isolation, agentic setup, review filters
- π¦ React Doctor 0.2 - Your agent writes bad React. This catches it.
- π¦ React Router 7.15.1 - New `unstable_useRouterState` consolidation API
- π₯ Nuno Maduro - Why React Developers Are Leaving Next.js for TanStack, with Tanner Linsley
- π₯ Fireship - A single PR just hijacked the NPM registry...
- ποΈ Syntax.fm 1005 - Programmatic and Skill-based Video Creation with Remotion

πΈ Sponsor
Tomorrow Only: Next.js Debugging Workshop
Most Next.js bugs don't fail loudly. They fail in a webhook handler at 3am, in a server component nobody touched, in an auth flow that worked yesterday. Sentry's hands-on workshop shows you how to catch them with high-context logs and distributed tracing.
Last chance to save your spot. Register today.

π± React-Native
- πΈ PostHog - The 7 best session replay tools for mobile apps
- π Unlocking Expo Updates in an Isolated Brownfield Architecture with SDK 55 - Running Expo Updates in Isolated Brownfield was always a challenge. Thanks to recent updates, it is a thing of the past.
- π Changes to project loading behavior in Expo Go - Breaking change for EAS Update users: Expo Go now enforces ownership checks. Self-hosted updates can no longer serve Hermes bytecode bundles.
- π WTF does `.box()` do in Nitro Modules? - It converts `NativeState`-backed objects into `HostObject`s so they can cross worklet runtime boundaries.
- π Build fast, no matter what: how Expo is optimizing for speed (and how you can, too) - Deep dive into Expo's build speed optimizations: hardware scaling, Gradle caching, prebuilt binaries, and fingerprint-based workflows that avoid full rebuilds for JS-only changes.
- π Using TurboModule Substitution to Build Safer React Native Plugin Systems - Explains how React Native Sandbox 0.6 offers granular sandboxing capabilities.
- π¦ Hermes Node - Node.js built-in module compatibility layer for the Hermes JS engine - The creator of Hermes published an AI-driven prototype of a new JS/TS runtime built on Hermes, compatible with Node.js. It won't outperform Node.js/V8 today, but Static Hermes could make it way faster in the future.
- π¦ Skia Lab - Beautiful react-native-skia demo - A collection of painting, physics, shaders, and gesture interactions demos.
- π¦ ViroReact 2.55 - Ship as a native VR experience on Meta Quest
- π¦ Harness 1.2 - iOS code coverage, permission automation, external xctest commands
- π¦ Expo Speech Recognition 56 - Expo SDK 56 support
- π¦ TypeGPU Confetti 0.3 - Rewritten to use TypeGPU
- π¦ Nitro Fetch 1.3 - Removed box/unbox, fixed binary responses, performance improvements
- π¦ Agent Device 0.15 - Faster boot and test replay, iOS replay speedup, MCP discovery-only
- π¦ View Shot 5.1 - iOS 17 compatibility, Windows support + example, Android ScrollView fix
- π¦ Rozenite DevTools 1.10 - Network, Performance, Vite plugin improvements
- π₯ William Candillon - Debriefing Redraw & TypeGPU
- π₯ Beto - Everything new in Expo SDK 56
- π₯ React Native Live Ep 11 - Building High-Performance UI with React Native Skia / William Candillon
- ποΈ RNR 353 - Building React Native Apps in the AI Era

π Other
- π Explicit Resource Management reached TC39 stage 4 - A TC39 meeting is in progress, and many proposals have progressed. The most "user-facing" one, `using`, is going to be part of the standard and simplify your resource cleanup logic. I take the opportunity to show you how to leverage it immediately in Vitest/Jest tests.
- π npm RFC - Make install scripts opt-in - It's great to see npm finally looking to catch up on security! They'd like to introduce an `allowScripts` map in `package.json` to help mitigate the recent supply chain attacks.
- π Bun PR - Rewrite Bun in Rust - The bold, AI-driven PR landed in just one week, making Bun's migration from Zig to Rust official. π€―
- π Declarative partial updates - New exciting APIs may come to the web platform: out-of-order streaming, and new HTML insertion methods supporting streaming. Already available in Chrome 148 behind an experimental flag.
- π QUIC and HTTP/3 Come To Node.js (finally) - A 5-part deep dive on the experimental `node:quic` API.
- π¦ pnpm 11.12 - Experimental Rust install engine - pnpm is also migrating to Rust, with an incremental strategy. This release introduces an opt-in for the new Rust engine to power the install phase.
- π¦ Yarn 4.15 - Add `npmMinimalAgeGate: 1d` release cooldown by default - Another package manager adopts better security defaults. BTW, Yarn is also being rewritten in Rust.
- π¦ Node 26.2 - `stream.compose` stable, `fs.stat()` returns `Temporal.Instant`
- π¦ Webpack 5.107 - Experimental HTML modules, experimental native TS support

π€ Fun
See ya! π