/
Published on 28.01.2026
TLDR: Firefox 147 ships CSS anchor positioning by default, view transition types for SPAs, the Navigation API, Brotli compression for streams, and service workers as ES modules - arguably the biggest Firefox release in years.
Summary:
Firefox has been cooking, and version 147 is a feast. Let's start with the headline: CSS anchor positioning is now enabled by default. This is the feature that lets you position elements relative to other elements without JavaScript gymnastics. The anchor-center value provides convenient centering, and position-anchor: none lets you break implicit associations.
View transition types for single-page applications are also shipping. This mechanism lets you specify different transition types and apply CSS animations based on that type. It's the building block for smooth page transitions that feel native.
The Navigation API landing is significant for SPA developers. This successor to the History API provides proper navigation interception and management, solving longstanding pain points that the History API never quite addressed. If you've ever fought with popstate events, this is for you.
Other highlights: SVG media fragments support (display specific areas or animation segments), Brotli compression for CompressionStream and DecompressionStream, service workers as ES modules (finally!), CSS module scripts for importing stylesheets as CSSStyleSheet instances, and relative length units based on the root element's font (rcap, rch, rex, ric).
The DevTools improvements are also noteworthy: view transition pseudo-elements appear in the elements view, animations show in the animation panel, and anchor-name badges help visualize positioning relationships.
Key takeaways:
Link: Firefox 147 release notes for developers
TLDR: Multiple high-severity denial-of-service vulnerabilities in React Server Components allow server crashes, OOM exceptions, and excessive CPU usage through crafted HTTP requests - immediate upgrades required for React 19.x and Next.js 13-16.
Summary:
This is a security patch you need to apply immediately. CVE-2026-23864 addresses multiple denial-of-service vulnerabilities in React Server Components with a CVSS score of 7.5. The good news: no remote code execution. The bad news: attackers can crash your servers.
The vulnerabilities are triggered by specially crafted HTTP requests to Server Function endpoints. Depending on the code path, you could see server crashes, out-of-memory exceptions, or excessive CPU usage. All three are production nightmares.
Affected packages include react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack in versions 19.0.x, 19.1.x, and 19.2.x. This affects Next.js 13.x through 16.x and other frameworks embedding RSC implementation like Vite, Parcel, React Router, RedwoodSDK, and Waku.
Vercel has deployed WAF rules to protect hosted projects automatically, but they explicitly state: do not rely on the WAF for full protection. Upgrade now.
Fixed versions: React 19.0.4, 19.1.5, 19.2.4. Next.js has patches across all affected major versions - check the changelog for your specific version line.
Key takeaways:
Link: Summary of CVE-2026-23864
TLDR: Turbopack's incremental architecture uses automatic dependency tracking with "value cells" to achieve fine-grained caching, avoiding manual graph population that's prone to human error - and it now persists to disk.
Summary:
How do you make a bundler fast? Build less. That's the philosophy behind Turbopack's incremental computation architecture, and this deep dive explains how it works.
Traditional build systems like GNU Make use explicit dependency graphs that must be manually populated. This approach leaves room for errors and typically operates at file-level granularity. Turbopack takes a different approach: automatic tracking of function calls and their dependencies.
The core concept is "value cells" - fine-grained pieces of execution, like cells in a spreadsheet. When a function reads a cell, Turbopack records that dependency automatically. This is similar to signals in frameworks like SolidJS. By only marking cells as dependencies when they're actually read, Turbopack achieves finer-grained caching than top-down memoization would provide.
When source files change, Turbopack marks dependent functions as "dirty" and propagates changes up the graph. Cell updates are skipped if contents are equal - so if a transformation produces the same output, downstream work is avoided.
The aggregation graph is clever: because fine-grained caching can create millions of intermediate results, Turbopack maintains a parallel data structure that summarizes portions of the dependency graph for efficient queries about errors, warnings, or completion status.
The big news: file system caching is now stable and on-by-default in Next.js 16.1. The in-memory cache persists to disk, so next dev can resume from a warm cache across restarts.
Key takeaways:
Tradeoffs:
Link: Inside Turbopack: Building Faster by Building Less
TLDR: Expo SDK 55 brings React Native 0.83.1 with React 19.2.0, completely removes Legacy Architecture support, introduces Hermes v1, bytecode diffing for 75% smaller updates, and a redesigned default template.
Summary:
The Expo SDK 55 beta is here with substantial changes. First, the breaking news: Legacy Architecture support is completely gone. The newArchEnabled config option has been removed - if you haven't migrated to the New Architecture, now's the time.
The default template gets a redesign focused on native platform conventions. Native Tabs API provides platform-native tab experiences, and the new /src folder structure separates application code from configuration files.
Hermes v1 represents a major step forward for the JavaScript engine with meaningful performance improvements and better support for modern JavaScript features like ES6 classes and async/await. There's a catch: using Hermes v1 in SDK 55 requires building React Native from source, which significantly increases build times.
The bytecode diffing feature is impressive. Instead of downloading complete Hermes bytecode files for updates, the expo-updates client can apply binary patches. The estimated result: approximately 75% reduction in download times. This is opt-in for SDK 55 and becomes default in SDK 56.
Other highlights: Expo MCP server now supports CLI actions, official AI agent skills repository for Claude Code, new Colors API for Material 3 dynamic styles, Apple Zoom transitions for interactive shared element animations, experimental SplitView support, and improved brownfield integration with the new expo-brownfield package.
Package versioning also changes: all Expo SDK packages now use the same major version as the SDK. expo-camera for SDK 55 is ^55.0.0.
Key takeaways:
Tradeoffs:
Link: Expo SDK 55 Beta is now available
TLDR: Node.js 25.5.0 streamlines Single Executable Application building with a new --build-sea flag, adds an ignore option to fs.watch, enables SQLite defensive mode by default, and supports expecting test cases to fail.
Summary:
The headline feature in Node.js 25.5.0 is the streamlined SEA (Single Executable Application) building process. Previously, generating an SEA required copying the executable, generating a preparation blob with --experimental-sea-config, and injecting the blob using postject. The new --build-sea flag consolidates this into a single step.
The simplicity is striking: write your JavaScript, create a minimal config JSON, run node --build-sea sea-config.json, and you have a standalone executable. The old postject-based process is maintained for backward compatibility for now.
Other notable additions: fs.watch gets an ignore option for filtering which changes trigger callbacks. SQLite defensive mode is enabled by default, which helps prevent accidental corruption from application bugs. The test runner now supports expecting a test case to fail - useful for documenting known issues or testing error conditions.
Under the hood: root certificates updated to NSS 3.119, LIEF added as a dependency to support the new SEA workflow, and SQLite's prepare options now accept additional arguments.
The release also includes typical maintenance: npm upgraded to 11.8.0, ICU updated to 78.2, SQLite to 3.51.2, and various bug fixes across the codebase.
Key takeaways:
Link: Node.js 25.5.0 (Current)
TLDR: Lynn Fisher's annual portfolio refresh explores what happens when you try to resize a fixed-width website - it stretches like elastic and bounces back, creating a playful commentary on responsive design's evolution.
Summary:
Lynn Fisher's annual portfolio refresh is always a creative exploration, and 2025 doesn't disappoint. The concept: what if you tried to resize a fixed-width website, but instead of the content reflowing, it just... stretched? Like taffy.
The technical implementation is elegant. A ResizeObserver tracks window width changes, calculates the scale factor based on the fixed content width (436px), and applies a CSS transform. The math: scaleX = ((newWidth - windowWidth) / appWidth + 1). When you stop resizing, a timeout resets the transform with a playful bounce transition.
The details matter: Math.max() prevents negative scale values that would flip the content horizontally, the bounce uses a custom cubic-bezier timing function, and the fixed width of 436px was chosen because most desktop browsers can't resize below 500px anyway.
The visual design draws from printed paperback books - subtle paper texture in light mode, light dust in dark mode. Chapter-style headers on internal pages. The fonts Hubano Rough and Sydonia Atramentiqua reinforce the printed aesthetic.
There's a lovely accessibility detail buried in here: because the site nav is at the bottom of internal pages, the skip link skips to the nav instead of past it. The focus states for inline links required some clever CSS layering to prevent box-shadow from bleeding through the outline.
This is Lynn Fisher's 19th annual refresh, with the 20th coming in 2026. The post reflects on what changes when you know a design won't persist - it frees you from worry but also limits ambition.
Key takeaways:
Link: Case Study: lynnandtonic.com 2025 refresh
TLDR: Nuxt 4.3 brings route rule layouts, ISR/SWR payload extraction, layout props with setPageLayout, a #server alias, draggable error overlay, and significant performance improvements - plus extended v3 support through July 2026.
Summary:
Nuxt 4.3 is packed with quality-of-life improvements. The extended v3 support announcement is welcome news: instead of January 31, 2026, Nuxt v3 will receive security updates and critical fixes until July 31, 2026.
Route rule layouts let you set layouts directly in nuxt.config.ts using the appLayout property. No more scattering definePageMeta calls across pages - define admin, dashboard, and minimal layouts centrally. Combined with the new ability to pass props to layouts via setPageLayout, this provides much cleaner layout management.
Payload extraction now works with ISR and SWR route rules, not just pre-rendered pages. This means CDNs can cache payload files alongside HTML, reducing API calls during client-side navigation. Related: payload extraction also works in development mode now.
The #server alias provides clean imports within your server directory, similar to #shared. Import protection ensures you can't accidentally import server code from client contexts.
The draggable error overlay (introduced in 4.2) is now more polished - you can drag it to corners, minimize it to a pill button, and your preferences persist across reloads.
Performance improvements include hook filters to avoid unnecessary execution, faster SSR styles plugin, and route rules compilation into a client chunk using rou3. The deprecation of statusCode/statusMessage in favor of status/statusText prepares for Nitro v3.
Key takeaways:
Link: Nuxt 4.3
The summaries above are AI-generated interpretations and may not capture all nuances of the original articles. Always refer to the original sources for complete information.