

This Week In React 233 =>>> thisweekinreact.com/newsletter/233 ⚛️ - Server Components - Next.js - Unhead - Compiler - Shadcn - Relay - Mantine 📱 - Expo - WebGPU / Skia Graphite - Apple fees - Reanimated
This Week In React

@ThisWeekInReact
• ⚛️ Stay up-to-date with React • 📡 High signal, no drama • 🔥 Join 42k React devs - 1 email/week • 📨 https://t.co/ymeDmOmnYt • By @sebastienlorber


This Week In React 281 ⚛️ - Next.js CVE - TanStack Router compromise - Security - Redact - React Router - Waku - HTML Parser 📱 - Redraw - Expo 56 beta - Tabs - Screens - Pressable - Activity - Strict DOM - Rock - SWC - AI 🍿 Read: thisweekinreact.com/newsletter/281 ✍️ @jaworek3211 & I

TL;DR for open-source maintainers
🚫 NEVER use "pull_request_target" workflows
🚫 NEVER use shared caches in your publish pipeline
Combining these 2 in particular is extremely dangerous
I've repeated this countless times over the years, but another reminder is always useful


SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…
Credit to the security researcher for responsible disclosure.
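A local check for the two indicators named in the advisory above (the `@tanstack/setup` optionalDependency and `router_init.js` at the package root), as an added example that is not part of the original post or TanStack's own tooling. The function names and reason labels are this example's own; the commit id is truncated in the post, so only the spec prefix is matched.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Indicators quoted in the advisory. The commit id after '#' is truncated
// on the page, so only the spec prefix is matched.
const IOC_DEP = "@tanstack/setup";
const IOC_SPEC_PREFIX = "github:tanstack/router#";
const IOC_FILE = "router_init.js"; // payload file at the package root

// Inspect one installed package directory; return a finding or null.
function checkPackage(dir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  } catch {
    return null; // not a package directory, or unreadable manifest
  }
  if (!manifest || typeof manifest !== "object") return null;
  const reasons = [];
  const spec = manifest.optionalDependencies?.[IOC_DEP];
  if (typeof spec === "string") {
    reasons.push(spec.startsWith(IOC_SPEC_PREFIX) ? "optional-dep:git-spec" : "optional-dep:other-spec");
  }
  if (fs.existsSync(path.join(dir, IOC_FILE))) reasons.push("payload-file");
  if (reasons.length === 0) return null;
  return { name: manifest.name, version: manifest.version, dir, reasons };
}

// Walk <root>/node_modules, including @scope directories and nested
// node_modules. Symlinked entries (pnpm-style layouts) are not followed.
function scanNodeModules(root) {
  const findings = [];
  const nm = path.join(root, "node_modules");
  if (!fs.existsSync(nm)) return findings;
  for (const entry of fs.readdirSync(nm, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const full = path.join(nm, entry.name);
    const pkgDirs = entry.name.startsWith("@")
      ? fs.readdirSync(full).map((n) => path.join(full, n))
      : [full];
    for (const dir of pkgDirs) {
      const hit = checkPackage(dir);
      if (hit) findings.push(hit);
      findings.push(...scanNodeModules(dir)); // nested dependencies
    }
  }
  return findings;
}

// Run only when a project path is given: node scan.js /path/to/project
if (process.argv[2]) console.log(JSON.stringify(scanNodeModules(process.argv[2]), null, 2));
```

An empty result only says the indicators are absent from the tree as it is now; it does not show that nothing ran at install time, so the rotation steps in the advisory still apply to hosts that installed in the stated window.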



This Week In React 280 ⚛️ - TanStack - Remotion - React Router - Remix - Trees - Pracht - shadcn 📱 - Expo Go - Ease - Screen Transitions - LegendList - JSI - Gradle - Radon - AI - DevTools 🍿 Read/subscribe: thisweekinreact.com/newsletter/280 ✍️ @jaworek3211 & I


Node.js v26.0.0 is out 💚 Temporal API enabled by default, V8 14.6, Undici 8, and key deprecations as we keep modernizing the platform. Check it out nodejs.org/en/blog/releas…

This Week In React 279: ⚛️ - React Compiler - TSRX - StyleX - TanStack - XState - shadcn - Hook Form - Inertia 📱 - Swift Package Manager - JSI - SimCam - Enriched Markdown - MLX - Jail Monkey 🍿 Read/subscribe: thisweekinreact.com/newsletter/279 ✍️ @kacperkapusciak @Konrad_Armatys

This Week In React 278 ⚛️ - React Email - TSRX - ESLint plugin - Rspack RSC - TanStack Store - TanStack Blog - Hook Form 📱 - Vision Camera - Expo - Nano Icons - ExecuTorch - Argent - Audio API - RNSec - CSS 🍿 Read/subscribe: thisweekinreact.com/newsletter/278 ✍️ @piaskowyk @f_solecki

This Week In React 277 - Exciting week 🤩 ⚛️ - TanStack RSC - React2Dos - Next.js - MUI - BaseUI - StyledComp - React Aria - Storm - Unhead 📱 - Pulsar - Nitro Fetch - Agent React Devtools - Pretext - Metro - Voltra 🍿 Read/subscribe: thisweekinreact.com/newsletter/277 ✍️ @jaworek3211

I rarely get any replies to my newsletter emails Once in a while, I get one that really makes me happy 😊 If you like something, please be loud about it! Authors will appreciate it more than you think

This Week In React 276 ⚛️ - Boneyard - Ink - MUI - React Router - Next.js - shadcn - Docusaurus - Comark - Forms - Shaders 📱 - RN 0.85 - ViewTransition - Skia - Windows - CRNL - Maestro - Nitro Player - RNGH 🍿 Read/subscribe: thisweekinreact.com/newsletter/276 ✍️ @jaworek3211 & I




👀 Sneak peek of TanStack Start RSC from @tannerlinsley at React Paris
I'm sold on the vision:
- flexible primitives, composable
- looks more lib than fwk, unopinionated
- opt-in incrementally
- composite components => no 'use client' directive
- no Server Actions, on purpose



👀 React / JS / TS trick
Use symbols instead of null/undefined to represent missing values
This React provider example:
- makes it possible to provide "null"
- still checks that the user didn't forget the <Provider>
There are cases where "null" is a perfectly valid ctx value

This Week In React 273 ⚛️ - RedwoodSDK - Next.js - TanStack - RSC - Async React - SSR perf - Base UI - AI 📱 - Expo UI / APIs - Ease - Keyboard - Flow type stripping - DnD - AI 🍿 Read/subscribe: thisweekinreact.com/newsletter/273 ✍️ @jaworek3211 & I