Critical vulnerabilities in React and Next.js

#535 – December 07, 2025

Critical vulnerabilities in React and Next.js
3 minutes by Gili Tikochinski

Two critical vulnerabilities in React Server Components allow attackers to execute code remotely on servers without authentication. Standard Next.js apps created with default settings are vulnerable and can be exploited with just a crafted web request. The flaws affect 39% of cloud environments according to Wiz Research data. Immediate patching is required as hardened versions are now available.

Tests are dead. Meticulous AI is here.
sponsored by Meticulous

Meticulous automatically creates and maintains an exhaustive e2e UI test suite that covers every corner of your application – with no developer intervention required whatsoever. Dropbox, Lattice, Bilt Rewards and hundreds of organisations rely on Meticulous for their frontend testing. It is built from the Chromium level up with a deterministic scheduling engine – making it the only testing tool that eliminates flakes.

Building a design system in 2026
8 minutes by Kolby Sisk

Design systems help teams create consistent products by providing shared guidelines, components, and standards. However, building custom component libraries creates maintenance headaches and slows development. Kolby recommends starting with an open-source component library like Mantine, then adding a design language, Figma library, and custom theme. This approach reduces friction while maintaining consistency across products.

React has changed, your hooks should too
5 minutes by Matt Smith

Most developers still use React hooks like simple replacements for old class methods, but they're actually a design system for better app structure. The biggest mistake is overusing useEffect for everything when it should only handle actual side effects like network calls. Modern React offers better tools like useSyncExternalStore for subscriptions and useDeferredValue for smooth user interfaces. Custom hooks should focus on separating business logic from UI components, making code cleaner and easier to test.

Without the blue bar
17 minutes by Francisco Miranda

Francisco recreated GitHub's repository view using streaming technology to eliminate loading delays and blue progress bars. The new version renders content on the server and streams it to users piece by piece, keeping the browser's native search working while dramatically improving speed. Using React Server Components and CSS tricks instead of heavy JavaScript, the interface feels instant and app-like while remaining standard web technology.

Create a copy as markdown button for MDX documentation site
10 minutes by Aman Mittal

Aman explains how to add a “copy as markdown” feature to an MDX-based documentation site. MDX pages often include dynamic components, so the raw files cannot be copied directly. The solution is to fetch the original MDX, remove imports, expand scenes, convert custom components, and render API sections into plain Markdown. The process uses a step-by-step conversion pipeline that can be adapted for any documentation site.

Multi-agent engineering for professionals, not vibe coders
sponsored by Tonkotsu

Tonkotsu lets you delegate structured tasks to multiple coding agents and get disciplined, review-ready output. No meandering chats — just parallel execution, clean diffs, and tight feedback loops. It’s how serious developers run AI at scale. Free usage during our early access period.
