Lessons learned from React's vulnerabilities

#537 – December 21, 2025

Hello, 👋

This is the last issue in 2025. We'll take a short break over Christmas to recharge and will be back on the first Monday in January. Thank you so much for your support and your lovely feedback. I have a lot to go through from the survey and figure out what to bring into the newsletter.

Lastly, I'd like to ask you to share the newsletter with your tech friends and colleagues. It helps heaps.

Lessons learned from React's vulnerabilities
6 minutes by Sosthène Guédon

In the last few weeks, three vulnerabilities were found in the React web application framework. The first, a server-side remote code execution, is the worst a vulnerability can get for a web framework. The other two, a denial of service and a source code exposure, are much less dangerous, yet still impactful. Sosthène explores mitigations that could have been applied ahead of time to prevent these vulnerabilities or at least limit their severity.

Tests are dead. Meticulous AI is here.
sponsored by Meticulous

Meticulous automatically creates and maintains an exhaustive e2e UI test suite that covers every corner of your application – with no developer intervention required whatsoever. Dropbox, Lattice, Bilt Rewards and hundreds of organisations rely on Meticulous for their frontend testing. It is built from the Chromium level up with a deterministic scheduling engine – making it the only testing tool that eliminates flakes.

You might not need an effect
22 minutes by React team

React effects let you sync components with external systems like APIs or browser features. However, you often don't need them. Avoid effects when transforming data for rendering or handling user events. Instead, calculate values during rendering and handle events in event handlers. This makes your code faster and simpler.

Introducing React Server Components explorer
7 minutes by Dan Abramov

Dan created RSC Explorer, a browser-based tool that demonstrates how React Server Components work under the hood. The tool shows the RSC protocol in action, revealing how React serializes and sends component trees over the network instead of just HTML. Users can step through examples to see streaming, server actions, and how components maintain state during server updates.

React compiler’s silent failures and how to fix them
7 minutes by Marjan Taghipour

React compiler eliminates the need for manual memoization in React apps, which saves mental energy and improves code clarity. However, it fails silently when it can't optimize components, which can hurt performance in critical areas. Marjan recommends using an undocumented ESLint rule called "react-hooks/todo" to catch compilation failures and break builds when needed.

Intro to performance of React Server Components
13 minutes by Nadia Makarevich

React Server Components promise better performance by moving work to the server and shipping less JavaScript. An investigation comparing different React rendering approaches shows Server Components can significantly improve initial load times. The best results came from Next.js with server-side data fetching, reducing load times from over 4 seconds to around 1.3 seconds.

And the most popular article from the last issue was:

Happy holidays!
Jakub