TMiR 2025-12: Year in review, React2Shell (RCE, DOS, SCE, oh my)
Full transcript at Reactiflux
Main Content
- React2Shell vulnerability
- Initial announcement
- Cloudflare
- Tech analysis: “Flight Protocol”
- Vuln is carefully crafted Promise deserialization + `new Function` eval
- PRs: Initial fixes, Promise cycles / function toString, more Promise cycles
- Guillermo’s breakdown
- Shruti’s breakdown
- Comms critique
- “React is rainbow colored (function types)”
- What does this mean for React and RSC adoption going forward?
- When I go back and look at react.dev now […] it feels half-finished
- React Native year in review
- More CSS support
- Expo EAS hosting
- RN 0.78: React 19 support
- Lynx launched
- RN 0.79: JSC moving to Community Package
- RN 0.80: Freezing the legacy architecture
- RN 0.81: Android 16 support for edge to edge
- 1.0 on the horizon
- Vega OS launched
- RN 0.82: Only new architecture
- Expo App Awards
- RN 0.83: New Devtools - no breaking changes
- React year in review
- CRA deprecation, new install docs (Vite!)
- Styled Components Deprecated
- Releases: 19.2 (Activity, useEffectEvent), Compiler 1.0
- Research: View Transitions canary, perf, concurrent stores, “throw a promise” deprecated (but not merged yet)
- “Async React” and the ecosystem
- React Foundation
- React growth skyrockets
- React Router RSC support, TanStack Start WIP RSC, Waku
- Dan’s RSC explainers (he had a bunch of things to say)
- Remix v3 Jam recap (not React but relevant)
- Mark went from frustrated (CRA) to excited (ReactConf, foundation, team efforts)
⚡ Lightning round ⚡
- TS 7 progress update
- NPM classic tokens revoked
- GitHub Actions planned work
- GitHub Action pricing change and immediate about-face
- Stacked diffs proposal in the works?
- Anthropic bought Bun
- SVG Clickjacking from Lyra (SVG filters as logic gates??)
- Dan Abramov’s RSC Explorer: https://rscexplorer.dev/ , https://overreacted.io/introducing-rsc-explorer/
- Instant-loading GitHub repo explorer using RSCs: Without the blue bar
- React Router’s Take on RSCs
- How AI Coding Agents hid a Timebomb in Our App
- https://acusti.ca/blog/2025/12/16/react-compiler-silent-failures-and-how-to-fix-them/
- Great history of web dev: 30 Years of <br> Tags
- Nadia Makarevich’s latest deep dive: Bundle Size Investigation
- Extensive ES2026 feature preview
- React reconciler for Blender 3D
- The “why” of React Fiber
- Async React articles from Aurora Scharff and Jack Herrington
Creators and Guests
Host
Mark Erikson
An engineer maintaining Redux and Redux Toolkit, working at Replay.io to make smarter AI chat bots and debuggers using time travel.
Host
Mo
Head of Mobile at Theodo, a software consultancy that does native app development for iOS and Android
Producer
Carl Vitullo
Solopreneur just vibing, posts are probably bullshit. Community lead at Reactiflux, the largest chat community of React professionals.