本周 React #262: React2Shell, Fate | React Native 0.83, Reanimated 4.2, RN 状态 | CSS, Temporal
Source: Dev.to
Hi everyone!
React Server Components vulnerability
In case you missed my email, a 10.0‑scored vulnerability affecting React Server Components was unveiled last week. It enables unauthenticated remote code execution with a simple HTTP request, affecting many meta‑frameworks and custom setups, especially Next.js (v14‑canary, v15, v16). If your app is affected, you really need to upgrade now!
Although no exploit was initially shared, researchers quickly reverse‑engineered the patch, and an exploit has been circulating online only ~30 hours after disclosure. Hackers are already exploiting it at scale, and there are even browser extensions to detect and exploit vulnerable sites.
Helpful links
- 🐦 Vercel CEO Guillermo Rauch explains how the exploit works
- 👀 React PR – Patch FlightReplyServer with fixes from ReactFlightClient
- 📜 Red Herrings and AI Slop: Debunking React2Shell Misinformation
- 📜 Cloudflare outage on December 5, 2025 (due to mitigation measures)
- 🔐 Next.js Security Advisory (CVE‑2025‑66478) – includes a command‑line tool to help patch your Next.js app. Also see the Vercel Security Bulletin.
- 📦 Original Proof‑of‑Concepts for React2Shell
- 🎥 Theo – “React got hacked. It’s really, really bad”
- 🐦 React Fiber explained (thread)
- 🗓 React Paris 2026 – 26 & 27 March, with speakers including Una Kravets, Gabriel Pichot, and Kitze. Use code TWIR for a 10 % discount.
- 📜 React 19.2 – Further Advances in INP Optimization
- 📜 Skeletons in My Codebase: TanStack in Production
- 📜 Do’s and Don’ts of
useEffectEventin React - 📜 TanStack Start: New competitor to Next.js
- 📜 Bundle Size Investigation: A Step‑by‑Step Guide to Shrinking Your JavaScript
- 📜 Reatom – State Management That Grows With You
- 📜 React Elements, Children as Props, and Re‑Renders
- 📜 Controlled vs Uncontrolled Components in React
React Native 0.83 and Reanimated 4.2
It’s hotter than ever on the React Native side. After a patient wait, React Native 0.83 is now released. You can now use the new “ component. In addition, Reanimated 4.2 ships with Shared Elements Transition support.
Surveys
Don’t forget to answer the two most important surveys that are currently open:
Fate alpha
- 📦 Fate alpha – A modern data client for React & tRPC – A new declarative data‑fetching and state‑management solution for React, created by former Meta employee Christoph Nakazawa. Inspired by Relay, it offers state co‑location, data normalization, view composition, and data masking without requiring GraphQL.
TanStack AI Alpha
- 📦 TanStack AI Alpha – TanStack’s new AI package is framework, language, and service agnostic. The official intro is brief, but this community article compares it to the Vercel AI SDK. It should integrate well with TanStack Start and includes a headless chat UI library. Watch the walkthrough video from creator Alem Tuzlak.
React Grab for Agents
- 📦 React Grab for Agents – Allows you to assign concurrent UI‑related tasks to AI agents directly from your browser. The tool automatically shares the right context (file path, component stack, etc.) so the agents understand your intent without losing track.