Hey guys,

Welcome to another edition of Import React by Cosden Solutions!

Two themes this week. The supply-chain saga continues (another 317 npm packages compromised), and TanStack is having a real moment - Tanner on Nuno's pod, RSC in Start, Fate 1.0.

Plus Bun yolo-merged a million-line Rust port. Yes, really.

Let's get into it.

⚡️ The Latest In React

🧩 Harness Orchestration 101 — for React devs wiring AI into production
Calling an AI API is easy; composing those calls into a reliable agent is the hard part. This blog from Agentfield introduces the harness — the scope, tools, retries, and eval layer that holds an agent together — and shows how to build one in production. They've also open-sourced 100+ agent recipes if you want to skip straight to code. [ad]

🚨 Mini Shai-Hulud Strikes Again — 317 npm Packages Compromised in 22 Minutes
The atool maintainer account got popped on May 19, and the attacker published 637 malicious versions across 317 packages — including echarts-for-react, timeago.js, and hundreds of @antv scoped packages — in a single 22-minute automated burst. The payload installs a Claude Code SessionStart hook so the malware re-runs every time you start a coding session. Check your lockfiles.

⚛️ Fate 1.0 — A Modern React Data Framework
Christoph Nakazawa's data framework hits 1.0. The pitch: cache normalized objects instead of requests, compose Views up the tree into a single Request at the root, and let the framework handle live updates, optimistic mutations, and GC. Designed for Async React from the ground up — feels like the data layer the new React primitives have been waiting for.

🎙️ Why React Developers Are Leaving Next.js for TanStack — Tanner × Nuno Maduro
A 37-minute conversation that's basically the complete TanStack worldview, end-to-end — the business model, the case against Next.js's RSC architecture, TypeScript inference, "did React win?", and whether TanStack ever becomes the Laravel of the React world. Queue it up for your next walk.

🌳 React Server Components in TanStack — From First Principles
Adam Rackis walks through RSCs in TanStack Start from scratch, deliberately avoiding the Next.js comparison until the end. The argument: TanStack's RSC implementation is radically different — and better — than Next.js's, because it treats Server Components as streams of data the client can compose, not a server-first architecture that owns the tree.

📊 "Most React Performance Advice Is Stuck in 2023"
The thread's argument: with React 19's compiler doing automatic memoization, the entire 2023 playbook of React.memo + useMemo + useCallback is mostly noise now. Comments dig into what perf advice actually still applies in 2026, and what got obsoleted overnight. Good gut-check on whether your team's mental model has caught up.

Quick Links

🧠 AI & General Programming

⚙️ Bun Goes Full Leeroy Jenkins — Jarred YOLO-Merges a 1M-Line Zig→Rust Port
Six days after opening what he swore was an experimental branch that would probably never ship, Jarred Sumner merged a one-million-line PR rewriting Bun's entire codebase from Zig to Rust — and reportedly spent more time on a single date than vibe-coding the migration. Motivation: memory leaks Zig's tooling couldn't catch. Whether this lands cleanly or burns the runtime down depends almost entirely on how good Bun's Node-compat test suite is.

📄 The Unreasonable Effectiveness of HTML (Claude Code Team)
Thariq Shihipar argues that Markdown has quietly become a bottleneck for AI-generated output, and HTML is the better default. HTML can carry tables, SVG diagrams, sliders, and "throwaway editors" for one-off problems; Markdown can carry a header and a bullet. Practical examples for code review, design exploration, and report writing.

🤐 Nobody Pushed Back: Why Engineers Stay Silent Until It's Too Late
Nokia, TSB, Boeing, and Microsoft Windows Phone — four billion-dollar disasters with the same underlying mechanism: engineers knew, but pushing back cost more than staying quiet. The real argument lands in the last section: pushback isn't about saying "this is wrong," it's about making the cost of the decision visible.

Software Abundance
Tereza Tížková on what shifts when software gets cheap enough to ship for free. Less AI hype piece, more a thoughtful look at what abundance does to product strategy and how we measure value.

📡 How GPS Actually Works (Interactive Deep Dive)
The same crew that made the brilliant Shazam explainer a few weeks back is back with an interactive walkthrough of how GPS turns four floating satellite signals into your blue dot. Time dilation, atmospheric correction, ephemeris data — all visual. A reward for getting through the rest of this email.

✉️ Email Is Crazy
Sam Khawase on why email — the simplest-looking protocol — is actually one of the most cursed. SPF, DKIM, DMARC, BIMI, retries, reputation — the entire deliverability stack laid bare. It also explains how you’re reading this edition of Import React. :)

See you next week,

Darius
