TanStack Under Attack, RSC Rethought, and React Native Gets Serious About Performance
Published on 06.05.2026
Malicious npm Package Brand-Squats TanStack to Steal Environment Files
TLDR: An unscoped npm package called tanstack pushed four malicious versions that silently exfiltrated .env files from developers' machines at install time. The attacker had previously tried to extort TanStack's creator for $10,000, and this appears to be deliberate retaliation or escalation.
Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Files
Who Owns the Tree? TanStack Start's RSC Model Is Different, On Purpose
TLDR: Tanner Linsley argues that RSC is a protocol, not an architecture, and that TanStack Start supports both server-owned and client-owned composition models. The piece is a thoughtful pushback against the assumption that "RSC support" means "Next.js-style server-first tree."
Who Owns the Tree? RSC as a Protocol, Not an Architecture
Introducing TanStack Form: A Deep Dive Into the API
TLDR: Frontend Masters published a thorough walkthrough of TanStack Form, covering field management, validation timing, array fields, cross-field reactivity, and the composition patterns that make large forms manageable. It's a good reference if you've been curious about the library but not ready to dive into the docs directly.
Time to Yield: A Brutal SSG Benchmark That Exposes Next.js's Static Export Ceiling
TLDR: A developer built a benchmark comparing five SSG frameworks across up to 500,000 static pages and found that Next.js crashes with a stack overflow at 200,000 pages, while a streaming-path approach completes 500,000 pages in 155 seconds. The decisive variable is whether your path source returns an array or yields from an async generator.
Next.js Link as a Button: The Accessibility-Correct Solution
TLDR: When you want a third-party button component to trigger Next.js router navigation instead of a full page reload, the combination of passHref and legacyBehavior on the Link component is the right answer. Using onClick with router.push renders a button element where link semantics are needed.
Remix 3 Beta Preview: A Full-Stack Rethink With Frames, Unbundling, and a New Component Model
TLDR: Remix 3 is in beta preview and it's a significant departure. The team has moved toward building the full stack, including routing, sessions, auth, uploads, and UI, as composable packages under one umbrella. The component model is explicitly procedural, and assets are served without a traditional bundler dependency.
shadcn/ui Gets Package Import Aliases and Portable Registry Targets
TLDR: shadcn CLI 4.7.0 adds support for package.json#imports as an alias source, replacing the tsconfig.json compilerOptions.paths dependency. Registry items can now also use target aliases to install files into user-configured directories.
May 2026 - Package Imports and Target Aliases
Expo Go and the App Store: What's Actually Happening in May 2026
TLDR: Expo Go for SDK 55 is still pending Apple App Store approval as of May 4th. The team is redirecting developers toward development builds and introducing eas go for creating personal Expo Go builds through your own Apple Developer account.
Expo Go and the App Store in May 2026
Expo Gradle Cache Cuts Android Build Times by 50%
TLDR: EAS now supports Gradle build caching for Android, using task output hashing to skip recompilation when inputs haven't changed. The team reports around a 50% reduction in build times, with the cache keyed to your package manager lock file.
Gradle Cache for Android Builds
Making JSI 30x Faster: Data Shape Is More Important Than Algorithms
TLDR: Margelo's part 2 JSI performance post shows that choosing ArrayBuffer over an array of objects for numeric data produces a 30x speedup in benchmarks. The decisive factor is reducing JSI boundary crossings and GC pressure, not algorithmic cleverness.
Part 2: Making JSI Faster with more Efficient Data Structures
How react-native-ease Runs Animations with Zero JavaScript per Frame
TLDR: react-native-ease hands animation control entirely to the native side after the initial prop change. On iOS it uses Core Animation key-path animations; on Android it uses ObjectAnimator and SpringAnimation. JavaScript is not involved for individual frames.
How react-native-ease Runs Animations with No JavaScript Loop
Building Custom Screen Transitions in React Navigation with navigation.zoom()
TLDR: react-native-screen-transitions v3.4 ships a navigation.zoom() helper that recreates iOS's bounds-driven navigation zoom transition in pure JavaScript, using component measurements and Reanimated worklets.
Building Custom Transitions with react-native-screen-transitions
React Native at Scale: Production Lessons from Zalando and Others
TLDR: Four talks from the React Universe Meetup x Zalando cover measuring performance in brownfield migrations, managing video feeds, using React Native to access HealthKit from a web-first product, and running on-device LLMs with wildly variable initialization times across Android hardware.
React Native Production Lessons from React Universe Meetup x Zalando
Node.js 26 Ships with Temporal API, V8 14.6, and a New Release Schedule
TLDR: Node.js 26 is the new Current release, bringing the Temporal date/time API enabled by default, V8 14.6 with new iterator and map primitives, and a major announcement: starting with Node.js 27, the project moves to one major release per year with every release becoming LTS.
tsz: A TypeScript Compiler in Rust That's Already Faster Than tsgo
TLDR: tsz is a TypeScript type checker and language service written in Rust, targeting TypeScript 6.0.3, and currently benchmarking 1.73x faster than tsgo across 63 test cases. It claims 99% conformance on TypeScript's own test suite and 100% language service conformance.
tsz - A TypeScript Compiler in Rust
Why "Trusted Publishing" Can't Protect You When the Maintainer Is Compromised
TLDR: The Axios supply chain attack exploited a social engineering compromise of the maintainer's live browser session, not a stolen password or API key. Provenance attestation would have signed the malicious package as legitimate because the attacker was operating as the maintainer. This is a different threat model than trusted publishing addresses.
Why "Trusted Publishing" Can't Save Us from Social Engineering