🎊 npm v12 blocks postinstall scripts by default
You should celebrate :) even if you don't use npm
Surprisingly, this also improves supply chain security for pnpm, Yarn, Bun and other ecosystems such as PyPI => it reduces the ability for npm / multi-ecosystem worms to spread
JS devs - Time to celebrate 🎊 🥂
All modern package managers will block postinstall scripts by default:
📦 npm v12 🆕
📦 pnpm 10
📦 Yarn 4.14
📦 Bun
📦 Deno
📦 Aube
This doesn't solve everything, but should greatly reduce the ability for supply chain worms to spread
This Week In React retweeted
👀 React Compiler in Rust - Exciting update from @rickyfm
TLDR:
- Rust compiler ➡️ 99.9% the same output as the original
- Confident ➡️ merge the PR within the next weeks
- Can be tested locally
The Oxc team is already working on an integration (draft PR)
React Compiler: Rust edition is coming soon. We've ported the majority of the passes using AI. When the initial port finishes we'll do some updates to get the code in a state we're happy to maintain, then extensive testing and look at performance. More to come soon
This Week In React retweeted
This Week In React 283 ⚛️ - TanStack Query / Router / Virtual - RSC composition - Perf: GitHub & Linear - Liquid DOM - Apollo - i18n 📱 - Expo SDK 56 - Reanimated - Worklets - NativeScript - Strict DOM - Standard Nav 🍿 Read: thisweekinreact.com/newslett… ✍️ @jaworek3211 & I
Major milestone for the npm ecosystem All widely used package managers will soon block postinstall scripts by default!
❤️ npm Supply chain security => improving now! 🤩
📦 npm v11.16 - Phase 1 - PR merged
- package.allowScripts = []
- Warns on unapproved postinstall script
📦 npm v12.0 - Phase 2 - Upcoming PR 👀
- Blocks unapproved postinstall scripts by default 🚀
Another newsletter about security 😅
This Week In React 282 ⚛️ - Security - Fate - TanStack - Redux - Base UI - Relay - Storybook - Jotai 📱 - Hermes-node - Expo - Rozenite - Harness - VR - Nitro - Skia - Redraw 🍿 Read: thisweekinreact.com/newslett… ✍️ @jaworek3211 & I
This Week In React retweeted
💡 Use "using" for Vitest/Jest mocks/spies
It's really nice to simplify
You don't need manual mockReset / global afterEach
ECMAScript excitement 😉 Congrats to @rbuckton on meeting the conditions for Explicit Resource Management to be Stage 4 at @TC39 today 🎉 It introduces `using` declarations and the Symbol.dispose protocol to deterministically and ergonomically release resources 👍
This Week In React retweeted
Erratum: you'd rather EXPLICITLY disable caching in sensitive workflows using setup-node
TL;DR for open-source maintainers
🚫 NEVER use "pull_request_target" workflows
🚫 NEVER use shared caches in your publish pipeline
Combining these 2 in particular is extremely dangerous
I've repeated this countless times over the years, but another reminder is always useful
Security is making headlines this week 😅 But we also have a lot of exciting releases!
This Week In React 281 ⚛️ - Next.js CVE - TanStack Router compromise - Security - Redact - React Router - Waku - HTML Parser 📱 - Redraw - Expo 56 beta - Tabs - Screens - Pressable - Activity - Strict DOM - Rock - SWC - AI 🍿 Read: thisweekinreact.com/newslett… ✍️ @jaworek3211 & I
These orgs have been compromised because of pull_request_target:
- TanStack
- PostHog
- Nx
- LiteLLM
And many more...
As safe as you think it is, it's not and hackers are searching for repos using that workflow, easy target!
This Week In React retweeted
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/router/i…
Credit to the security researcher for responsible disclosure.
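The advisory's detection hint is a dependency that npm resolves from git rather than the registry, which is what lets a prepare script run at install time. The script below is an added example (not TanStack's or npm's code) that walks a tree of package.json files and flags every git-resolved dependency spec; the sample manifest and its commit hash are constructed placeholders, not the real indicator.

```python
from __future__ import annotations

import json
import os
import re

# Dependency specs npm resolves from git instead of the registry:
# "github:owner/repo#ref", "git+https://...", "git://...", and the
# bare "owner/repo#ref" GitHub shorthand. Git-resolved deps run their
# "prepare" script on install, the delivery path the advisory describes.
GIT_SPEC = re.compile(r"^(?:github:|gitlab:|bitbucket:|git\+|git://|[\w.-]+/[\w.-]+(?:#.*)?$)")
DEP_FIELDS = ("dependencies", "optionalDependencies", "devDependencies")


def git_resolved_deps(manifest: dict) -> list[tuple[str, str, str]]:
    """Return (field, name, spec) for every dependency that resolves via git."""
    hits = []
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            if isinstance(spec, str) and GIT_SPEC.match(spec):
                hits.append((field, name, spec))
    return hits


def scan_tree(root: str) -> dict[str, list[tuple[str, str, str]]]:
    """Walk node_modules (or any tree) and report manifests with git-resolved deps."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it, keep scanning the rest
        hits = git_resolved_deps(manifest)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample shaped like the indicator above; the ref is a placeholder.
SAMPLE_MALICIOUS = {
    "name": "@tanstack/example",
    "optionalDependencies": {"@tanstack/setup": "github:tanstack/router#PLACEHOLDER_SHA"},
}
SAMPLE_CLEAN = {"name": "clean-pkg", "dependencies": {"react": "^19.0.0"}}

if __name__ == "__main__":
    for path, hits in scan_tree("node_modules").items():
        for field, name, spec in hits:
            print(f"{path}: {field}.{name} -> {spec}")
```

Run it from a project root after a suspect install; a hit does not prove compromise on its own, but any git-resolved dependency appearing in a published registry package deserves a look.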
This Week In React retweeted
This Week In React 280 ⚛️ - TanStack - Remotion - React Router - Remix - Trees - Pracht - shadcn 📱 - Expo Go - Ease - Screen Transitions - LegendList - JSI - Gradle - Radon - AI - DevTools 🍿 Read/subscribe: thisweekinreact.com/newslett… ✍️ @jaworek3211 & I
Email sent!
This Week In React retweeted
Node.js 26 🎉
🔥 Temporal ➡️ modern date/time API
⚡️ Undici 8 ➡️ better/faster HTTP client
🔓 V8 14.6 ➡️ Unlocks Map.getOrInsert() & Iterator.concat
Node.js v26.0.0 is out 💚 Temporal API enabled by default, V8 14.6, Undici 8, and key deprecations as we keep modernizing the platform. Check it out nodejs.org/en/blog/release/v…
This Week In React retweeted
HTML-in-canvas is now a first-class primitive in Remotion! It enables new types of effects that were impossible before.
Calm week for the React ecosystem, but still a few interesting releases Thanks to @swmansion for handling this issue!
This Week In React 279: ⚛️ - React Compiler - TSRX - StyleX - TanStack - XState - shadcn - Hook Form - Inertia 📱 - Swift Package Manager - JSI - SimCam - Enriched Markdown - MLX - Jail Monkey 🍿 Read/subscribe: thisweekinreact.com/newslett… ✍️ @kacperkapusciak @Konrad_Armatys
Check your inbox! 😋
This Week In React 278 ⚛️ - React Email - TSRX - ESLint plugin - Rspack RSC - TanStack Store - TanStack Blog - Hook Form 📱 - Vision Camera - Expo - Nano Icons - ExecuTorch - Argent - Audio API - RNSec - CSS 🍿 Read/subscribe: thisweekinreact.com/newslett… ✍️ @piaskowyk @f_solecki
Lots of interesting releases this week! For both React and RN
This Week In React 277 - Exciting week 🤩 ⚛️ - TanStack RSC - React2Dos - Next.js - MUI - BaseUI - StyledComp - React Aria - Storm - Unhead 📱 - Pulsar - Nitro Fetch - Agent React Devtools - Pretext - Metro - Voltra 🍿 Read/subscribe: thisweekinreact.com/newslett… ✍️ @jaworek3211
New React CVE just dropped 😆
DoS vulnerability in Server Functions
Patched versions already out:
- 19.0.5
- 19.1.6
- 19.2.5
We are always happy to receive positive newsletter feedback! Please send us more and tell us what you think! Also tell us what we could do better, we are here to serve you.
I rarely get any replies to my newsletter emails Once in a while, I get one that really makes me happy 😊 If you like something, please be loud about it! Authors will appreciate it more than you think
Email sent ✅ New React Native release And many little React / RN library updates
This Week In React 276 ⚛️ - Boneyard - Ink - MUI - React Router - Next.js - shadcn - Docusaurus - Comark - Forms - Shaders 📱 - RN 0.85 - ViewTransition - Skia - Windows - CRNL - Maestro - Nitro Player - RNGH 🍿 Read/subscribe: thisweekinreact.com/newslett… ✍️ @jaworek3211 & I