​🌐 Read Online ​

Hi everyone! Filip and Krzysztof from Software Mansion here! 👋

It’s been another challenging week for the React ecosystem. Developers worldwide have been rushing to update their React versions to patch two new vulnerabilities. This serves as a good reminder for all of us to prioritize security during testing.

Fortunately, React Native remains mostly unaffected by these threats, as Server Components aren’t yet widely used in the mobile environment.

We are taking a well-deserved Christmas break 🎄 so this will be our last issue until January 14th.
Merry Christmas and a Happy New Year to everyone! Thank you for reading our newsletter throughout the year. See you in 2026! 👋

💸 Sponsor

​Internationalizing your Next.js app in 2026​

Next.js 16 just landed — and with the new year around the corner, it’s the perfect time to take the pain out of your i18n setup and turn it into your competitive advantage. In learn.next-intl.dev, you’ll learn all the practical patterns you can apply immediately:

• 🌍 I18n ≠ translations: Understand the pieces that make a truly localized experience
• 🏗️ Architecture that scales: Routing, locales, time zones & currencies done right
• ⚙️ The full picture: Backend, CMS, SEO, dev tooling, AI translations & more

Enjoy 30% off for the holidays!

⚛️ React

​Denial of Service and Source Code Exposure in React Server Components​

Another week, another set of React vulnerabilities - it’s a tough time for the React ecosystem. While these issues are less severe than the last one (allowing Remote Code Execution), they are still serious, and it’s recommended to upgrade React 19 again. Both are related to RSC and Server Actions.

The first (CVE-2025-55184) is a denial-of-service flaw. Attackers can crash your server by sending a payload with a cyclical reference in the React Flight Protocol. This causes React to loop indefinitely until the server times out. The second vulnerability (CVE-2025-55183) involves code exposure due to a lack of user input validation. Under certain conditions, this can lead to the source code of your implementation being leaked.

The maintainers reacted quite fast, and we have received several patch releases: React 19.2.3, Next.js 16.0.10, Vercel/SWR 2.3.8​

More resources about the recent React vulnerabilities here:

• 📜 Next.js Security Update - The necessary steps to secure your Next.js app against all the recent vulnerabilities.
• 🎥 Ankita Kulkarni - 2 More React Security Issues​
• 🎥 Shruti Kapoor - React RCE Attack Explained - Critical Vulnerability CVSS 10.0​
• 🎥 Theo - The latest React vulnerabilities explained​
• 🎥 Wes Bos - I’m gonna crash out (react2shell vulnerability)​
• 🎙️ PodRocket - React got hacked with David Mytton​

​React Server Components Explorer​

If recent security headlines had a silver lining, it’s the renewed interest in how React Server Components actually work under the hood. And Dan Abramov showed up just in time with RSC Explorer, an interactive tool to help you visualize the wire format and master the mental model.

​Base UI​

Where components are rendered is not the only thing that should receive attention this week, as Base UI 1.0 is now stable, marking the official release of the unstyled primitives developed by the original creators of Radix UI, Floating UI and MUI. It’s a significant addition to the "headless" ecosystem, offering a refined alternative to Radix UI or React Aria. All the shadcn/ui components have already been rebuilt to support Base UI (tweet).

• 💸 Next.js 16 Route Handlers Explained: 3 Advanced Use Cases​
• 🔐 Storybook Security Advisory - CVE-2025-68429: Another security issue 😅 This time .env variables can inadvertently be exposed when publishing your Storybook v7+ to the web.
• 📖 Brand new React Aria documentation with interactive examples.
• 📜 Intro to performance of React Server Components - A deep and fair analysis of how RSC can improve page load time by shifting data fetching and rendering to the server, while also not keeping silent about the architectural trade-offs.
• 📜 How AI Coding Agents Hid a Timebomb in Our App - Fun story where an infinite recursion bug was not immediately visible because it happened in the background due to leveraging the new component.
• 📜 React Compiler’s Silent Failures (And How to Fix Them) - When the Compiler can’t compile a component, it fails silently. The author discovered a secret ESLint rule react-hooks/todo that permits to fail-fast on patterns the Compiler doesn’t support yet.
• 📜 Driving 3D scenes in Blender with React - A custom React reconcilier translates React operations into Python commands to communicate with the Blender API.
• 💸 React Certification – Junior, Mid, and Senior level certification. Exam only or full prep bundle with trial exam & labs. Choose your path.​
• 📦 shadcn 3.6 - npx shadcn create - With this new CLI, you can now create your own customized shadcn component library, using either Radix UI or Base UI. Theo also released a video about this if you want to learn more about what has changed.
• 📦 TanStack Start 1.141 - Vue Start: After React and Solid, TanStack Start adds support for Vue. TanStack Start really is a… framework-agnostic meta-framework? 🤪
• 📦 React Router 7.11 - vite preview support, stabilize onError API, new unstable_defaultShouldRevalidate opt-out API​
• 📦 Format.JS for React - Multiple releases, breaking changes and a conversion to ESM​
• 📦 Recharts 3.6 - New BarStack component, support for ranged stacked BarChart​
• 📦 React Grid Layout 2.1 - Support for large-scale layouts and custom constraints - you can test it in the interactive docs’ showcase.
• 📦 Slot JSX - Custom JSX pragma for powering asChild or render function prop patterns​
• 🎙️ PodRocket - TanStack, TanStack Start, and what’s coming next with Tanner Linsley​

💸 Sponsor

​When your app become a floating window - RN in VR​

VR pushes React Native developers to think more like adaptive-layout designers. Instead of working with fixed viewports and predictable screen sizes, you’re designing for flexible windows that users can move, resize, and interact with in new ways. In this article, Jan Jaworski from Callstack breaks down how to bring mobile experience patterns into VR safely: where they map well and where you’ll need to rethink typography, spacing, accessibility, and interaction models.

If you want to build for Meta Quest with confidence, explore this step-by-step React Native VR series:

• Get Started With Expo on Meta Quest
• Use Expo Libraries on Horizon OS: A Guide to Compatibility
• How to Release a React Native App on the Meta Horizon Store

…and more.

​

📱 React-Native

​State of React Native​

The State of React Native survey is back and ready to accept your responses!
It has been slimmed down to avoid overlap the State of React survey, focusing more on the React Native side of things. Please answer and help the core maintainers and library authors understand what they should focus on next year! 🙏

• 💸 PostHog - Track errors and resolve issues with error tracking for React Native. Get your first 100k exceptions free every month.​
• 👀 React-Navigation 8.0 docs PR: We heard v8 alpha is dropping very soon! It should come with better TypeScript types, native Bottom Tabs by default, access to the params of parent screens, a new pushParams() API, and more.
• 👀 React Native RFC - iOS Migration to SceneDelegate - A plan to adopt iOS UIScene lifecycle APIs instead of using AppDelegate.
• 🐦 Sneak peek of Live Activities and Widgets in Expo UI, coming with SDK 55​
• 📜 Official Hermes team blog - The Hermes team decided to collect articles about Hermes published on X over the last few years into a structured GitHub repository. There, you can find interesting insights into Hermes internals and JSI. The most recent one is Tzvetan Mikov explaining how JSI extensions make it easier to contribute to the Hermes engine.
• 📜 How to implement iOS widgets in Expo apps - A case study on using Swift UI Widgets with Expo, and how they can benefit your project by providing subtle, low-friction content for the user. This perfectly aligns with the latest signals from Expo that they are working on implementing Widgets for Expo UI components to make it even easier.
• 📜 Debug Like a Senior - React Native Performance Panel - JS performance profiling in React Native used to be painful, but the new Performance Panel in React DevTools finally fills the DX gap. This article describes the panel's features and reveals some hidden gems you probably weren't aware of.
• 📜 You can use the latest React Native DevTools without upgrading - While it's more of a workaround than a formal solution, you can still use the new Performance profiler even if your project is stuck on an older version of React Native.
• 📜 Expo now supports Maestro Cloud testing in your CI workflow - This is interesting, as Maestro is becoming an increasingly reliable testing solution in the mobile application world.
• 📜 Why You Don’t Have to Minify JavaScript Code in React Native Apps - Thanks to Hermes.
• 📜 AI-powered code reviews for your Expo projects with CodeRabbit​
• 📦 Screens 4.19 - Support for iOS bottomAccessory in native tabs, enhanced bottom tab bar customization on Android​
• 📦 Radon IDE 1.14 - React Native 0.83 support, Radon AI, and Network Inspector improvements​
• 📦 True Sheet 3.4 - Custom dim view with smooth interpolation​
• 📦 Pager View 8.0 - Full rewrite in Swift UI​
• 📦 Zoom Grid - Zoomable grid component built on top of Shopify FlashList​
• 📦 Nitro MLX 0.1 - Run LLMs on-device in React Native using MLX Swift​
• 📦 Nitro Markdown - High-performance parser using Nitro and md4c (C++)​
• 🎥 Software Mansion - A Deep Dive into Shared Element Transitions (Reanimated 4.2)​
• 🎥 Code with Beto - What’s new in React Native 0.83, React 19.2, new DevTools features​
• 🎥 Expo - How to add native iOS Widgets to your Expo app (SwiftUI + Expo Apple Targets)​
• 🎙️ Rocket Ship 87 - React Native 0.83, Security Vulnerability, Faster Builds, Expo Router Sneak​
• 🎙️ RNR 349 - How 2025 changed the React Native job market​

🇫🇷 En français

• 💸 Shotgun recrute en CDI remote/hybrid un dev fullstack senior React / React Native​
• 📜 Prendre en compte les Web Components dans vos scripts​
• 🎥 Naleo - Il m’a suffi d’un JSON pour construire une UI en React​
• 🎥 Melvynx - shadcn/ui change tout : Base UI / Theme / presets ​

🔀 Other

• 👀 CSS scroll-triggered animations - a new version of Chrome will arrive in 2026 with scroll-triggered animations definable by CSS.
• 📊 State of HTML 2025 - Survey results​
• 📜 Why are my view transitions blinking? - A deep dive into the view-transition-name CSS property.
• 📜 Symbol.iterator Is Pretty Neat, Actually - An interesting use case where getting control over the spread operator improves DX.
• 📦 Safari 26.2 - commandfor, Navigation API, Map Upsert, auto-expanding textareas, scrollbar-color, and more - A massive release, also unlocking cool APIs like the Navigation API that is now supported across all browsers!
• 📦 Node 24.12 - Type stripping is now stable: TypeScript support is officially stable in Node LTS!

🤭 Fun

See ya! 👋