📜 Launching the first ever State of Devs survey

📜 Securing Your GitHub Actions

📜 An Introduction to JavaScript Bundler Rspack

📦 tsdown - The Elegant Library Bundler - Powered by Rolldown

📦 Node 22.15

🔐 React Router vulnerabilities and v7.5.2 fixes: React Router v7 has 2 important security vulnerabilities that could lead to DOS and XSS attacks. They have been fixed in the latest v7.5.2 release. Various cloud providers have deployed a mitigation already (Vercel, Netlify, Cloudflare), but it remains useful to upgrade.

👀 Next.js Docs PR - Remove Vercel mentions: The Next.js docs should now be less biased toward Vercel, and include its competitors more fairly. Personally, I think there's nothing wrong with offering your OSS software to the community and using it as a marketing vector for your paid offer (this is how many OSS projects become sustainable). Even for a larger company like Vercel, it's fair play to do that, but probably necessary to restore the broken trust with some of you.. A reminder that Vercel is not “taking over” the React team, and various client-side-only React Labs features announced last week are implemented by Vercel employees (such as <ViewTransition>).

👀 Vite RSC Plan: A Vite contributor is taking over the development of an upcoming react-server-dom-vite package. Many integration PRs have been sent to frameworks like Waku or RedwoodSDK.

📜 What Does "use client" Do?: Dan Abramov explains RSCs have no API surfaces. The directives are module system features that open doors between 2 worlds and could even make sense beyond React. Speaking of Dan, he just re-launched his YouTube channel, in case you want him to walk you through his blog posts.

📜 You can serialize a promise in React: A great interactive article that explains how React is able to forward a Promise from the server to the client through a stream. To do so, it re-creates a tiny version of this mechanism.

📜 React Internals: Which useEffect runs first?: A good reminder that useEffect callbacks run bottom-up, from the deepest child to the root (unless you use <Activity>, but that’s a story for another time 🙈).

📜 Concurrent Optimistic Updates in React Query: Dominik shares interesting patterns to avoid displaying an inconsistent UI when using React Query with concurrent mutations and optimistic updates. Tip: only call invalidateQueries() when there’s a single in-flight mutation.

📜 Parents & Owners in React: Context Providers: Explains the difference between parent and owner components. By restructuring the owner tree without changing the parent tree, we create more targeted “units of update”.

📜 From Next.js to Astro: A Page Size Comparison: A quite fair numbers comparison after porting a small static Next.js site to Astro, reducing bundle size.

📜 Per-Route Documents in RedwoodSDK: Total Control Over Your HTML

📜 React-admin With Shadcn UI

📦 React MCP Server (experimental): It’s in the React repo, but for now, it’s just a one-person fun experiment by Lauren (React Compiler team).

📦 Radix UI 1.3 - OneTimePasswordField: In case you missed it (we did!), there’s now a radix-ui package to consolidate all Radix primitives under a single roof (instead of @radix-ui/* imports). It’s likely that shadcn/ui will adopt it and provide a codemod in the future.

📦 Storybook 9 beta: The new version is now feature complete, with a good focus on testing (components, interaction, accessibility, visual tests). The tag-based organization should help improve UX. Also includes first-class support for React Native Web.

📦 Lexical 0.31 - Extensible text editor with React bindings

📦 Frimousse - A lightweight, unstyled, and composable emoji picker for React