#557 – May 17, 2026
optimising 60KB before any app code runs
Projecting React
15 minutes by Tanner Linsley
React is around 60 KB before any app code runs. Tanner explores building a smaller alternative shaped to exactly what TanStack Start needs, dropping unused features like concurrent rendering while keeping core hooks, Suspense, and SSR streaming. The result is roughly 85% smaller than stock React, with faster render speeds and a third less JavaScript shipped on a real personal site, at the cost of one day of AI-assisted work.
From React to native web with nanotags: A migration that saved 100 KB
13 minutes by Pavel Grinchenko, Travis Turner
Pavel describes migrating a marketing site from React to native Web Components using Astro and nanostores. The migration reduced JavaScript by 100 KB without losing functionality or accessibility. He explains why Web Components worked well for a mostly static site, the challenges of writing them directly, and how those challenges led to creating nanotags, a lightweight library that simplifies reactive, accessible, and type-safe Web Components.
The React2Shell story
18 minutes by Lachlan Davidson
Lachlan discovered a critical remote code execution vulnerability in React while trying to understand its "Flight" protocol. The protocol's loose property lookup allowed crafting malicious objects that could trick React into executing arbitrary code. After days of sleep-deprived research, he had a working exploit against any default Next.js app. Meta was notified and patched the issue within days.
Five models, one React stack: Why every LLM builds the same app
13 minutes by Sascha Becker
AI coding assistants almost always suggest the same frontend stack: React, Tailwind CSS, and shadcn/ui. This happens because these tools dominate the training data, and their design makes them easy for language models to generate correctly. The pattern feeds itself: AI output goes back to GitHub, future models train on it, and the same defaults get stronger. Developers who never question the output may never learn other options exist.
Postmortem: TanStack npm supply-chain compromise
11 minutes by Tanner Linsley
An attacker chained three vulnerabilities to publish malicious versions of 42 TanStack npm packages on May 11, 2026. They poisoned the GitHub Actions build cache through a fake pull request, then extracted an authentication token from memory to publish directly to npm without stealing any credentials. The malicious packages harvested AWS, GCP, Kubernetes, and other secrets from any machine that ran npm install. All 84 affected versions were caught and deprecated within about 30 minutes thanks to an external researcher.
And the most popular article from the last issue was: