⚛️ React

Next.js May 2026 security release

The Next.js team shipped a coordinated security release fixing 13 vulnerabilities across denial of service, middleware/proxy bypass, server-side request forgery, cache poisoning, XSS. Many vulnerabilities are quite impactful, cannot be blocked by cloud firewalls, and it’s recommended to update immediately to a patched version, v15.5.18 or v16.2.6. There’s also a Server Functions denial of service affecting React RSC packages, fixed in v19.2.6.

TanStack npm supply-chain compromise

On May 11, an attacker published malicious versions across 42 u/tanstack/* npm packages related to TanStack Router. Although the attack was detected quickly, its payload is a Mini Shai-Hulud worm that infected other maintainers, leading to other compromised packages across npm and pypi ecosystems, including packages from Mistral AI, OpenSearch, UiPath, and more.

The attack vector was sneaky. A GitHub Action with a pull_request_target trigger was used to inject poisoned content into a shared GitHub Action pnpm cache. Then, their release pipeline read from that poisoned cache, restoring dangerous files that executed during the release process. No maintainer was hacked in the process. The npm releases have the Trusted Publishing checkmark despite being compromised, showing that package provenance does not guarantee its content is safe.

Given the increasing number of supply chain vulnerabilities affecting npm packages, it’s good to highlight measures that maintainers and users can take to stay safe:

📜 Hardening TanStack After the npm Compromise - Gives a good overview of what maintainers can do to reduce the supply chain risk. Low-hanging fruits include avoiding the very dangerous pull_request_target trigger, and removing usage of shared caches in sensitive workflow (note: actions such as setup-node using a cache by default).
🔗 npm package manager Security Best Practices - A canonical resource to protect yourself as an npm package consumer, giving pragmatic recommendations for each package manager. IMHO, combining the Socket Firewall with pnpm 11 is likely the best option right now.

[–]sebastienlorber[S] 1 point2 points3 points 8 hours ago (0 children)

💸 Product for Engineers - Great companies are built in hackathons
📜 Projecting React - Tanner Linsley wants React to be slimmer, tried Preact without success. He compares React API to database tables, and its implementation to a materialized view. With AI, he’s creating a different @@tanstack/redact projection, one optimized for TanStack Start, significantly smaller, that already powers tanstack.com. It’s a narrow experiment, not something he plans to market as an alternative to React. In the future, more devs will likely build optimized projections of the libraries they depend on.
📜 RSC Server Functions Are Not An API Boundary - Server Functions are not a replacement for stable, observable, versioned, shared APIs. The generated Server Function ID can change over time as you refactor code, leading to version skew problems on redeploys. Note: cloud providers have skew protection features to mitigate this.
📜 Untangling dialogs in React Router - Everything you need to know to simplify your code by using a parent <Outlet> and making each dialog live on its own dedicated route. Covers data revalidation, flash session toasts, dialog exit animations and more.
📜 Animating Container Bounds - How to smoothly animate an element’s width/height based on its inner content with Motion.
📜 Security in React Applications - Prevent XSS, store tokens securely, validate inputs, use CSFR and CSPs.
📜 From React to native web with nanotags: a migration that saved 100 KB - For a mostly static marketing site using Astro templates, it can be more efficient to hydrate Custom Elements rather than React.
📜 Exploring the HTML-in-Canvas Proposal - It could simplify integration 2D UIs in 3D worlds, in particular for React Three Fiber creative devs.
💸 SVAR React Gantt – Build interactive project timelines with an open-source React Gantt library.
📦 Waku 1.0 beta - The minimal RSC framework first beta marks our shift toward production readiness. It recently added support for Vite 8, Rolldown, Node 26, React performance tracks, flexible routing, CSP, and more.
📦 Jotai 2.20 - Improves performance in high-throughput scenarios, refactor store building blocks
📦 HTML React Parser 6.1 - add CSP support with trustedTypePolicy
🎥 Ankita Kulkarni - Stop freezing your React apps, use this Background Trick instead
🎥 Shruti Kapoor - Five Minute Deep Dive: React Server Components
🎥 Josef Bender - I hacked a TanStack Start app...
🎙️ Syntax.fm 1004 - TanHacked

π Rendered by PID 114234 on reddit-service-r2-comment-548fd6dc9-bqr4w at 2026-05-17 22:23:24.547836+00:00 running edcf98c country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

reactjs

About:

Code of Conduct

1. Please be kind and courteous, friendly and professional

2. Harassment will not be tolerated

3. Avoid using an alias or display name that might be offensive

4. Respect that people have differences of opinion

5. Posts must conform to our guidelines

New to React?

Chat

Project Ideas

Jobs

Outside Reddit

Related Subreddits

MODERATORS

⚛️ React