TanStack RSC, React2DoS CVE, MUI v9, WebStreams 10x Faster, and the Case for Vertical Codebases

Published on 15.04.2026

React Server Components Your Way: TanStack's Client-First Approach

TLDR: TanStack Start has shipped experimental React Server Component support that treats RSCs as ordinary fetchable data streams rather than the center of your app architecture. The API is intentionally small, and it pairs naturally with TanStack Query and Router for caching without any special RSC-aware mode.

React Server Components Your Way


React2DoS (CVE-2026-23869): A Quadratic Complexity DoS in the Flight Protocol

TLDR: Researchers at Imperva discovered a denial-of-service vulnerability in the Flight protocol deserialization used by React Server Components. Processing cost grows quadratically with payload size, so a tiny payload of tens of kilobytes can trigger minutes of CPU work. The fix landed in React 19.2.5, with backports to 19.0.5 and 19.1.6.

React2DoS (CVE-2026-23869): When the Flight Protocol Crashes at Takeoff


Vercel Made WebStreams 10x Faster and Now It's Going Into Node.js

TLDR: Vercel built fast-webstreams, a drop-in replacement for the WHATWG Streams API that routes operations through Node.js streams internals, achieving up to 14.6x faster throughput for the exact byte stream pattern React Server Components use. The optimizations are already being contributed upstream to Node.js itself.

We Ralph Wiggumed WebStreams to make them 10x faster


Introducing Material UI and MUI X v9: A Synced Ecosystem

TLDR: MUI has simultaneously released Material UI v9 and MUI X v9, re-aligning their major version numbers for the first time since the v6 split. The release adds NumberField, Menubar, a Scheduler alpha, a Chat alpha, and a Data Grid AI Assistant backed by a new MUI Console for license and API key management.

Introducing Material UI and MUI X v9


Base UI v1.4.0: Accessibility and Stability Fixes Across the Board

TLDR: Base UI v1.4.0 ships a significant round of bug fixes across nearly every component in the library, with a notable new OTPField component for one-time password entry and substantial fixes to Combobox, Drawer, and Select behavior on mobile.

v1.4.0 · Base UI


The Vertical Codebase: Stop Organizing by Type, Start Organizing by Domain

TLDR: TkDodo argues that the standard horizontal codebase structure (components/, hooks/, utils/, types/) creates a maintenance nightmare at scale and that organizing code vertically by domain (dashboard/, widgets/, profiling/) produces codebases that are easier to navigate, own, and evolve.

The Vertical Codebase


Custom ESLint Rules: Now More Valuable Than Ever

TLDR: A detailed walkthrough on writing custom ESLint rules by exploring Abstract Syntax Trees, building a rule that catches derived state in useEffect, and making the case that custom rules are more effective than AI coding prompts for enforcing project-specific conventions.

Now more than ever, you need to master custom ESLint rules


Contributing Callsite Revalidation Opt-out to React Router

TLDR: A developer's first-person account of contributing a new feature to React Router that lets you opt individual fetcher submissions and navigation calls out of the default aggressive revalidation behavior, now available as unstable_defaultShouldRevalidate in v7.11.0.

Contributing Callsite Revalidation Opt-out to React Router


Agent React DevTools: Giving AI Agents Access to React Internals

TLDR: Callstack released a CLI tool called Agent React DevTools that connects AI agents directly to React DevTools, giving them access to the live component tree, profiling data, render commits, and performance hotspots without requiring any changes to application code.

Agent React DevTools: Debug React Apps with AI Agents


TLDR: metro-mcp is a plugin-based MCP server that connects to Metro bundler via Chrome DevTools Protocol, giving AI agents and IDE extensions access to console logs, network requests, the React component tree, Redux state, navigation state, accessibility audits, CPU profiling, and more, with no app code changes required for most features.

metro-mcp on GitHub


React Native 0.85: Shadow Tree Commit Branching and Animation Backend by Default

TLDR: React Native 0.85 introduces dual-branch Shadow Tree commits to eliminate contention between React updates and native animation/styling libraries, and promotes the C++ Animation Backend to enabled by default, with a clean mechanism for animation libraries to update props without going through the JavaScript rendering pipeline.

React Native 0.85 changelog dive


You Can't Cancel a JavaScript Promise (Except Sometimes You Can)

TLDR: The Inngest SDK interrupts async workflow functions by returning a promise that never resolves, letting the garbage collector clean up the suspended function. This achieves generator-style interruption while letting users write plain async/await code, and it actually works correctly in production.

You can't cancel a JavaScript promise (except sometimes you can)


What Encore Learned Building a 67,000-Line Rust Runtime for TypeScript

TLDR: Encore describes building a complete HTTP, database, pub/sub, tracing, and API gateway infrastructure layer in Rust with Node.js NAPI bindings, achieving 9x the throughput of Express.js and processing billions of requests daily. The post covers the non-obvious technical challenges of bridging JavaScript's async model to Rust's.

What We Learned Building a Rust Runtime for TypeScript


Bun v1.3.12: Native Headless Browser, In-Process Cron, and JavaScriptCore Upgrades

TLDR: Bun v1.3.12 ships Bun.WebView, a native headless browser automation API with WebKit and Chrome backends; an in-process Bun.cron() scheduler for long-running servers; JavaScriptCore upgrades including explicit resource management (using/await using); and dozens of Node.js compatibility fixes.

Bun v1.3.12


HTML-in-Canvas: Rendering Real DOM Elements Inside canvas

TLDR: WICG has published a proposal and Chromium implementation for rendering arbitrary HTML elements into 2D and 3D canvas contexts, with privacy-preserving restrictions on cross-origin content, currently available behind a Chrome flag.

WICG/html-in-canvas