React Status #454: Critical RSC Vulnerability, Vite 8 Beta, and Performance Insights


React Status #454 features a critical security alert for React Server Components, the launch of Vite 8 Beta, new React Router RSC support, and performance insights.

Welcome to React Status #454, published on December 3, 2025. You can read this issue on the web.

⚠️ Critical Security Vulnerability Discovered in React Server Components

Breaking news from the React team affects anyone whose application supports React Server Components (RSCs), even if they are not actively using them. Versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack are susceptible to a remote code execution vulnerability. An immediate upgrade is required.

However, the React team clarifies: "if your app's React code does not use a server, your app is not affected by this vulnerability."

💡 As part of this disclosure, React 19.0.1, 19.1.2, and 19.2.1 have just been released.

The React Team

Ship High-Performance React Apps

Join Steve Kinney for this comprehensive video course on React performance. You'll delve into hydration, suspense, resource loading, server actions, and more, gaining the expertise to build applications that are both fast and responsive.

Frontend Masters (Sponsor)

Vite 8 Beta: The Rolldown-Powered Vite

The first beta of Vite 8, now powered by Rolldown, is here. It promises significantly faster production builds and establishes a robust platform for future extensions of Vite.

VoidZero Inc.

React Router's Take on React Server Components

Kent C. Dodds shares: "Did you know React Router is adding React Server Components support? It's still experimental, but it's very close to landing, and I think React Router's take on RSC is really great. Here's what you need to know."

Kent C. Dodds

📄 The State of TanStack, Two Years of Full-Time OSS

Tanner Linsley narrates the journey of building one of the most successful families of open-source libraries in the community today.

Tanner Linsley

📺 It's Not New: How 'The New Architecture' Unlocks React Native's Future

It's no longer just 'new'; it's the way forward, explains a React Native core team member.

Cipolleschi and Chludziński

📄 Taking Down Next.js Servers for 0.0001 Cents a Pop

An explanation of a previously patched attack; upgrading to Next.js 15.5.5 or 16+ resolves the issue.

Alex Browne

📄 Next.js 16: What's New for Authentication and Authorization

Will Johnson (Auth0)

📄 Designing Design Systems

Dominik Dorfmeister


🛠️ Code, Tools & Libraries

🔒 Better Auth: A Comprehensive Authentication Framework

An authentication and authorization framework offering email/password-based auth, OAuth and social sign-in, account/session management, 2FA, and more. Version 1.4 was just released, introducing stateless/database-free session management support.

Better Auth

react-native-quick-crypto 1.0: Node's crypto For React Native

A swift implementation of Node's Crypto module, written in C/C++ JSI, designed for fast cryptography functions within React Native applications.

Margelo GmbH

Tuple - The Fastest Way to Review AI Slop

Wasting hours debugging AI-generated code? Tuple facilitates team collaboration to identify, refine, and ship your code more efficiently.

Tuple (Sponsor)

📸 React Web Camera: A Component for Capturing Multiple Photos Directly From the Browser

This component enhances the user experience by allowing multiple captures without needing to reopen the camera. It offers seamless integration with your app via custom styling. A demo is available.

shivantra

Docs: A React-Powered Collaborative Writing Environment

Developed through a collaboration between the French and German governments, Docs is a feature-rich collaborative note-taking, wiki, and documentation application built upon React, Django, and BlockNote. GitHub repository.

The Government of France

🗓️ FullCalendar: A Full-Sized JavaScript Calendar Control

Integrate a Google Calendar-style experience into your own applications. It provides connectors for React, Vue, and Angular, but can also be used with plain JavaScript. The base version is MIT licensed, with a commercial version available for additional features.

Adam Shaw

Custom React Directives (a.k.a. useNemo)

Custom directives are becoming increasingly popular; why not join the trend and create your own? 😅

Adem Kouki

📊 React Spectrum Charts v1.22.0

Adobe's declarative charting library for composing accessible, Spectrum-styled data visualizations.

React Markdown Editor v4.0.10

A simple Markdown editor component featuring preview and syntax highlighting support. Demos are available.

markdown-to-jsx v9.3.0

A customizable toolchain for converting Markdown to JSX.

React Uploady 1.13

Components and hooks for file uploading.

Berry v51.0

A Material UI admin dashboard template for React.

Reactylon 3.5

A Babylon.js-powered XR framework for React.

React Three Fiber 9.4.2

A React renderer for Three.js.

Prettier 3.7

The popular opinionated code formatter.

Preact 10.28.0

The fast, tiny alternative to React.


📢 Elsewhere in the Ecosystem

Anthropic Acquires Company Behind Bun

Anthropic, renowned for its Claude large language models, has acquired the company behind Bun, the server-side JavaScript runtime. Jarred Sumner, Bun's creator, provides a thorough account, emphasizing that Bun remains as open as ever.

Electron Enters 'Quiet Month'

The Electron project has initiated a 'quiet month' to allow maintainers a period of rest before resuming full activity in January. The post also includes a review of Electron's developments in 2025.

Node 24 LTS Now Available on Vercel

Node 24 LTS is now available for builds and functions on Vercel.

DepX's Badge Generator

DepX offers a graphical badge generator that you can embed in your README or project site to visually indicate the number of dependencies your npm package has.

