<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Devam Chaudhari</title>
    <description>The latest articles on DEV Community by Devam Chaudhari (@chaudharidevam).</description>
    <link>https://dev.to/chaudharidevam</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F715412%2Fd3a15f78-d0f5-412f-97aa-06565f31298d.jpeg</url>
      <title>DEV Community: Devam Chaudhari</title>
      <link>https://dev.to/chaudharidevam</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/chaudharidevam"/>
    <language>en</language>
    <item>
      <title>Why We Pair Next.js with Umbraco 17 ?</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Wed, 08 Jul 2026 07:49:11 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/why-we-pair-nextjs-with-umbraco-17--842</link>
      <guid>https://dev.to/chaudharidevam/why-we-pair-nextjs-with-umbraco-17--842</guid>
      <description>&lt;p&gt;When building a content-driven website, there are two goals that are often in tension: give visitors a fast, modern, SEO-friendly site, and give the content team a CMS they can actually use without calling a developer every time a page needs to change.&lt;/p&gt;

&lt;p&gt;Our answer is to split the problem in two and let each half of the stack do what it's best at:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Umbraco 17&lt;/strong&gt;, running on &lt;strong&gt;.NET 10&lt;/strong&gt;, as the content backend&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Next.js 16&lt;/strong&gt; with &lt;strong&gt;React 19&lt;/strong&gt;, running on the App Router, as the presentation layer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here's why we made that call, and how it plays out in practice.&lt;/p&gt;

&lt;h2&gt;
  
  
  Two apps, one clean contract
&lt;/h2&gt;

&lt;p&gt;Rather than bolting a headless CMS onto an existing site, we build the two halves as genuinely independent applications that only talk to each other over HTTP:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The Umbraco installation is the backoffice, the content types, the media library, the database. This is where content editors log in, build pages out of reusable blocks, and manage content like blog posts.&lt;/li&gt;
&lt;li&gt;The Next.js app is a standalone frontend. It never touches the Umbraco database directly, every piece of content it renders comes from an HTTP call.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That separation is the whole point of a "headless" CMS: the people managing content and the people managing the website's code can move independently. CMS upgrades don't require a frontend deploy, and frontend releases don't require touching the CMS.&lt;/p&gt;

&lt;h2&gt;
  
  
  The content pipeline: Umbraco's Delivery API
&lt;/h2&gt;

&lt;p&gt;Umbraco 17 ships with a Content Delivery API a built-in, versioned JSON API that exposes published content without any custom plumbing. We lean on it heavily rather than building a bespoke API from scratch, which saves real development time.&lt;/p&gt;

&lt;p&gt;A page fetch from Next.js looks like this in practice:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;GET /umbraco/delivery/api/v2/content/item/home?expand=properties[$all[properties[$all[properties[$all]]]]]
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That &lt;code&gt;expand&lt;/code&gt; parameter is doing a lot of work: pages are built by editors dragging and dropping content blocks (hero sections, feature grids, image-and-text panels, calls to action) using Umbraco's Block Grid editor, and those blocks can be nested. The expansion query lets us pull an entire page blocks inside blocks inside blocks in a single round trip instead of chasing references with follow-up requests.&lt;/p&gt;

&lt;p&gt;On the Next.js side, a small typed fetch helper wraps every one of these calls, attaches an API key, and lets Next's own data cache handle short-lived revalidation. There's no GraphQL client, no heavyweight SDK just &lt;code&gt;fetch()&lt;/code&gt;, TypeScript types that mirror the Umbraco content model, and a short cache window so published changes show up almost immediately without hammering the CMS on every request.&lt;/p&gt;

&lt;h2&gt;
  
  
  Rendering: server-rendered, block by block
&lt;/h2&gt;

&lt;p&gt;Generic content pages funnel through a single catch-all route that renders server-side on each request. Instead of one big template, rendering is driven by content type: a dispatcher component looks at what kind of block came back from Umbraco a feature section, an image gallery, a testimonial, a two-column layout and hands it off to the matching React component.&lt;/p&gt;

&lt;p&gt;The effect is that adding a new content block is mostly a two-sided change: define the element type in Umbraco, add a matching case in the renderer. Editors get a new building block to compose pages with; developers don't have to build new pages from scratch every time a new layout is needed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Beyond the CMS defaults
&lt;/h2&gt;

&lt;p&gt;The Delivery API covers page content well, but a few features need more than "fetch a page and render it":&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Filtering and search.&lt;/strong&gt; Category pages, tag pages, and "previous/next" navigation are backed by custom API endpoints that walk the content tree directly, and free-text search runs on Umbraco's built-in Lucene-based indexer rather than an external search service. That avoids standing up and paying for a separate search product just to let visitors search content.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Forms.&lt;/strong&gt; Submissions are validated in the browser, sent through a Next.js API route, and stored by a small custom endpoint on the Umbraco side with a lightweight dashboard added to the Umbraco backoffice so the team can review submissions without leaving the CMS they already use every day.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Media handling.&lt;/strong&gt; Images uploaded into Umbraco's media library are served through Next.js's image optimizer, so editors don't need to think about responsive image sizes or formats that's handled automatically on the way out.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What this stack gets you
&lt;/h2&gt;

&lt;p&gt;Putting it together, the architecture gives:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Speed&lt;/strong&gt;, from server rendering and Next.js's image and asset optimization&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SEO control that lives with content&lt;/strong&gt;, since page titles, descriptions, and indexing rules are authored directly in Umbraco and flow straight into page metadata no separate SEO tooling to keep in sync&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A content team that isn't blocked by developers&lt;/strong&gt;, because new pages are built from existing blocks rather than new code&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A frontend that isn't blocked by the CMS release cycle&lt;/strong&gt;, because the two halves deploy independently&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Trade-offs worth naming
&lt;/h2&gt;

&lt;p&gt;Being candid, this approach isn't free. Running on Umbraco 17 and Next.js 16 means running close to the front of both ecosystems fewer battle-tested examples to lean on, but a stack that stays current for years rather than needing a rewrite in one. And a headless setup means CMS preview/draft workflows, sitemaps, and secrets/hosting management all need to be built or configured deliberately they don't come for free just because the CMS has them out of the box in a traditional, non-headless setup.&lt;/p&gt;

&lt;p&gt;For a site with a real content operation behind it, splitting "where content lives" from "how it's presented" is worth the extra moving part. It lets each side of the team content and engineering work at their own pace, without waiting on each other.&lt;/p&gt;

</description>
      <category>umbraco</category>
      <category>nextjs</category>
      <category>react</category>
      <category>webdev</category>
    </item>
    <item>
      <title>MCP vs API: Why Traditional APIs Are Failing AI Agents</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Sat, 04 Jul 2026 04:15:29 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/mcp-vs-api-why-traditional-apis-are-failing-ai-agents-28m8</link>
      <guid>https://dev.to/chaudharidevam/mcp-vs-api-why-traditional-apis-are-failing-ai-agents-28m8</guid>
      <description>&lt;p&gt;As a frontend and full-stack developer who has spent the last four years building modern web applications, I’ve wired up more REST and GraphQL endpoints than I care to count. I know how to optimize a payload, handle state, and read a Swagger doc.&lt;/p&gt;

&lt;p&gt;But over the last year, as the industry shifted from building deterministic web apps to deploying autonomous AI agents, I noticed a frustrating trend: &lt;strong&gt;Our battle-tested APIs are making our AI agents slow, expensive, and surprisingly brittle.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We’ve been treating LLMs like human frontend developers who just need an API endpoint to fetch data. That is a fundamental architecture mistake.&lt;/p&gt;

&lt;p&gt;Enter the &lt;strong&gt;Model Context Protocol (MCP)&lt;/strong&gt;—an open standard originally introduced by Anthropic and now backed by the Linux Foundation. If you are still building AI features by manually wrapping traditional REST endpoints in custom glue code, you are accumulating technical debt. Here is why traditional APIs are failing AI agents, and why MCP is the universal adapter we actually need.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Root Problem: The $N \times M$ Integration Nightmare
&lt;/h2&gt;

&lt;p&gt;When building traditional apps, if you want your frontend or backend to talk to GitHub, Slack, and Jira, you write three distinct integration layers. You map their custom JSON payloads, handle their specific authentication, and hardcode the execution paths.&lt;/p&gt;

&lt;p&gt;This works because human-written code is deterministic.&lt;/p&gt;

&lt;p&gt;But AI agents operate on reasoning and intent. If you have 5 different LLM frameworks (LangChain, LlamaIndex, or custom agent setups) and you want them to interact with 5 different enterprise tools, you are suddenly stuck writing and maintaining $5 \times 5 = 25$ custom connectors.&lt;/p&gt;

&lt;p&gt;This is the classic &lt;strong&gt;$N \times M$ integration problem&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;MCP collapses this into an &lt;strong&gt;$N + M$&lt;/strong&gt; architecture. Every tool implements &lt;em&gt;one&lt;/em&gt; MCP server. Every AI agent framework implements &lt;em&gt;one&lt;/em&gt; MCP client. The protocol acts as a universal adapter—the USB-C port for LLMs.&lt;/p&gt;




&lt;h2&gt;
  
  
  3 Reasons Traditional APIs Fail AI Agents
&lt;/h2&gt;

&lt;p&gt;To understand why we need a new protocol, we have to look at where traditional REST/GraphQL APIs fall short when an LLM is the one consuming them.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. APIs are Static; Agents Require Runtime Discovery
&lt;/h3&gt;

&lt;p&gt;When we write code against a REST API, we hardcode the endpoint: &lt;code&gt;GET /api/v1/users/{id}&lt;/code&gt;. The application cannot deviate from this path.&lt;/p&gt;

&lt;p&gt;An AI agent, however, needs to look at a situation, evaluate its options, and decide &lt;em&gt;at runtime&lt;/em&gt; what tool to use.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;The REST Way:&lt;/strong&gt; You have to feed the entire API schema into the LLM's system prompt so it knows what endpoints exist. If you add a new endpoint or update a parameter, you must update the prompt or code and re-deploy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The MCP Way:&lt;/strong&gt; MCP features dynamic discovery. When an MCP client connects to an MCP server, it issues a &lt;code&gt;tools/list&lt;/code&gt; request. The server replies with a machine-readable list of available capabilities, natural-language descriptions, and structural constraints. The agent discovers what it can do &lt;em&gt;on the fly&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. The "Token Tax" and Context Bloat
&lt;/h3&gt;

&lt;p&gt;In the frontend world, over-fetching is a minor performance nuisance. If a JSON payload returns 50 fields when you only need 2, your JavaScript objects handle it in microseconds.&lt;/p&gt;

&lt;p&gt;In the AI world, &lt;strong&gt;tokens are literal currency&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;If you pass a massive, bloated enterprise REST response directly to an LLM, you are wasting money, increasing latency, and worse—causing &lt;strong&gt;context rot&lt;/strong&gt;. LLMs lose focus when drowned in irrelevant metadata. They miss critical data buried deep within deeply nested JSON objects.&lt;/p&gt;

&lt;p&gt;Traditional APIs are designed for human developers who want comprehensive payloads. MCP servers are designed specifically to return data optimized for LLM context windows, separating &lt;em&gt;executable tools&lt;/em&gt;, &lt;em&gt;readable resources&lt;/em&gt;, and &lt;em&gt;prompt templates&lt;/em&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Stateless vs. Stateful Architecture
&lt;/h3&gt;

&lt;p&gt;REST APIs are deliberately stateless. Each request is an isolated event.&lt;/p&gt;

&lt;p&gt;AI agents do not operate in a vacuum; they work via a continuous loop of thought, action, observation, and refinement.&lt;/p&gt;

&lt;p&gt;MCP runs over a stateful JSON-RPC 2.0 session (typically via &lt;code&gt;stdio&lt;/code&gt; for local tools or WebSockets/SSE for remote services). This allows the MCP server and the agent to engage in a stateful negotiation, allowing context to persist and influence subsequent actions without re-sending massive payloads back and forth across the wire.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Architecture of MCP
&lt;/h2&gt;

&lt;p&gt;MCP defines a clean separation of concerns across three core primitives:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Tools:&lt;/strong&gt; Executable actions the model can take (e.g., "Run this git commit," "Execute this SQL query").&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Resources:&lt;/strong&gt; Read-only data sources that provide raw context to the model (e.g., log files, local markdown docs, API responses).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Prompts:&lt;/strong&gt; Reusable templates that help guide the model's reasoning workflow.
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;+-------------------------------------------------------------+
|                         Host App                            |
|  (e.g., Cursor, Claude Desktop, Custom Agent Framework)     |
|                                                             |
|       +---------------------------------------------+       |
|       |                 MCP Client                  |       |
|       +---------------------------------------------+       |
+------------------------------|------------------------------+
                               |
                        JSON-RPC 2.0 
                  (stdio / WebSockets / SSE)
                               |
+------------------------------v------------------------------+
|                         MCP Server                          |
|  (Exposes: Tools, Resources, and Prompt Templates)          |
|                                                             |
|   Under the hood: Translates to Postgres, GitHub API, etc.  |
+-------------------------------------------------------------+

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An important clarification: &lt;strong&gt;MCP does not replace your database or backend APIs.&lt;/strong&gt; Your MCP server will still call your internal REST APIs or databases under the hood. What MCP replaces is the &lt;em&gt;brittle, custom glue code&lt;/em&gt; we've been writing to expose those services to an LLM.&lt;/p&gt;




&lt;h2&gt;
  
  
  Moving Forward: Stop Wrapping, Start Structuring
&lt;/h2&gt;

&lt;p&gt;If you're still writing custom JavaScript or Python functions to stringify JSON payloads and forcing them into a &lt;code&gt;tools&lt;/code&gt; array inside your LLM API calls, you are building debt that you'll have to pay off later.&lt;/p&gt;

&lt;p&gt;The industry is rapidly consolidating around MCP. Major IDEs, orchestration frameworks, and AI providers have adopted it as the standard.&lt;/p&gt;

&lt;p&gt;As developers, our job isn't just to make things work; it's to build architectures that scale. Traditional APIs were built for deterministic, human-written software. MCP was built for the probabilistic, agentic future. It's time to update our stack.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;What are your thoughts?&lt;/strong&gt; Have you migrated any internal tooling to MCP yet, or are you still sticking with traditional custom function calling? Let’s discuss in the comments below!&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
      <category>mcp</category>
    </item>
    <item>
      <title>The Vulnerability: CVE-2026-2441</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Sun, 22 Feb 2026 15:31:42 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/the-vulnerability-cve-2026-2441-2hj1</link>
      <guid>https://dev.to/chaudharidevam/the-vulnerability-cve-2026-2441-2hj1</guid>
      <description>&lt;p&gt;CVE-2026-2441 is a Use-After-Free (UAF) vulnerability found within the Google Chrome "Blink" rendering engine. Specifically, it resides in how the browser handles CSS font feature values.&lt;/p&gt;

&lt;p&gt;In memory-managed environments like a browser engine, "Use-After-Free" occurs when a program continues to use a pointer after the memory it points to has been released (freed). This is a classic memory corruption bug that can lead to arbitrary code execution.&lt;/p&gt;




&lt;h3&gt;
  
  
  What Causes the Issue?
&lt;/h3&gt;

&lt;p&gt;The root of the problem lies in the manual memory management of C++, the language used to build the Blink engine.&lt;/p&gt;

&lt;p&gt;1) &lt;strong&gt;Memory Allocation:&lt;/strong&gt; When a website utilizes specific font features (like @font-feature-values), the browser allocates a block of memory to store those objects.&lt;/p&gt;

&lt;p&gt;2) &lt;strong&gt;Premature Freeing:&lt;/strong&gt; Due to a bug in the logic, Chrome may release this memory while the CSS engine still thinks the data is active.&lt;/p&gt;

&lt;p&gt;3) &lt;strong&gt;The Dangling Pointer:&lt;/strong&gt; The browser retains a "dangling pointer"—a reference that points to a now-empty or reallocated memory address.&lt;/p&gt;

&lt;p&gt;4) &lt;strong&gt;Exploitation:&lt;/strong&gt; An attacker can use JavaScript to "spray" the heap, filling that recently freed memory with malicious code. When the CSS engine eventually tries to access the font feature via the dangling pointer, it inadvertently executes the attacker's code instead.&lt;/p&gt;




&lt;h3&gt;
  
  
  Insights from the Proof of Concept (PoC)
&lt;/h3&gt;

&lt;p&gt;The public PoC for this vulnerability targets the @font-feature-values CSS rule. By rapidly creating and removing stylesheets or manipulating DOM elements associated with these font features, the script triggers the memory corruption.&lt;/p&gt;

&lt;p&gt;In a successful PoC execution, the browser tab typically crashes (often showing an "Error code: 11" or "Aw, Snap!" page). While a tab crash is a simple denial-of-service, in a real-world "in-the-wild" exploit, this is used as the first step in a chain to escape the browser sandbox and gain control over the underlying operating system.&lt;/p&gt;




&lt;h3&gt;
  
  
  Why Some Browsers Are Immune
&lt;/h3&gt;

&lt;p&gt;A notable takeaway from this vulnerability is the difference in engine architecture. Firefox, for example, is largely unaffected by this specific class of CSS vulnerability because its styling engine (Stylo) is written in Rust.&lt;/p&gt;

&lt;p&gt;Unlike C++, Rust’s compiler enforces "ownership" and "borrowing" rules that prevent Use-After-Free bugs at compile-time. If a developer tries to use a pointer after the data has been freed, the code simply won't compile, effectively neutralizing this entire category of security risks&lt;/p&gt;




&lt;h3&gt;
  
  
  Developer Takeaway
&lt;/h3&gt;

&lt;p&gt;As developers, we often assume that vulnerabilities only live in our JavaScript logic or backend APIs. CVE-2026-2441 is a reminder that the platform itself—the browser—is a complex piece of software with its own attack surface.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Action Required:&lt;/strong&gt; Ensure your browser is updated to the latest version. If you are running a version of Chrome or a Chromium-based browser (like Edge or Brave) older than &lt;strong&gt;145.0.7632.275,&lt;/strong&gt; you are likely vulnerable to this exploit.&lt;/p&gt;




&lt;h3&gt;
  
  
  References:
&lt;/h3&gt;

&lt;p&gt;Vulnerability Report: CVE-2026-2441&lt;/p&gt;

&lt;p&gt;Research &amp;amp; PoC: &lt;a href="https://github.com/huseyinstif/CVE-2026-2441-PoC" rel="noopener noreferrer"&gt;huseyinstif/CVE-2026-2441-PoC&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Technical Deep Dive: &lt;a href="https://www.google.com/search?q=https://youtu.be/I7gy_aA90Jk" rel="noopener noreferrer"&gt;CSS Got Hacked! - Mehul Mohan&lt;/a&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>css</category>
    </item>
    <item>
      <title>Understanding CVE-2025-59471: Out-of-Memory DoS in Next.js</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Thu, 12 Feb 2026 10:46:47 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/understanding-cve-2025-59471-out-of-memory-dos-in-nextjs-2a95</link>
      <guid>https://dev.to/chaudharidevam/understanding-cve-2025-59471-out-of-memory-dos-in-nextjs-2a95</guid>
      <description>&lt;p&gt;If you are running Next.js in a self-hosted environment and have configured &lt;code&gt;remotePatterns&lt;/code&gt;for image optimization, a newly disclosed vulnerability (CVE-2025-59471) could put your application's availability at risk.&lt;/p&gt;

&lt;p&gt;This vulnerability allows an attacker to trigger a Denial of Service (DoS) by exhausting your server's memory.&lt;/p&gt;




&lt;h3&gt;
  
  
  The Vulnerability: Uncontrolled Resource Consumption (CWE-400)
&lt;/h3&gt;

&lt;p&gt;The Next.js Image Optimization endpoint (/_next/image) is designed to resize images from allowed external domains.&lt;/p&gt;

&lt;h4&gt;
  
  
  The Root Cause
&lt;/h4&gt;

&lt;p&gt;The vulnerability exists because the Image Optimizer loads external images entirely into memory without enforcing a maximum size limit.&lt;/p&gt;

&lt;p&gt;An attacker can exploit this by:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identifying a domain you have whitelisted in your remotePatterns.&lt;/li&gt;
&lt;li&gt;Hosting an extremely large image file on that domain (or gaining control of a path on that domain).&lt;/li&gt;
&lt;li&gt;Requesting that large image through your /_next/image endpoint.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Because the server attempts to pull the entire large file into RAM to process it, it can trigger an Out-of-Memory (OOM) condition, causing your Node.js process to crash and take your site offline.&lt;/p&gt;




&lt;p&gt;You are at risk if:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;You are self-hosting (the vulnerability does not affect Vercel's managed infrastructure).&lt;/li&gt;
&lt;li&gt;You have images.remotePatterns configured in next.config.js.&lt;/li&gt;
&lt;li&gt;You are running one of the following versions:

&lt;ul&gt;
&lt;li&gt;Next.js 10.0.0 through 15.5.9&lt;/li&gt;
&lt;li&gt;Next.js 15.6.0-canary.0 through 16.1.4&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;




&lt;h3&gt;
  
  
  How to Fix It
&lt;/h3&gt;

&lt;p&gt;The official fix involves upgrading to versions where Next.js now enforces limits on the resources consumed during optimization.&lt;/p&gt;

&lt;p&gt;1 . Update your dependencies immediately&lt;br&gt;
Update your project to the first patched versions or higher:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Next.js 15.x: Upgrade to v15.5.10&lt;/li&gt;
&lt;li&gt;Next.js 16.x (Canary/Pre-release): Upgrade to v16.1.5
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm install next@15.5.10
# or
yarn add next@15.5.10
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;2 . Audit your remotePatterns&lt;/p&gt;

&lt;p&gt;As a security best practice, ensure your remotePatterns are as specific as possible. Avoid using broad wildcards that might allow an attacker to serve large images from unexpected subdomains of a trusted provider.&lt;/p&gt;




</description>
      <category>nextjs</category>
      <category>webdev</category>
      <category>security</category>
    </item>
    <item>
      <title>Node.js January 2026 DoS Vulnerability in Async Hooks</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Thu, 15 Jan 2026 03:02:40 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/nodejs-january-2026-dos-vulnerability-in-async-hooks-nic</link>
      <guid>https://dev.to/chaudharidevam/nodejs-january-2026-dos-vulnerability-in-async-hooks-nic</guid>
      <description>&lt;p&gt;If you are running Node.js in production, it’s time to check your version numbers.&lt;/p&gt;

&lt;p&gt;Earlier today, the Node.js team released a critical security update regarding a Denial of Service (DoS) vulnerability tied to the &lt;code&gt;async_hooks&lt;/code&gt;module. If you use observability tools, tracing libraries, or &lt;code&gt;AsyncLocalStorage&lt;/code&gt;your application might be at risk.&lt;/p&gt;

&lt;p&gt;In this post, we’ll break down what happened, why &lt;code&gt;async_hooks&lt;/code&gt;is involved, and how to fix it.&lt;/p&gt;




&lt;h3&gt;
  
  
  What is async_hooks anyway?
&lt;/h3&gt;

&lt;p&gt;Before we dive into the vulnerability, let’s recap. The async_hooks API is a powerful, low-level built-in module in Node.js that allows you to track the lifetime of asynchronous resources (like promises, timeouts, or TCP wraps).&lt;/p&gt;

&lt;p&gt;It’s the engine behind many things we love:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AsyncLocalStorage: Used for keeping track of request IDs across different functions.&lt;/li&gt;
&lt;li&gt;APM Tools: New Relic, Datadog, and OpenTelemetry use it to trace requests.&lt;/li&gt;
&lt;li&gt;Logging Frameworks: To inject context into your logs.
Because it hooks into the very core of Node.js’s event loop, any inefficiency or bug here can have massive performance implications.&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  The Vulnerability: The "January 2026" DoS
&lt;/h3&gt;

&lt;p&gt;The security team identified a flaw in how Node.js manages memory and resource tracking when async_hooks are enabled.&lt;/p&gt;

&lt;h4&gt;
  
  
  The Exploit
&lt;/h4&gt;

&lt;p&gt;A malicious actor could craft specific asynchronous patterns likely involving deeply nested or recursive async calls that cause the internal resource tracking mechanism to consume an unbound amount of memory or CPU cycles.&lt;/p&gt;

&lt;p&gt;The result? An Out-of-Memory (OOM) crash or a CPU spike that makes the server unresponsive. Because this happens at the internal level, standard application-level try-catch blocks won't save you.&lt;/p&gt;

&lt;h4&gt;
  
  
  Who is affected?
&lt;/h4&gt;

&lt;p&gt;You are likely affected if:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You are using an unpatched version of Node.js (v20.x, v22.x, or v24.x).&lt;/li&gt;
&lt;li&gt;Your application (or its dependencies) uses async_hooks or AsyncLocalStorage.&lt;/li&gt;
&lt;li&gt;Your server processes untrusted user input that triggers asynchronous logic.&lt;/li&gt;
&lt;/ul&gt;




&lt;h4&gt;
  
  
  The Fix: Update Now
&lt;/h4&gt;

&lt;p&gt;The Node.js team has released patched versions for all active Long-Term Support (LTS) and Current branches.&lt;/p&gt;

&lt;p&gt;1) Identify your version&lt;br&gt;
Check your current Node.js version:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;node -v
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;2) Update to the patched versions&lt;br&gt;
Depending on your release line, you should update to at least:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Node.js v24.x -&amp;gt; Update to v24.X.X (Latest)&lt;/li&gt;
&lt;li&gt;Node.js v22.x (LTS) -&amp;gt; Update to v22.X.X&lt;/li&gt;
&lt;li&gt;Node.js v20.x (LTS) -&amp;gt; Update to v20.X.X&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;(Note: Replace the X with the specific version numbers mentioned in the official advisory)&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;3) How to update&lt;br&gt;
If you use nvm (Node Version Manager):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;nvm install 22 --reinstall-packages-from=22
nvm use 22
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you use Docker, update your base image:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# From
FROM node:22-slim
# To the latest patch
FROM node:22.14.0-slim (or similar)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;p&gt;I just finished upgrading my project, to the latest LTS version. Here is the exact workflow I used to secure the environment.&lt;/p&gt;

&lt;p&gt;If you are on Windows and using nvm-windows, follow these steps to move to the latest, most secure Long-Term Support (LTS) version.&lt;/p&gt;

&lt;p&gt;1) Update your Node Runtime&lt;br&gt;
First, we need to grab the latest LTS version (currently v24.13.0) and tell our system to use it&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Install the latest Long-Term Support version
nvm install lts

# Switch your active version to LTS
nvm use lts

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Pro Tip: You can verify you are on the right version by running node -v. You should see v24.13.0.&lt;/p&gt;

&lt;p&gt;2) Align your TypeScript Definitions&lt;br&gt;
Updating Node isn't enough if you're using TypeScript. Your @types/node package needs to match your runtime so your editor knows about the latest APIs and security features.&lt;/p&gt;

&lt;p&gt;Check your package.json. If you're on Node 24 but your types are still on ^20, you're essentially "type-blind" to the new version's features.&lt;/p&gt;

&lt;p&gt;Run this to sync them up:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm install --save-dev @types/node@^24
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;3) The Final Security Sweep&lt;br&gt;
Once your environment is updated, it's time to check your actual project dependencies. Thousands of packages are updated daily to patch vulnerabilities—npm audit is your best friend here.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you see vulnerabilities, you can attempt an automatic fix:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit fix
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Temporary Mitigation (If you can't update immediately)
&lt;/h3&gt;

&lt;p&gt;If for some reason you cannot update your Node.js runtime today, consider these steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Audit Dependencies: Check if you are using libraries like cls-hooked or older tracing agents that rely heavily on async_hooks and see if they have issued their own workarounds.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Disable Non-Essential Tracing: If you are using AsyncLocalStorage only for non-critical logging, consider disabling it temporarily in high-risk environments.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Rate Limiting: Implement aggressive rate limiting at the Reverse Proxy (Nginx/Cloudflare) level to prevent attackers from flooding your event loop with complex async requests&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;For more details, read the full official security blog post at &lt;a href="https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks" rel="noopener noreferrer"&gt;nodejs.org&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>node</category>
      <category>javascript</category>
      <category>security</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Next.js at the Speed of Bun: Why the Runtime is Your New Performance Bottleneck</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Fri, 19 Dec 2025 07:21:03 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/nextjs-at-the-speed-of-bun-why-the-runtime-is-your-new-performance-bottleneck-24a3</link>
      <guid>https://dev.to/chaudharidevam/nextjs-at-the-speed-of-bun-why-the-runtime-is-your-new-performance-bottleneck-24a3</guid>
      <description>&lt;p&gt;For years, we’ve optimized our Next.js apps at the framework level—we’ve moved to Turbopack, adopted React Server Components (RSC), and fine-tuned our caching strategies. But there’s a fundamental layer we’ve ignored: the runtime.&lt;/p&gt;

&lt;p&gt;In a recent talk at Vercel, Lydia Hallie (Head of Propaganda at Bun) made a compelling case for why the future of Next.js isn't just about the framework—it's about the engine under the hood.&lt;/p&gt;



&lt;h2&gt;
  
  
  The Node.js Bottleneck
&lt;/h2&gt;

&lt;p&gt;Node.js was a revolution when it launched in 2009. However, it was designed for a different era of hardware (limited cores, slow storage). In 2025, our hardware is 50x faster, yet Node still pushes everything through an architecture that requires multiple layers of abstraction (V8 -&amp;gt; C++ Bindings -&amp;gt; libuv -&amp;gt; OS) just to read a file or make a network request.&lt;/p&gt;

&lt;p&gt;In modern environments like serverless functions and hot-reloading dev servers, these milliseconds of overhead add up to significant latency.&lt;/p&gt;



&lt;h2&gt;
  
  
  Enter Bun: Re-engineered for 2025
&lt;/h2&gt;

&lt;p&gt;Bun isn't just a "faster Node." It’s a runtime built from the ground up in Zig. By using Apple’s JavaScriptCore (the engine powering Safari), Bun prioritizes fast startup and low memory usage—perfect for the short-burst tasks typical of modern web development.&lt;/p&gt;

&lt;p&gt;Key advantages of running Next.js on Bun include:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Direct System Calls: Bun eliminates layers of abstraction, making file access and HTTP streaming significantly faster.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Built-in Tooling: You get a package manager (up to 17x faster than Yarn), a bundler, a transpiler, and a test runner (up to 23x faster than Jest) out of the box. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The "Batteries Included" API: Need to connect to PostgreSQL or S3? Instead of installing heavy NPM packages, Bun provides native APIs that are up to 11x faster than their Node/NPM counterparts.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;



&lt;h2&gt;
  
  
  How to Use Bun with Next.js Today
&lt;/h2&gt;

&lt;p&gt;The transition is designed to be seamless. Because Bun aims for 100% Node compatibility, you can start using it incrementally:&lt;/p&gt;

&lt;p&gt;Step 1: Swap npm install for bun install. It’s faster and changes nothing in your codebase.&lt;/p&gt;

&lt;p&gt;Step 2: Run your dev server with Bun:&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;&lt;code&gt;bun run --bun next dev&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;p&gt;The --bun flag tells Bun to use its own runtime even if the script specifies Node.&lt;/p&gt;

&lt;p&gt;Step 3: Use Bun's native APIs (like bun.sql or Bun.S3) inside your Server Components to reduce bundle size and latency.&lt;/p&gt;



&lt;h2&gt;
  
  
  Deployment: Vercel + Bun
&lt;/h2&gt;

&lt;p&gt;The most exciting news from the talk? Native Bun support is coming to Vercel. Internal tests have already shown up to a 30% drop in CPU usage just by switching the runtime. This means your apps won't just be faster; they'll be cheaper and more efficient to run.&lt;/p&gt;



&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;We’ve spent a decade optimizing our JavaScript. Now, it’s time to optimize the environment where that JavaScript lives. By combining the developer experience of Next.js with the raw speed of Bun, we’re entering a new era of web performance.&lt;/p&gt;

&lt;p&gt;Watch the full talk here: &lt;a href="https://www.youtube.com/watch?v=f--3aG0XfCw" rel="noopener noreferrer"&gt;Next.js at the speed of Bun&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>nextjs</category>
    </item>
    <item>
      <title>CRITICAL: New React Server Component Vulnerabilities - Denial of Service and Source Code Exposure</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Fri, 12 Dec 2025 03:51:08 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/critical-new-react-server-component-vulnerabilities-denial-of-service-and-source-code-exposure-1g2c</link>
      <guid>https://dev.to/chaudharidevam/critical-new-react-server-component-vulnerabilities-denial-of-service-and-source-code-exposure-1g2c</guid>
      <description>&lt;p&gt;Heads up, React developers! The React team just announced two new vulnerabilities in React Server Components that could lead to a denial of service or expose your source code. If you are using React Server Components in production, you should patch your application immediately.&lt;/p&gt;

&lt;p&gt;This article covers the general React vulnerabilities and the specific impact on Next.js.&lt;/p&gt;

&lt;p&gt;Here’s a breakdown of what you need to know.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Vulnerabilities (React)
&lt;/h2&gt;

&lt;p&gt;The two vulnerabilities are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Denial of Service (DoS)&lt;/strong&gt; - High Severity (CVSS 7.5, CVE-2025-55184)&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Source Code Exposure&lt;/strong&gt; - Medium Severity (CVSS 5.3, CVE-2025-55183)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Denial of Service (DoS)
&lt;/h3&gt;

&lt;p&gt;A specially crafted HTTP request can trigger an infinite loop on your server. This will cause the server to become unresponsive, leading to a denial of service for your users. This is a high-severity vulnerability, and you should address it immediately.&lt;/p&gt;

&lt;h3&gt;
  
  
  Source Code Exposure
&lt;/h3&gt;

&lt;p&gt;This vulnerability allows a malicious actor to potentially access the source code of your Server Functions. By sending a specially crafted HTTP request, they could expose your code, including any hardcoded secrets or other sensitive information. This is a medium-severity vulnerability but can have serious consequences.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are You Affected? (React)
&lt;/h2&gt;

&lt;p&gt;You are affected by these vulnerabilities if you are using React Server Components. This includes frameworks and bundlers such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Next.js&lt;/li&gt;
&lt;li&gt;  react-router&lt;/li&gt;
&lt;li&gt;  Waku&lt;/li&gt;
&lt;li&gt;  @parcel/rsc&lt;/li&gt;
&lt;li&gt;  @vite/rsc-plugin&lt;/li&gt;
&lt;li&gt;  rwsdk&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you are not using a server or your application does not support React Server Components, you are not affected.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Fix (React)
&lt;/h2&gt;

&lt;p&gt;The React team has released patched versions of the following packages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;code&gt;react-server-dom-webpack&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;code&gt;react-server-dom-parcel&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;code&gt;react-server-dom-turbopack&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You should immediately upgrade to the latest versions (19.0.3, 19.1.4, 19.2.3) to patch these vulnerabilities.&lt;/p&gt;

&lt;p&gt;For React Native developers, the React team has provided specific instructions for updating the impacted packages in your monorepo.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to Do Now (React)
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Check if you are affected:&lt;/strong&gt; Determine if your application uses React Server Components.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Upgrade your dependencies:&lt;/strong&gt; If you are affected, upgrade your &lt;code&gt;react-server-dom-*&lt;/code&gt; packages to the latest patched versions.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Audit your code:&lt;/strong&gt; Even after patching, it’s a good practice to audit your code for any hardcoded secrets and move them to a secure location.&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  Next.js Specific Information (Update)
&lt;/h2&gt;

&lt;p&gt;The Next.js team has released a security update addressing the downstream impact of the React Server Component vulnerabilities on applications using the App Router.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Important Note:&lt;/strong&gt; The initial fix for the Denial of Service vulnerability (CVE-2025-55184) was incomplete. A complete fix has been issued under &lt;strong&gt;CVE-2025-67779&lt;/strong&gt;. If you previously upgraded, you must upgrade again to the latest patched versions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Affected and Fixed Next.js Versions
&lt;/h3&gt;

&lt;p&gt;Your Next.js application is affected if you are using the App Router. The &lt;code&gt;Pages Router&lt;/code&gt; is not affected.&lt;/p&gt;

&lt;p&gt;Here are the patched versions you need to upgrade to:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Fixed In&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&amp;gt;=13.3&lt;/td&gt;
&lt;td&gt;14.2.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;14.x&lt;/td&gt;
&lt;td&gt;14.2.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.0.x&lt;/td&gt;
&lt;td&gt;15.0.7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.1.x&lt;/td&gt;
&lt;td&gt;15.1.11&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.2.x&lt;/td&gt;
&lt;td&gt;15.2.8&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.3.x&lt;/td&gt;
&lt;td&gt;15.3.8&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.4.x&lt;/td&gt;
&lt;td&gt;15.4.10&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.5.x&lt;/td&gt;
&lt;td&gt;15.5.9&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;15.x canary&lt;/td&gt;
&lt;td&gt;15.6.0-canary.60&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16.0.x&lt;/td&gt;
&lt;td&gt;16.0.10&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16.x canary&lt;/td&gt;
&lt;td&gt;16.1.0-canary.19&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;
  
  
  Required Action for Next.js Users
&lt;/h3&gt;

&lt;p&gt;All users should upgrade to the latest patched version for their release line. There is no workaround.&lt;/p&gt;

&lt;p&gt;You can use &lt;code&gt;npm&lt;/code&gt; or &lt;code&gt;yarn&lt;/code&gt; to install the patched version, for example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install &lt;/span&gt;next@14.2.35  &lt;span class="c"&gt;# for 14.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.0.7   &lt;span class="c"&gt;# for 15.0.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.1.11  &lt;span class="c"&gt;# for 15.1.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.2.8   &lt;span class="c"&gt;# for 15.2.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.3.8   &lt;span class="c"&gt;# for 15.3.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.4.10  &lt;span class="c"&gt;# for 15.4.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.5.9   &lt;span class="c"&gt;# for 15.5.x&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@16.0.10  &lt;span class="c"&gt;# for 16.0.x&lt;/span&gt;

npm &lt;span class="nb"&gt;install &lt;/span&gt;next@15.6.0-canary.60   &lt;span class="c"&gt;# for 15.x canary releases&lt;/span&gt;
npm &lt;span class="nb"&gt;install &lt;/span&gt;next@16.1.0-canary.19   &lt;span class="c"&gt;# for 16.x canary releases&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Alternatively, you can use the interactive &lt;code&gt;fix-react2shell-next&lt;/code&gt; tool to check your version and perform the upgrade:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx fix-react2shell-next
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Reference links:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components" rel="noopener noreferrer"&gt;https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nextjs.org/blog/security-update-2025-12-11" rel="noopener noreferrer"&gt;https://nextjs.org/blog/security-update-2025-12-11&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>react</category>
      <category>webdev</category>
      <category>javascript</category>
      <category>security</category>
    </item>
    <item>
      <title>Critical RCE Vulnerability in React Server Components: Understanding and Mitigating CVE-2025-6678 (React2Shell)</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Mon, 08 Dec 2025 11:53:39 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/critical-rce-vulnerability-in-react-server-components-understanding-and-mitigating-cve-2025-6678-3fjk</link>
      <guid>https://dev.to/chaudharidevam/critical-rce-vulnerability-in-react-server-components-understanding-and-mitigating-cve-2025-6678-3fjk</guid>
      <description>&lt;h2&gt;
  
  
  A Critical Vulnerability in the React Ecosystem
&lt;/h2&gt;

&lt;p&gt;A critical remote code execution (RCE) vulnerability, nicknamed &lt;strong&gt;React2Shell&lt;/strong&gt; and tracked as &lt;strong&gt;CVE-2025-6678&lt;/strong&gt;, has been discovered in React Server Components. This is a high-severity flaw that could allow an attacker to take control of your server.&lt;/p&gt;

&lt;p&gt;This post will break down what the vulnerability is, who is affected, and what you need to do immediately to protect your applications.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is the React2Shell Vulnerability?
&lt;/h2&gt;

&lt;p&gt;The React2Shell vulnerability is a critical security issue that affects applications using React Server Components. It allows an unauthenticated attacker to execute arbitrary code on the server by sending a specially crafted HTTP request.&lt;/p&gt;

&lt;p&gt;The vulnerability resides in the &lt;code&gt;react-server-dom-webpack&lt;/code&gt;, &lt;code&gt;react-server-dom-parcel&lt;/code&gt;, and &lt;code&gt;react-server-dom-turbopack&lt;/code&gt; packages. The root cause is a deserialization issue in how React Server Components handle data from the client.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are You Affected?
&lt;/h2&gt;

&lt;p&gt;The vulnerability impacts specific versions of React and frameworks that use React Server Components.&lt;/p&gt;

&lt;h3&gt;
  
  
  Affected React Versions:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;react-server-dom-webpack&lt;/code&gt;: 19.0, 19.1.0, 19.1.1, 19.2.0&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;react-server-dom-parcel&lt;/code&gt;: 19.0, 19.1.0, 19.1.1, 19.2.0&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;react-server-dom-turbopack&lt;/code&gt;: 19.0, 19.1.0, 19.1.1, 19.2.0&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Affected Frameworks:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Next.js:&lt;/strong&gt; Versions 15.0.0 through 16.0.6, and some canary versions of 14.x.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;React Router:&lt;/strong&gt; Unstable RSC APIs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Other frameworks and bundlers:&lt;/strong&gt; Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How to Check Your Application
&lt;/h2&gt;

&lt;p&gt;The community has quickly responded with tools to help you determine if your project is vulnerable.&lt;/p&gt;

&lt;p&gt;You can check your project by running the following command in your project's root directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx react2shell-guard
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This command will analyze your dependencies and inform you if your project is using an affected version.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Fix the Vulnerability
&lt;/h2&gt;

&lt;p&gt;The most critical step is to upgrade your dependencies to the patched versions.&lt;/p&gt;

&lt;h3&gt;
  
  
  For Next.js Applications
&lt;/h3&gt;

&lt;p&gt;If you are using Next.js, you should upgrade to the latest version of Next.js, which will include the patched version of React. The patched versions for Next.js are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;15.0.x:&lt;/strong&gt; &lt;code&gt;15.0.5&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;15.1.x:&lt;/strong&gt; &lt;code&gt;15.1.9&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;15.2.x:&lt;/strong&gt; &lt;code&gt;15.2.6&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;15.3.x:&lt;/strong&gt; &lt;code&gt;15.3.6&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;15.4.x:&lt;/strong&gt; &lt;code&gt;15.4.8&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;15.5.x:&lt;/strong&gt; &lt;code&gt;15.5.7&lt;/code&gt; or newer&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;16.0.x:&lt;/strong&gt; &lt;code&gt;16.0.7&lt;/code&gt; or newer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can use the &lt;code&gt;fix-react2shell-next&lt;/code&gt; tool provided by Vercel to automatically upgrade your dependencies.&lt;/p&gt;

&lt;p&gt;Run the following command in your project's root directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx fix-react2shell-next
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will update your &lt;code&gt;package.json&lt;/code&gt; to use a patched version of Next.js. After running the command, be sure to install the updated dependencies:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt;
&lt;span class="c"&gt;# or&lt;/span&gt;
yarn &lt;span class="nb"&gt;install&lt;/span&gt;
&lt;span class="c"&gt;# or&lt;/span&gt;
pnpm &lt;span class="nb"&gt;install&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  For other frameworks
&lt;/h3&gt;

&lt;p&gt;If you are not using Next.js, you need to manually update your React packages to the patched versions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;React 19.0.x:&lt;/strong&gt; Upgrade to &lt;code&gt;19.0.1&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;React 19.1.x:&lt;/strong&gt; Upgrade to &lt;code&gt;19.1.2&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;React 19.2.x:&lt;/strong&gt; Upgrade to &lt;code&gt;19.2.1&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Rotate Your Secrets
&lt;/h2&gt;

&lt;p&gt;Because this vulnerability allows for remote code execution, it is crucial that you rotate any secrets and credentials that your application has access to. This includes API keys, database passwords, and any other sensitive information.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The React2Shell vulnerability is a serious threat, but the fix is relatively straightforward. It is essential to act now to protect your applications and your users' data.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Check your application&lt;/strong&gt; for the vulnerability using &lt;code&gt;npx react2shell-guard&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Upgrade your dependencies&lt;/strong&gt; using &lt;code&gt;npx fix-react2shell-next&lt;/code&gt; for Next.js or by manually updating your React packages.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Rotate your secrets.&lt;/strong&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Stay safe, and keep your applications secure!&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Disclaimer: This blog post is based on the information available from the official React and Vercel announcements. Please refer to the official sources for the most up-to-date information.&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" rel="noopener noreferrer"&gt;React Blog: Critical Security Vulnerability in React Server Components&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://vercel.com/kb/bulletin/react2shell#upgrading-your-application" rel="noopener noreferrer"&gt;Vercel Knowledge Base: React2Shell Security Bulletin&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>react</category>
      <category>nextjs</category>
      <category>security</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Solving React's "Zombie Children," Tearing, and Context Loss with Zustand</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Mon, 24 Nov 2025 06:42:55 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/solving-reacts-zombie-children-tearing-and-context-loss-with-zustand-5d04</link>
      <guid>https://dev.to/chaudharidevam/solving-reacts-zombie-children-tearing-and-context-loss-with-zustand-5d04</guid>
      <description>&lt;p&gt;React is a powerful library for building user interfaces, but as applications grow in complexity, developers often run into a few tricky state management issues. Three of the most common are the "zombie child" problem, UI tearing in concurrent mode, and performance degradation from React's Context API.&lt;/p&gt;

&lt;p&gt;Fortunately, a lightweight and elegant state management library called &lt;strong&gt;Zustand&lt;/strong&gt; provides a simple solution to all three. Let's dive into what these problems are and how Zustand helps you sidestep them entirely.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Problems We Face
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. The "Zombie Child" Problem (Stale Props)
&lt;/h3&gt;

&lt;p&gt;The "zombie child" effect happens when a parent component re-renders, but a child component that has been unmounted (or is in the process of unmounting) still manages to trigger a state update. This child is a "zombie"—it's not really alive in the component tree, but its old logic (often from a closure with stale state) is still running.&lt;/p&gt;

&lt;p&gt;This can lead to unpredictable bugs, memory leaks, and state updates that are based on outdated information.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. React Concurrency and Tearing
&lt;/h3&gt;

&lt;p&gt;React 18 introduced concurrent rendering, a powerful feature that allows React to pause and resume rendering work to keep the UI responsive. However, this can cause a problem called &lt;strong&gt;"tearing."&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Tearing is a visual glitch where different components on the screen display different values for the same state. This happens when a state update is read by one component, but before another component can read it, React pauses the render. The result is a temporarily inconsistent UI. Libraries that aren't built with concurrency in mind are susceptible to this.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Context Loss (The Performance Pitfall of React Context)
&lt;/h3&gt;

&lt;p&gt;React's built-in Context API is fantastic for passing state down the component tree without prop-drilling. However, it has a major performance drawback:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Any component consuming a context will re-render whenever &lt;em&gt;any&lt;/em&gt; value in that context changes.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Imagine a context holding user settings, a shopping cart, and theme information. If a user adds an item to the cart, every component connected to that context will re-render, even the ones that only care about the theme. This causes unnecessary renders and can slow down your application.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight jsx"&gt;&lt;code&gt;&lt;span class="c1"&gt;// Any component using this context will re-render if 'cart' or 'theme' changes.&lt;/span&gt;
&lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;AppContext&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nx"&gt;React&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;createContext&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;
  &lt;span class="na"&gt;cart&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;[],&lt;/span&gt;
  &lt;span class="na"&gt;theme&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;dark&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;});&lt;/span&gt;

&lt;span class="c1"&gt;// This component only cares about the theme...&lt;/span&gt;
&lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nf"&gt;ThemeToggler&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nx"&gt;theme&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nx"&gt;setTheme&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;useContext&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;AppContext&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt; &lt;span class="c1"&gt;// ...but it will re-render when the cart changes!&lt;/span&gt;
  &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;button&lt;/span&gt; &lt;span class="na"&gt;onClick&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nx"&gt;toggleTheme&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nx"&gt;theme&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;button&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The Solution: Enter Zustand
&lt;/h2&gt;

&lt;p&gt;Zustand is a small, fast, and scalable state management solution. It leverages a simple hook-based API but keeps state &lt;em&gt;outside&lt;/em&gt; of the React component tree. This architectural choice is the key to solving all the problems above.&lt;/p&gt;

&lt;h3&gt;
  
  
  How Zustand Solves These Issues
&lt;/h3&gt;

&lt;h4&gt;
  
  
  1. Solving Context Loss with Selective Subscriptions
&lt;/h4&gt;

&lt;p&gt;Zustand avoids the context performance trap by allowing components to subscribe to only the specific pieces of state they need. This is done through &lt;strong&gt;selectors&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;A component will only re-render if the exact value returned by its selector function changes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Creating a Zustand Store:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="k"&gt;import&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="nx"&gt;create&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt; &lt;span class="k"&gt;from&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;zustand&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

&lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;useStore&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;create&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="kd"&gt;set&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="p"&gt;({&lt;/span&gt;
  &lt;span class="na"&gt;count&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="na"&gt;theme&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;light&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="na"&gt;increment&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="nf"&gt;set&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="p"&gt;({&lt;/span&gt; &lt;span class="na"&gt;count&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;count&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt; &lt;span class="p"&gt;})),&lt;/span&gt;
  &lt;span class="na"&gt;toggleTheme&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="nf"&gt;set&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="p"&gt;({&lt;/span&gt; &lt;span class="na"&gt;theme&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;theme&lt;/span&gt; &lt;span class="o"&gt;===&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;light&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt; &lt;span class="p"&gt;?&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;dark&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="dl"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;light&lt;/span&gt;&lt;span class="dl"&gt;'&lt;/span&gt; &lt;span class="p"&gt;})),&lt;/span&gt;
&lt;span class="p"&gt;}));&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Using the Store with Selectors:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight jsx"&gt;&lt;code&gt;&lt;span class="c1"&gt;// This component ONLY subscribes to `count`.&lt;/span&gt;
&lt;span class="c1"&gt;// It will NOT re-render when the theme changes.&lt;/span&gt;
&lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nf"&gt;Counter&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;count&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;useStore&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;count&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;increment&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;useStore&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;increment&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
  &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;button&lt;/span&gt; &lt;span class="na"&gt;onClick&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nx"&gt;increment&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;Count is: &lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nx"&gt;count&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;button&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;// This component ONLY subscribes to `theme`.&lt;/span&gt;
&lt;span class="c1"&gt;// It will NOT re-render when the count changes.&lt;/span&gt;
&lt;span class="kd"&gt;function&lt;/span&gt; &lt;span class="nf"&gt;ThemeDisplay&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="kd"&gt;const&lt;/span&gt; &lt;span class="nx"&gt;theme&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;useStore&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="nx"&gt;state&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;theme&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
  &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;div&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;Current theme: &lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="nx"&gt;theme&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;div&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  2. Solving Concurrency Tearing and Zombie Children
&lt;/h4&gt;

&lt;p&gt;Because Zustand's state lives outside of React, it doesn't suffer from the same lifecycle issues. To safely connect this external state to React's concurrent rendering, Zustand uses the &lt;code&gt;useSyncExternalStore&lt;/code&gt; hook under the hood.&lt;/p&gt;

&lt;p&gt;This is a special hook provided by React specifically for this purpose. It guarantees that subscriptions to external data sources (like a Zustand store) are safe from tearing and that components always read the most up-to-date information.&lt;/p&gt;

&lt;p&gt;This completely eliminates tearing and makes the "zombie child" problem a non-issue, as any logic running from an unmounted component will be operating on a consistent, external state that won't cause inconsistent React renders.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;While React's built-in tools are powerful, they come with trade-offs. For applications with complex, shared state, the "zombie child" problem, tearing, and context performance issues can become significant hurdles.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Zustand offers a clean and effective solution by:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Keeping state external&lt;/strong&gt; to the React component tree.&lt;/li&gt;
&lt;li&gt; Using &lt;strong&gt;selectors&lt;/strong&gt; to prevent unnecessary re-renders.&lt;/li&gt;
&lt;li&gt; Integrating with React's concurrent mode safely via &lt;code&gt;useSyncExternalStore&lt;/code&gt;.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you're looking for a state management solution that is both simple to use and highly performant, give Zustand a try in your next project. It provides the power you need without the common pitfalls.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>zustand</category>
      <category>react</category>
    </item>
    <item>
      <title>JSON vs. TOON: A Token-Saving Showdown for LLMs</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Sat, 08 Nov 2025 13:46:45 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/json-vs-toon-a-token-saving-showdown-for-llms-1e6j</link>
      <guid>https://dev.to/chaudharidevam/json-vs-toon-a-token-saving-showdown-for-llms-1e6j</guid>
      <description>&lt;p&gt;In the world of Large Language Models (LLMs), every token counts. As developers, we're constantly seeking ways to optimize our prompts and reduce token consumption, which directly translates to lower costs and faster response times. While JSON has long been the king of data interchange, a new contender has emerged: TOON (Token Object Notation). But what is TOON, and can it really save you tokens? Let's dive in.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is JSON?
&lt;/h2&gt;

&lt;p&gt;JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for humans to read and write and easy for machines to parse and generate. It's built on two structures:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  A collection of name/value pairs (e.g., an object, record, struct, dictionary, hash table, keyed list, or associative array).&lt;/li&gt;
&lt;li&gt;  An ordered list of values (e.g., an array, vector, list, or sequence).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A simple JSON example looks like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"John Doe"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"age"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;30&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"isStudent"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"courses"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"title"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"History"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"credits"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;3&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"title"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"Math"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"credits"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;4&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;While JSON is ubiquitous and well-supported, its verbosity can be a drawback when working with LLMs. The repeated keys and structural characters (curly braces, brackets, commas, and quotes) all contribute to the total token count.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is TOON?
&lt;/h2&gt;

&lt;p&gt;TOON (Token Object Notation) is a more compact, token-efficient data format designed with LLMs in mind. It aims to represent structured data with minimal overhead. TOON achieves this by using a more concise syntax that reduces the number of characters needed to represent the same information.&lt;/p&gt;

&lt;p&gt;Here's the same data from our JSON example, but in TOON format:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;(
  name: "John Doe",
  age: 30,
  isStudent: false,
  courses: [
    (title: "History", credits: 3),
    (title: "Math", credits: 4)
  ]
)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As you can see, TOON replaces the curly braces &lt;code&gt;{}&lt;/code&gt; with parentheses &lt;code&gt;()&lt;/code&gt; and eliminates the need for quotes around keys. This might seem like a small change, but it can lead to significant token savings, especially with large and complex datasets.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Token-Saving Advantage
&lt;/h2&gt;

&lt;p&gt;The primary benefit of TOON is its ability to reduce the number of tokens required to represent data. Let's break down the token counts for our examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;JSON:&lt;/strong&gt;  The JSON example has 15 tokens (this can vary slightly based on the tokenizer used).&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;TOON:&lt;/strong&gt; The TOON example has 12 tokens.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In this small example, we've already saved 3 tokens, a 20% reduction. Imagine a scenario where you're sending a large array of objects to an LLM. The savings from eliminating quotes around keys and using a more compact structure can quickly add up.&lt;/p&gt;

&lt;p&gt;Furthermore, to maximize token savings with TOON, it's often beneficial to flatten nested JSON structures before conversion. Nested objects and arrays, while semantically rich, can introduce redundant keys and structural overhead. By flattening the data into a more linear structure, you can reduce the overall complexity and the number of tokens required to represent the information, making your prompts even more efficient.&lt;/p&gt;

&lt;h2&gt;
  
  
  When to Use TOON
&lt;/h2&gt;

&lt;p&gt;While TOON offers clear advantages in token efficiency, it's not a universal replacement for JSON. Here are a few things to consider:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;LLM-Specific Interactions:&lt;/strong&gt; TOON is ideal for direct communication with LLMs where token count is a primary concern.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Tooling and Support:&lt;/strong&gt; JSON is the industry standard and has vast support across languages, libraries, and APIs. TOON is newer and has a smaller ecosystem.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Readability:&lt;/strong&gt; While TOON is still human-readable, some developers might find JSON's syntax more familiar and easier to parse visually.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;TOON presents a compelling alternative to JSON for developers working with LLMs. Its token-efficient design can lead to significant cost and performance improvements. While it may not replace JSON entirely, it's a valuable tool to have in your arsenal for optimizing your LLM-powered applications. As the field of AI continues to evolve, we can expect to see more innovations like TOON that help us build more efficient and powerful applications.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
      <category>llm</category>
    </item>
    <item>
      <title>The Future of Web Development: A Deep Dive into React v19 and Next.js 16</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Tue, 04 Nov 2025 11:20:20 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/the-future-of-web-development-a-deep-dive-into-react-v19-and-nextjs-16-8l0</link>
      <guid>https://dev.to/chaudharidevam/the-future-of-web-development-a-deep-dive-into-react-v19-and-nextjs-16-8l0</guid>
      <description>&lt;p&gt;The web development landscape is constantly evolving, and the latest releases of React and Next.js are set to push the boundaries once again. React v19 and Next.js 16 bring a host of new features and improvements that promise to enhance performance, streamline development workflows, and empower developers to build more powerful and engaging applications.&lt;/p&gt;

&lt;h2&gt;
  
  
  React v19: A New Era of React
&lt;/h2&gt;

&lt;p&gt;React v19 is a major release that introduces a number of long-awaited features and improvements. Here are some of the key highlights:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;React Server Components (RSC):&lt;/strong&gt; This is arguably the most significant new feature in React v19. RSC allows developers to write components that render on the server, reducing the amount of JavaScript that needs to be sent to the client. This can lead to significant performance improvements, especially for complex applications.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Actions:&lt;/strong&gt; Actions provide a new way to handle data mutations and state updates. They automatically manage pending states, errors, and optimistic updates, making it easier to build robust and user-friendly forms.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;&lt;code&gt;useOptimistic&lt;/code&gt; Hook:&lt;/strong&gt; This new hook makes it easy to implement optimistic updates, where the UI is updated immediately after a user takes an action, even before the server has responded. This can create a much more responsive and engaging user experience.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;&lt;code&gt;useActionState&lt;/code&gt; Hook:&lt;/strong&gt; This hook is designed to simplify the handling of data mutations and state updates within Actions. It manages the pending state and returns the final result, making it easier to build complex forms and other data-driven components.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;React Compiler:&lt;/strong&gt; The React Compiler is a new tool that optimizes your React code behind the scenes. It can automatically memoize components and hooks, eliminating the need for manual optimizations and improving performance.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;&lt;code&gt;ref&lt;/code&gt; as a Prop:&lt;/strong&gt; In React v19, you can now pass a &lt;code&gt;ref&lt;/code&gt; to a function component as a prop, just like any other prop. This simplifies the process of working with refs and makes it easier to create reusable components.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Next.js 16: The Perfect Partner for React v19
&lt;/h2&gt;

&lt;p&gt;Next.js 16 is the latest version of the popular React framework, and it's packed with new features and improvements that make it the perfect partner for React v19. Here are some of the key highlights:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Turbopack as Default Bundler:&lt;/strong&gt; Next.js 16 now uses Turbopack as its default bundler. Turbopack is a new, high-performance bundler that's written in Rust. It's significantly faster than Webpack, which can lead to a much faster development experience.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cache Components:&lt;/strong&gt; This new feature allows you to cache components on the server, which can lead to significant performance improvements.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;React Compiler Support:&lt;/strong&gt; Next.js 16 includes built-in support for the React Compiler. This means that you can take advantage of the compiler's performance optimizations without having to configure it yourself.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Enhanced Routing:&lt;/strong&gt; The routing system in Next.js 16 has been completely rebuilt. It's now faster and more flexible, and it includes a number of new features that make it easier to build complex routing scenarios.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;&lt;code&gt;proxy.ts&lt;/code&gt; (Replaces &lt;code&gt;middleware.ts&lt;/code&gt;):&lt;/strong&gt; The &lt;code&gt;middleware.ts&lt;/code&gt; file has been renamed to &lt;code&gt;proxy.ts&lt;/code&gt;. This change reflects the fact that middleware is now more powerful and can be used to proxy requests to other servers.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The Future is Bright
&lt;/h2&gt;

&lt;p&gt;React v19 and Next.js 16 are two of the most exciting new releases in the web development world. They bring a host of new features and improvements that promise to enhance performance, streamline development workflows, and empower developers to build more powerful and engaging applications. If you're a web developer, you should definitely check out these new releases.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>react</category>
      <category>nextjs</category>
    </item>
    <item>
      <title>🚨 Largest NPM Compromise in History: A Deep Dive into the 2025 Supply Chain Attack</title>
      <dc:creator>Devam Chaudhari</dc:creator>
      <pubDate>Tue, 09 Sep 2025 06:57:52 +0000</pubDate>
      <link>https://dev.to/chaudharidevam/largest-npm-compromise-in-history-a-deep-dive-into-the-2025-supply-chain-attack-2nbj</link>
      <guid>https://dev.to/chaudharidevam/largest-npm-compromise-in-history-a-deep-dive-into-the-2025-supply-chain-attack-2nbj</guid>
      <description>&lt;ul&gt;
&lt;li&gt;In what is being hailed as the most extensive supply chain attack in the history of the npm ecosystem, 18 widely-used JavaScript packages—including chalk, debug, and ansi-styles—were compromised with malicious code. This breach affected packages with over 2 billion weekly downloads, highlighting a critical vulnerability in the open-source supply chain.&lt;/li&gt;
&lt;/ul&gt;



&lt;h3&gt;
  
  
  🧩 The Attack Unfolded
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;The breach was traced back to a phishing attack targeting qix, the primary maintainer of several popular npm packages. The attacker impersonated npm support, convincing qix to update their two-factor authentication settings. Once compromised, the attacker published malicious versions of 18 packages, embedding a cryptocurrency drainer malware designed to hijack Web3 wallet transactions&lt;/li&gt;
&lt;/ul&gt;



&lt;h3&gt;
  
  
  📦 Affected Packages
&lt;/h3&gt;

&lt;p&gt;The compromised packages included:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="mailto:chalk@5.6.1"&gt;chalk@5.6.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:debug@4.4.2"&gt;debug@4.4.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:ansi-styles@6.2.2"&gt;ansi-styles@6.2.2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:strip-ansi@7.1.1"&gt;strip-ansi@7.1.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:supports-color@10.2.1"&gt;supports-color@10.2.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:wrap-ansi@9.0.1"&gt;wrap-ansi@9.0.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:color-convert@3.1.1"&gt;color-convert@3.1.1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="mailto:color-name@2.0.1"&gt;color-name@2.0.1&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These packages are deeply integrated into major frameworks and tools, including React, Next.js, and Express, making the attack's reach extensive&lt;/p&gt;



&lt;h3&gt;
  
  
  🔍 Technical Details
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The malicious code was designed to monitor for Web3 wallet addresses and replace them with the attacker's own address, redirecting cryptocurrency transactions in real-time. This sophisticated approach allowed the attacker to intercept funds without alerting the user.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security experts have advised developers to audit their dependencies for the presence of the malicious code. One method suggested is searching for the string _0x112fa8 within the project's dependency tree&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h3&gt;
  
  
  🛡️ Community Response and Mitigation
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The npm community responded swiftly to the breach. The compromised versions were removed from the registry, and maintainers issued advisories to update to safe versions. Security tools like Semgrep and Aikido have been updated to detect the malicious code in affected packages.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Discussions on platforms like Reddit and Hacker News have highlighted the risks associated with deep dependency chains and the challenges of securing the open-source supply chain. Some community members have pointed out that the attack's focus on cryptocurrency transactions underscores the need for better security practices in handling sensitive data within the npm ecosystem &lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  🔗 Further Reading
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://github.com/chalk/chalk/issues/656" rel="noopener noreferrer"&gt;GitHub Issue #656 &lt;/a&gt;– Chalk&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/" rel="noopener noreferrer"&gt;Reddit Discussion&lt;/a&gt; on r/programming&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.securityalliance.org/news/2025-09-npm-supply-chain?utm_source=chatgpt.com" rel="noopener noreferrer"&gt;Security Alliance Report&lt;/a&gt;&lt;/p&gt;

</description>
      <category>npm</category>
      <category>supplychainattack</category>
      <category>opensourcesecurity</category>
      <category>javascript</category>
    </item>
  </channel>
</rss>
