Hey guys,
Welcome to another edition of Import React by Cosden Solutions!
Quiet week? Not even close. Next.js quietly shipped a pile of security fixes you'll want to apply today, TanStack dropped an AI library that wants to be the Switzerland of the whole space, and the Bun acquisition is starting to show its first real cracks.
Let's get into it.
⚡️ The Latest In React
🚨 Next.js Just Shipped a Stack of Security Fixes - Patch Today
A backported security release landed this week patching multiple advisories across Server Components, App Router, Middleware, and the Proxy layer - including a middleware/proxy bypass, a denial-of-service via connection exhaustion in apps using Cache Components, and an SSRF in apps doing WebSocket upgrades. If you're on 16.x, this is a "bump the patch version before lunch" situation. The bypass ones are the spicy part - a couple of them route straight around middleware auth checks.
🎛️ TanStack AI Wants to Be the Switzerland of AI Tooling
Tanner's crew shipped the TanStack AI beta, and the pitch is exactly what you'd expect from TanStack: provider-agnostic, type-safe, framework-first. The beta adds a generateAudio activity with streaming plus fal and Gemini Lyria adapters - music, sound effects, text-to-speech, and transcription, all behind one API. The interesting bet buried in here: they're treating "which AI provider" as a swappable adapter, the same way Query treats your backend.
🐢 Next.js Accidentally Pointed latest at a Prerelease - and the Fix Is Funny
For a bit this week, npm install next could resolve to a prerelease. The fix? The team had to publish multiple no-change "empty" releases just to nudge the dist-tag back, because their new Trusted Publishing setup won't let them edit dist-tags directly. A tiny window into how fragile npm's plumbing still is - and a reminder to pin your versions.
📱 Expo SDK 55 Beta: React Native 0.83, React 19.2, and the Legacy Architecture Is Officially Gone
SDK 55 pulls in React Native 0.83.1 and React 19.2.0 - but the headline is that newArchEnabled is removed entirely. New Architecture is the only option now. If you've been putting off the migration "until you have to," SDK 54 was the last off-ramp. The reanimated v4 / FlashList v2 ecosystem already moved; you're the holdout now.
🧱 WordPress Tried to Ship React 19 - and Had to Revert It
A cautionary tale for anyone shipping React in a plugin ecosystem: several plugins bundled React 18's JSX runtime helpers and crashed the second React 19 loaded alongside them. Gutenberg rolled the upgrade back and is going incremental. The dev note on what breaks (render(), unmountComponentAtNode, findDOMNode, ref callbacks) is worth a read even if you never touch WordPress - it's the cleanest React 18→19 gotcha list around.
Quick Links
Next.js security advisories - the full GHSA list from the patch above, if you want to know exactly what you're fixing.
Vite 8 + Rolldown - the single Rust-based bundler is now stable, with teams reporting builds dropping from 46s to 6s. If you skipped the upgrade, this is your nudge.
The agentic coding tools have basically converged - six months in, Claude Code, Cursor, Codex, and Antigravity all landed on the same blueprint. A clear-eyed map of who wins which surface.
🧠 AI & General Programming
🚫 Microsoft Reportedly Told Engineers to Drop Claude Code - Right as Billing Changes
Per reporting picked up this month, Microsoft's Experiences + Devices org is moving thousands of engineers off Claude Code to GitHub Copilot CLI by June 30. It collides with Anthropic's June 15 change that moves programmatic Claude usage onto a separate credit pool billed at full API rates - so a lot of teams are about to see the "real" cost of their agent workflows. The token math in here is the part that'll make your eye twitch.
🍞 The First Cracks in the Bun Acquisition
RedMonk dug into Bun's commit history post-Anthropic, and the picture is sobering: of ~7 identifiable pre-acquisition Oven employees, at least 4 have departed or gone quiet, and one active committer went from 745 commits to 1. It's still MIT-licensed and shipping - but as the piece puts it, it's not the team that built it. A genuinely useful case study on what happens to open source after an AI-company acquihire.
😬 "Real Maturity Problems": Not Everyone's Happy With Bun
The companion read to the above. Memory leaks, a growing open-issue pile, and unease about Claude Code being load-bearing on a runtime that breaks if Bun breaks. Worth reading before you make Bun your default in production this quarter.
🧰 Claude Code's June Changelog Is Quietly Huge
Less flashy, more useful: a failed Bash command no longer cancels the rest of a parallel batch, fallback-model retry on unexpected API errors, JetBrains terminal flicker fixed, and metrics you can now slice by team or repo. If you live in the terminal, the parallel-tool fix alone is worth the update.
See you next week,
Darius


