React gets a security update for RSC-supporting apps

Plus Vite 8 beta, the State of TanStack, and a Franco-German React app collaboration. |

#​454 — December 3, 2025 Read on the Web Together with   React Status ⚠️ A Critical Security Vulnerability in React Server Components — Breaking news from the React team for anyone whose app supports RSCs, even if it's not using them. v19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are susceptible to a remote code execution vulnerability and you need to upgrade. However, "if your app's React code does not use a server, your app is not affected by this vulnerability." The React Team 💡 React 19.0.1, 19.1.2 and 19.2.1 have just been released as part of this. Ship High-Performance React Apps — Join Steve Kinney for this detailed video course on React performance. You'll cover hydration, suspense, resource loading, server actions and more, coming away with the know-how to build apps that look and feel fast. Frontend Masters sponsor Vite 8 Beta: The Rolldown-Powered Vite — The first beta of Vite 8, powered by Rolldown, is now available promising significantly faster production builds and a better platform for extending Vite into the future. VoidZero Inc. React Router's Take on React Server Components — "Did you know React Router is adding React Server Components support? It's still experimental, but it's very close to landing, and I think React Router's take on RSC is really great. Here's what you need to know." Kent C. Dodds 📄 The State of TanStack, Two Years of Full-Time OSS – Telling the story of building one of the most successful families of open source libraries in our community right now. Tanner Linsley 📺 It's Not New: How 'The New Architecture' Unlocks React Native's Future – It's no longer new, it's the way, a React Native core team member explains. Cipolleschi and Chludziński 📄 Taking Down Next.js Servers for 0.0001 Cents a Pop – Explains an attack that has since been patched; upgrading to Next.js 15.5.5 or 16+ addresses the issue. Alex Browne 📄 Next.js 16: What's New for Authentication and Authorization Will Johnson (Auth0) 📄 Designing Design Systems Dominik Dorfmeister 🛠  Code, Tools & Libraries 🔒 Better Auth: A Comprehensive Authentication Framework — An authentication and authorization framework that provides email and password-based auth, OAuth and social sign-in, account and session management, 2FA, and more. v1.4 was just released with stateless/database-free session management support. Better Auth react-native-quick-crypto 1.0: Node's crypto But for React Native — A fast implementation of Node's Crypto module written in C/C++ JSI for fast cryptography functions in React Native apps. Margelo GmbH Tuple - The Fastest Way to Review AI Slop — Wasting hours debugging AI code? Tuple brings your team together to figure it out, clean it up, and ship. Tuple sponsor 📸 React Web Camera: A Component for Capturing Multiple Photos Directly from the Browser — Improves on the experience of similar solutions by allowing multiple captures without the need to reopen the camera. You can integrate it seamlessly with your app via custom styling. There is, of course, a demo. shivantra Docs: A React-Powered Collaborative Writing Environment — Built by a collaboration between the French and German governments, Docs is a full-featured collaborative note-taking, wiki, and documentation app built on top of React, Django, and BlockNote. – GitHub repo. The Government of France 🗓️ FullCalendar: A Full Sized JavaScript Calendar Control — Get a Google Calendar-style experience in your own apps. Has connectors for React, Vue and Angular, but can be used with plain JavaScript too. The base version is MIT licensed, but there's a commercial version too with extra features. Adam Shaw Custom React Directives (a.k.a. use nemo) — Custom directives are increasingly popping up all over the place, so why not join the party and create your own? 😅 Adem Kouki 📊 React Spectrum Charts v1.22.0 – Adobe's declarative charting library for composing accessible, Spectrum-styled data visualizations. React Markdown Editor v4.0.10 – Simple Markdown editor component with preview and syntax highlighting support. (Demos.) markdown-to-jsx v9.3.0 – Customizable toolchain for converting Markdown to JSX. React Uploady 1.13 – Components and hooks for file uploading. Berry v51.0 – Material UI admin dashboard template for React. Reactylon 3.5 – Babylon.js-powered XR framework for React. React Three Fiber 9.4.2 – React renderer for Three.js. Prettier 3.7 – The popular opinionated code formatter. Preact 10.28.0 – The fast, tiny alternative to React. 📢  Elsewhere in the ecosystem Some other interesting stories in the broader landscape: Anthropic, best known for its line of Claude large language models, has acquired the company behind Bun, the server-side JavaScript runtime. Jarred Sumner, the creator of Bun, tells the story really well, and stresses that Bun remains as open as ever. The Electron project has entered a 'quiet month' to give the maintainers a rest before getting back to full steam in January. They also use the post to review what happened with Electron in 2025. Node 24 LTS is now available for builds and functions on Vercel. DepX's badge generator gives you a graphical badge you can include in your README or on your project site to show how many (or how few!) dependencies your npm package has.

Curated by Peter Cooper and Terence C. Gannon. A Cooperpress publication. Change your email address or Stop getting this newsletter © Cooper Press Ltd · Fairfield Enterprise Centre, Louth, LN11 0LS, United Kingdom