
Hey guys,
Welcome to another edition of Import React by Cosden Solutions!
It’s been a rough week on the security front 😬 TanStack dropped the full postmortem on last week's npm compromise, and Next.js shipped 13 CVEs at the same time. Both worth a read even if you weren't directly hit.
Plus a wild Tanner Linsley experiment, a $5M founder admission, and the bundler quietly sitting under every Vite app just hit 1.0.
Let's get into it.
You think 4x faster than you type. Your IDE should keep up.
Wispr Flow lets you dictate prompts, acceptance criteria, and bug reproductions inside Cursor or Warp — with automatic file name and variable recognition. Say user_id, get user_id. Say useEffect, get useEffect.
Paste directly into GitHub, Jira, or Linear. Give coding agents the full context they need without typing a novel.
89% of messages sent with zero edits. Millions of developers use Flow daily, including teams at OpenAI, Vercel, and Clay. Free on Mac, Windows, and iPhone.
⚡️ The Latest In React
🚨 TanStack's Full Postmortem on the npm Supply-Chain Attack
The TanStack compromise now has the official writeup from Tanner: 84 malicious versions across 42 @tanstack/ packages, published by chaining three vulnerabilities. No npm tokens were stolen; the attacker bypassed npm credentials entirely. If you installed anything on May 11, treat the host as compromised and rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials. External researchers caught it within ~20 minutes; internal alerting did not.
🛡️ Next.js Shipped 13 CVEs in One Coordinated Release
Same week, Vercel dropped a coordinated patch for 13 advisories across Next.js, six rated High, covering auth bypass via App Router segment-prefetch URLs, SSRF in WebSocket upgrades, cache poisoning in RSC responses, XSS in CSP-nonce App Router apps, and a DoS in React Server Components itself (CVE-2026-23870). Patching is the only complete mitigation: upgrade to Next.js 15.5.18 / 16.2.6 and React 19.0.6 immediately. There's a lot of "I'm done with Next.js" energy in the discourse this week, but the underlying issue is that RSC's attack surface is still being mapped in public.
🧪 Tanner Linsley Built an AI-Generated "Projection" of React in a Weekend
Same Tanner, busy week. He shipped @tanstack/redact: an AI-generated React projection that lands at ~9KB gzipped (vs React's ~60KB), runs 2–3× faster on TanStack workloads, and passes 700/700 tests. It's running tanstack.com and his personal site in production today. He's explicit that this isn't an "alternative React" and it's not going into TanStack Start; it's an experiment in what happens when regenerating code stops being expensive. The framing alone (code as a "materialized view" of a spec) is worth the read.
⚠️ RSC Server Functions Are Not an API Boundary
Timely after the Next.js CVE wave. Long Ho argues that 'use server' functions feel internal but are functionally public RPC endpoints — anyone can call them with crafted payloads, and treating them like internal-only code is the misconception powering a lot of the recent RSC vulnerabilities. Authenticate, validate, and rate-limit every server function the way you would any public API route.
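To make the point concrete, here is an added example (not code from Long Ho's post, nor from React or Next.js) that models a server function as the public RPC endpoint it really is. No framework is imported; the CallContext type, the RateLimiter, and the in-memory users table are all constructed here so the file runs offline, and real server functions would be async where these are kept synchronous for brevity. The unsafe version is written the way "internal-only" code tends to be: it trusts the client-supplied userId and never checks who is calling. The hardened version applies the same four gates you would put on any API route.

```typescript
// Added example for the "server functions are public RPC endpoints" point above.
// Not code from the post or from React/Next.js: CallContext, RateLimiter and the
// users table are constructed here so the whole file runs offline. Real server
// functions are async; these are synchronous only to keep the example short.

type Session = { userId: string } | null;

// Hypothetical per-call context a framework would hand you: the caller's session
// (resolved server-side from a verified cookie, never taken from the payload), a
// key to rate-limit on, and an injected clock so the limiter is deterministic.
interface CallContext {
  session: Session;
  clientKey: string;
  now: number; // milliseconds
}

interface Result {
  ok: boolean;
  status: number; // HTTP-style status, because this really is an HTTP endpoint
}

// Minimal fixed-window limiter: at most `limit` calls per `windowMs` per key.
class RateLimiter {
  private hits = new Map<string, { windowStart: number; count: number }>();
  constructor(private limit: number, private windowMs: number) {}

  allow(key: string, now: number): boolean {
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { windowStart: now, count: 1 });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

// Constructed stand-in for a users table.
const users = new Map<string, { email: string }>([
  ["alice", { email: "alice@example.com" }],
  ["bob", { email: "bob@example.com" }],
]);

// Runtime validation of the deserialized payload. A 'use server' function's
// TypeScript parameter type is erased at runtime; any JSON can be POSTed to it.
function parseUpdateEmailInput(raw: unknown): { userId: string; email: string } {
  if (typeof raw !== "object" || raw === null) throw new Error("payload must be an object");
  const { userId, email } = raw as Record<string, unknown>;
  if (typeof userId !== "string" || !/^[a-z0-9-]{1,64}$/.test(userId)) {
    throw new Error("invalid userId");
  }
  if (typeof email !== "string" || email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new Error("invalid email");
  }
  return { userId, email };
}

// The misconception in action: written as if only our own UI could ever call it,
// so it trusts the client-supplied userId and does no auth at all. Any caller can
// change any user's email.
function updateEmailUnsafe(input: { userId: string; email: string }): Result {
  const user = users.get(input.userId);
  if (user) user.email = input.email;
  return { ok: true, status: 200 };
}

const limiter = new RateLimiter(5, 60_000);

// The same operation treated as the public API route it really is.
function updateEmail(ctx: CallContext, raw: unknown): Result {
  // 1. Rate-limit before doing any work.
  if (!limiter.allow(ctx.clientKey, ctx.now)) return { ok: false, status: 429 };
  // 2. Authenticate from server-side state, not from anything the client sent.
  if (!ctx.session) return { ok: false, status: 401 };
  // 3. Validate the payload's shape and contents.
  let input: { userId: string; email: string };
  try {
    input = parseUpdateEmailInput(raw);
  } catch {
    return { ok: false, status: 400 };
  }
  // 4. Authorize: the caller may only act on their own record.
  if (input.userId !== ctx.session.userId) return { ok: false, status: 403 };
  const user = users.get(input.userId);
  if (!user) return { ok: false, status: 404 };
  user.email = input.email;
  return { ok: true, status: 200 };
}
```

The order of the gates matters: the limiter runs first so an unauthenticated flood is cheap to reject, authentication comes from request state the client cannot forge, validation happens before the payload touches anything, and authorization compares the requested record against the session rather than trusting an id in the body.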
🪶 Migrating Off React Saved This Marketing Site 100 KB
Evil Martians took an Astro + React + Ark UI marketing site and ripped React out, replacing it with native Web Components and a tiny new library called nanotags (~2.5 KB). Result: 100 KB less JavaScript on the wire, no functionality lost, accessibility actually slightly better. The argument is narrow but sharp — most marketing sites are shipping a full SPA framework just to toggle a sidebar.
Quick Links
Julia Evans on Testing Vue Components in the Browser — Vue-flavored, but the "why real-browser testing beats jsdom" argument applies cleanly to React. Short and sharp.
Tailwind CSS v4.3 — Point release with new utilities for color-mix(), text-wrap, and faster arbitrary-value compilation.
How Libraries Are Quietly Shaping the Web Platform — Jad Joubran on which library patterns are getting absorbed into native browser APIs.
react-doctor by Million — New CLI from the Million team that diagnoses common React perf issues in your codebase.
Remix Changed Direction… Again — Lively r/reactjs thread on Remix's latest pivot. Lots of "are we back?" energy in the replies.
Waku v1 Beta — Daishi Kato's minimal RSC-first framework hits beta with a much more stable API surface.
MapLibre React Native — The open-source Mapbox alternative now has a proper React Native binding.
The "Pocket" / OneCall Factory Pattern — r/reactjs thread on an experimental pattern that collapses a component's render path into a single call for perf. Weird, interesting, probably not for production.
Write Better Error Messages — Wix UX on error-message writing as a product skill, not a copy task. Worth bookmarking.
33 JS Concepts — Compact reference of the JS fundamentals every dev should know cold. Useful for interview prep or onboarding juniors.
🧠 AI & General Programming
🤖 "I'm Going Back to Writing Code by Hand"
A 7-month vibe-coding postmortem that blew up on HN. The author shipped 234 commits on a Kubernetes TUI before sitting down and reading the code Claude wrote, a 1,690-line god object with a 500-line Update() function dispatching across 110 switch branches, all "working 99% of the time." AI builds features beautifully, but it builds architecture terribly, and the velocity high hides the rot until everything collapses at once. Includes five concrete CLAUDE.md / AGENTS.md directives to stop it happening to you.
🕵️ Claude Mythos "Discovered" a CVE That Was Already in Its Training Data
Anthropic claimed Claude Mythos pulled off the first AI-discovered remote kernel exploit (CVE-2026-4747 in FreeBSD's RPCSEC_GSS). Rival Security dug in and found the vulnerable FreeBSD code is a near-verbatim copy of MIT Kerberos code patched as CVE-2007-3999, almost 20 years ago. Mythos didn't invent anything; it pattern-matched a recycled bug. The actually-worrying conclusion: it doesn't have to invent anything to be dangerous — there's a lot of copy-pasted legacy code sitting in production right now.
💸 5 Years and $5M Later: Building a Custom Language Was a Mistake
A genuinely candid founder postmortem from Wasp on why they're replacing their custom DSL with TypeScript while keeping the framework internals identical. The "lang" suffix made every dev think they were trying to replace JavaScript; building IDE tooling for a custom language was a years-long tax; and they eventually realized the moat was never the language, it was having a high-level spec the compiler could reason about. Rare honest writeup of a multi-year bet that didn't pay off.
⚡ Rolldown 1.0 Is Stable
The Rust-based bundler that's been quietly powering Vite 8 since March just hit stable. 10–30× faster than Rollup, on par with esbuild, Rollup-plugin-compatible. Production numbers from the post: Ramp cut build times 57%, Mercedes-Benz.io 38%, Beehiiv 64%. If you're on Vite 8, you're already running it. Next milestone is a "full bundle mode" for dev with claimed 3× faster startup and 40% faster reloads.
🧱 The 4 Symptoms of Bad Software Design
Clean, example-driven breakdown of the four "smells" that say your architecture's in trouble: Rigidity (one change cascades into ten), Fragility (fixing one module breaks another), Immobility (you can't extract anything without dragging the whole stack), and Viscosity (the hacky path is faster than the right one). Each comes with a concrete refactor and a real-world example.
🗣️ Why Senior Developers Fail to Communicate Their Expertise
Sharp framing on a problem most senior devs feel but can't quite name: the rest of the business worries about uncertainty; senior devs worry about complexity, and they're talking past each other every meeting. The magic phrase the post offers ("Can we try something quicker?") is almost worth the read on its own. Bonus take on splitting a codebase into a "Speed" version and a "Scale" version in the AI era.
See you next week,
Darius

