This Week In React #282 : Security, Fate, TanStack, Redux, Jotai | Hermes-node, Expo, Rozenite, Harness | TC39, Bun, pnpm, npm, Yarn, Node

#react #reactnative

Hi everyone, Seb and Jan here 👋!

It looks like security is going to be a hot topic this year! 😅

More packages are being compromised, and blog posts are also covering recent RSC vulnerabilities.

Maybe we’re reaching a tipping point, and better security practices will consolidate this year.

On the React Native side, Hermes-node is quite exciting, although it’s very early.

An exciting TC39 meeting is currently underway, and several proposals have already progressed.

Yarn and npm are improving on the security side.

Bun and pnpm are being ported to Rust.

💡 Subscribe to the official newsletter to receive an email every week!

💸 Sponsor

Ship AI generated code safely with Meticulous.

Claude writes your code. Claude reviews your code. Claude fixes the review comments. And somehow, you're the one getting paged at 2am when it breaks in prod.

Fortunately, top AI-driven teams like Dropbox, Notion, LaunchDarkly, and Wiz rely on Meticulous to run 1000s of e2e UI tests autonomously, covering every user flow, edge case, role and permutation. Built by ex-Palantir engineers, Meticulous gives you near-exhaustive coverage in weeks, without any developer effort.

It works like magic in the background:

Near-exhaustive coverage on every test run
No test creation
No maintenance (seriously)
Zero flakes (built on a deterministic browser)

Check it out - and see why one engineering leader at Dropbox said that “once we started using Meticulous, we couldn’t imagine working without it.”

⚛️ React

Mini Shai-Hulud worm keeps digging

Remember last week’s TanStack Router compromise? The dangerous worm from TeamPCP keeps compromising users and maintainers across ecosystems, affecting popular packages such as echarts-for-react and @antv, and GitHub actions such as actions-cool/issues-helper. OpenAI employees got compromised, leading them to regenerate code signing certificates. Grafana has been blackmailed by a ransomware group.The Million.js repository was also briefly compromised, but they seem to have gotten lucky: it apparently didn’t affect anyone.

Rumors also link this worm to the Nx Console VSCode extension compromise, and possibly connected to a major GitHub internal repo breach. This story isn’t over — “Mini” feels like a very questionable name 😅!

💸 PlanetScale - Faster apps start with a faster database. Get started with the fastest benchmarked Postgres and MySQL.
🗓️ React Norway - 🇳🇴 Oslo - 5 June - Experience the "Rock & React" atmosphere in a unique one-track full-stack festival with 350+ passionate developers. -10% with code "TWIR".
📜 React Server Components in TanStack - A pragmatic intro to TanStack’s flexible RSC model, CompositeComponent, and how much it could save in terms of client bundle size.
📜 Structural sharing, selectAtom, and why your jotai atoms re-render too much - Explains how deriving atoms, decomposing into primitive atoms, and structural sharing can help avoid re-renders.
📜 The React2Shell Story - 2 articles from the duo who reported the security flaw allowing remote code execution in RSC.
📜 The Flight Protocol Made Your DoS My Problem - React/Next.js recently patched various CVEs. One of them could block your Node process in a single HTTP request.
💸 Certificates.dev - React Free Weekend is coming. Get unlimited access to mid-level training, incl. coding challenges + trial exam for 48H.
📦 Fate 1.0 - The first full Async React Metaframework - Fate is a Relay-inspired framework (not based on GraphQL) supporting view composition, normalized caching, data masking, Async React features, live views through Server-Sent Events, Drizzle, garbage collection, and more.
📦 TanStack Router releases - Deferred hydration capabilities, route matching priority - Deferred Hydration (experimental, docs) could help improve your page's perceived performance by making it interactive sooner. They also recently introduced CSS inlining and a CSRF middleware.
📦 TanStack AI releases - useChat() supports streaming structured output
📦 React Redux 9.3 - connect API deprecated, Trusted Publishing fixed - The old HOC API is not removed, but it’s recommended to migrate to useSelector/useDispatch
📦 Redux Toolkit 2.12 - TypeScript Improvements, Skills
📦 Base UI 1.5 - Major mount perf improvements for popovers/dialogs/tooltips/menus
📦 React Hook Form 7.76 - Improved isDirty and useFieldArray
📦 Relay 21.0 - First-party TypeScript support, experimental RSC support, improved error handling
📦 Storybook 10.4 - TanStack React, React Native isolation, agentic setup, review filters
📦 React Doctor 0.2 - Your agent writes bad React. This catches it.
📦 React Router 7.15.1 - New unstable_useRouterState consolidation API
🎥 Nuno Maduro - Why React Developers Are Leaving Next.js for TanStack, with Tanner Linsley
🎥 Fireship - A single PR just hijacked the NPM registry...
🎙️ Syntax.fm 1005 - Programatic and Skill based Video Creation with Remotion

💸 Sponsor

Tomorrow Only: Next.js Debugging Workshop

Most Next.js bugs don't fail loudly. They fail in a webhook handler at 3am, in a server component nobody touched, in an auth flow that worked yesterday. Sentry's hands-on workshop shows you how to catch them with high-context logs and distributed tracing.

Last chance to save your spot. Register today.

📱 React-Native

💸 PostHog - The 7 best session replay tools for mobile apps
📜 Unlocking Expo Updates in an Isolated Brownfield Architecture with SDK 55 - Running Expo Updates in Isolated Brownfield was always a challenge. Thanks to recent updates, it is a thing of the past.
📜 Changes to project loading behavior in Expo Go - Breaking change for EAS Update users: Expo Go now enforces ownership checks. Self-hosted updates can no longer serve Hermes bytecode bundles.
📜 WTF does .box() do in Nitro Modules? - It converts NativeState-backed objects into HostObjects so they can cross worklet runtime boundaries.
📜 Build fast, no matter what: how Expo is optimizing for speed (and how you can, too) - Deep dive into Expo's build speed optimizations: hardware scaling, Gradle caching, prebuilt binaries, and fingerprint-based workflows that avoid full rebuilds for JS-only changes.
📜 Using TurboModule Substitution to Build Safer React Native Plugin Systems - Explains how React Native Sandbox 0.6 offers granular sandboxing capabilities.
📦 Hermes Node - Node.js built-in module compatibility layer for the Hermes JS engine - The creator of Hermes published an AI-driven prototype of a new JS/TS runtime built on Hermes, compatible with Node.js. It won’t outperform Node.js/V8 today, but Static Hermes could make it way faster in the future.
📦 Skia Lab - Beautiful react-native-skia demo - A collection of painting, physics, shaders, and gesture interactions demos.
📦 ViroReact 2.55 - Ship as a native VR experience on Meta Quest
📦 Harness 1.2 - iOS code coverage, permission automation, external xctest commands
📦 Expo Speech Recognition 56 - Expo SDK 56 support
📦 TypeGPU Confetti 0.3 - Rewritten to use TypeGPU
📦 Nitro Fetch 1.3 - Removed box/unbox, fixed binary responses, performance improvements
📦 Agent Device 0.15 - Faster boot and test replay, iOS replay speedup, MCP discovery-only
📦 View Shot 5.1 - iOS 17 compatibility, Windows support + example, Android ScrollView fix
📦 Rozenite DevTools 1.10 - Network, Performance, Vite plugin improvements
🎥 William Candillon - Debriefing Redraw & TypeGPU
🎥 Beto - Everything new in Expo SDK 56
🎥 React Native Live Ep 11 - Building High-Performance UI with React Native Skia / William Candillon
🎙️ RNR 353 - Building React Native Apps in the AI Era

🔀 Other

👀 Explicit Resource Management reached TC39 stage 4 - A TC39 meeting is in progress, and many proposals have progressed. The most “user-facing” one – using – is going to be part of the standard and simplify your resource cleanup logic. I take the opportunity to show you how to leverage it immediately in Vitest/Jest tests.
👀 npm RFC - Make install scripts opt-in - It’s great to see npm finally looking to catch up on security! They’d like to introduce an allowScripts map in package.json to help mitigate the recent supply chain attacks.
👀 Bun PR - Rewrite Bun in Rust - The bold, AI-driven PR landed in just one week, making Bun’s migration from Zig to Rust official. 🤯
📜 Declarative partial updates - New exciting APIs may come to the web platform: out-of-order streaming, and new HTML insertion methods supporting streaming. Already available in Chrome 148 behind an experimental flag.
📜 QUIC and HTTP/3 Come To Node.js (finally) - A 5-part deep dive on the experimental node:quic API.
📦 pnpm 11.12 - Experimental Rust install engine - pnpm is also migrating to Rust, with an incremental strategy. This release introduces an opt-in for the new Rust engine to power the install phase.
📦 Yarn 4.15 - Add npmMinimalAgeGate: 1d release cooldown by default - Another package manager adopts better security defaults. BTW, Yarn is also being rewritten in Rust.
📦 Node 26.2 - stream.compose stable, fs.stat() returns Temporal.Instant
📦 Webpack 5.107 - Experimental HTML modules, experimental native TS support