This Week In React #277: TanStack RSC, React2DoS CVE, Vercel WebStreams 10x Faster, MUI v9, and the Vertical Codebase
Published on 15.04.2026
React Server Components Your Way: TanStack's Take
TLDR: TanStack Start treats React Server Components as plain data streams rather than a server-owned component tree. You fetch, cache, and render them on your terms, using existing tools like TanStack Query or TanStack Router.
React Server Components Your Way | TanStack Blog
React2DoS (CVE-2026-23869): A New DoS Vulnerability in RSC Flight Protocol
TLDR: Imperva disclosed a high-severity denial-of-service vulnerability in React Server Components that uses the Flight protocol's Map/Set deserialization to trigger quadratic computation from small payloads. Update to React 19.2.5 now.
React2DoS (CVE-2026-23869): When the Flight Protocol Crashes at Takeoff | Imperva
Vercel's fast-webstreams: Making WebStreams 10x Faster for Server Rendering
TLDR: Vercel built a drop-in replacement for Node.js WebStreams that eliminates per-chunk Promise allocations, achieving 10x throughput improvement for piped streams and 14.6x for the exact byte-stream pattern React Server Components uses.
We Ralph Wiggumed WebStreams to make them 10x faster - Vercel
Material UI and MUI X v9: Synchronized Versions and AI-Native Components
TLDR: MUI v9 re-aligns Material UI and MUI X on the same major version number for the first time since their split in 2023, adds NumberField, Menubar, Scheduler, and Chat components, and ships a new MUI Console for managing AI assistant licenses.
Introducing Material UI and MUI X v9 - MUI
The Uphill Climb of Making GitHub Diff Lines Performant
TLDR: GitHub's team reduced INP from 450ms to 100ms and cut JavaScript heap usage by 50% on large pull requests by simplifying their React diff line architecture from 13 components per line to 2, and adding TanStack Virtual for p95+ pull requests.
The uphill climb of making diff lines performant - GitHub Engineering
If You Can't See the Boundary, You Can't Reason About the System
TLDR: A thoughtful developer shared that he'd rather build a client-only React app than use Next.js App Router because the RSC server/client boundary is invisible at runtime. The author responds by building RSC Boundary, a dev-only overlay that makes the boundary visible.
If you can't see the boundary, you can't reason about the system
The Vertical Codebase: Structuring Code by Domain, Not by Type
TLDR: TkDodo argues for organizing codebases vertically by domain rather than horizontally by type (components, hooks, utils), citing Sentry's codebase as a cautionary tale of what horizontal structure looks like after 10 years.
Now More Than Ever, You Need to Master Custom ESLint Rules
TLDR: A detailed walkthrough of building custom ESLint rules using AST analysis, starting with a real useEffect derived-state antipattern, showing how AST Explorer makes rule development practical, and arguing that custom rules are the most reliable way to enforce team coding standards.
Now more than ever, you need to master custom ESLint rules
You Can't Cancel a JavaScript Promise (Except Sometimes You Can)
TLDR: The Inngest SDK interrupts async workflow functions by returning a promise that never resolves, letting the garbage collector clean up the suspended function. It's a legitimate control flow technique that avoids the try/catch pitfalls of exception-based interruption.
You can't cancel a JavaScript promise (except sometimes you can) - Inngest Blog
What Encore Learned Building a Rust Runtime for TypeScript
TLDR: Encore built a 67,000-line Rust runtime that handles the full HTTP lifecycle, database pooling, pub/sub, and tracing for TypeScript applications running on Node.js, achieving 9x the throughput of Express.js.
What We Learned Building a Rust Runtime for TypeScript – Encore Blog
Agent React DevTools: Giving AI Agents Access to React Internals
TLDR: Callstack released a CLI that connects AI agents directly to React DevTools, letting agents inspect the live component tree, profiling data, and render performance rather than relying on visual UI trees alone.