#111

New Critical Next.js CVEs, ElevenLabs UI, TS 7 Roadmap, Async React, Vercel for Platforms, CSS Wrapped


This is the last issue of the year. I want to thank you for reading and supporting the newsletter. I hope you have a great holiday season and a happy new year!

See you in 2026 🎄

– Erfan Ebrahimnia, Curator of Next.js Weekly


Together with
Arcjet

Two new RSC protocol vulnerabilities

Following last week's React2Shell exploit, two new vulnerabilities affecting Next.js App Router (v13-v16) have been discovered. One can freeze your server, and the other could leak your source code. There is no workaround other than upgrading immediately. You can use npx fix-react2shell-next to automatically verify and update your app. Also check out: Security Bulletin: CVE-2025-55184 and CVE-2025-55183

The next era of React has arrived: Here’s what you need to know

The post describes the architectural shift behind async React, where React 19's new coordination primitives, such as useTransition, Suspense, useDeferredValue, and the new use() API, turn async logic into declarative building blocks.


⚡️ Sponsor

Arcjet

Arcjet - Painless security for developers

Implement bot protection and signup spam protection natively in code.

📙 Articles, Tutorials

𝕏 React2Shell explained

The Vercel CEO wrote a long Tweet sharing his perspective on the React2Shell exploit and how Vercel and others moved quickly to patch it and protect Next.js users

Replacing Next.js ISR with a custom Cloudflare cache layer

Instead of relying on Next.js ISR, Mintlify built a custom caching layer powered by Cloudflare Workers, KV, Durable Objects, and Queues. This setup decoupled deployments from cache invalidation and pushed their cache hit rate to almost 100%.

► The Better Way to Build Next.js APIs

Shows how Elysia, a web framework built on Bun, helps you make very fast and type-safe APIs inside Next.js 16. It also includes Eden, a package that brings built-in type safety between server and client, like a simpler tRPC.

useEffectEvent in React

This guide explains React's new experimental Hook useEffectEvent, and shows how and when to use it. It also covers best practices, use cases like logging or debouncing, and what to expect before it’s stable.


🇫🇷 React Paris 2026

React Paris just announced its full speaker lineup, featuring top names like Una Kravets, Tanner Linsley, Mark Erikson, Daishi Kato, Kitze, and Tejas Kumar. The conference focuses on cutting-edge React, AI, and web dev, and takes place March 26-27, 2026.


📦 Projects / Packages / Tools

ElevenLabs UI

A component library built on top of shadcn/ui which provides pre-built, customizable React components specifically designed for agent & audio applications, including orbs, waveforms, voice agents, audio players, and more

Lina

A smart scroll area that works great on both touch devices and desktops. It switches between native and custom scrollbars automatically and adds small details like fade effects and smooth edge masks.

OpenStatus Template

The OpenStatus team released a ready-to-use template built with @shadcn/ui and Next.js in SPA mode. It can be exported as a static site and comes with built‑in components like FormCard, ActionCard, MetricCard, Section, and EmptyState.

Progress on TypeScript 7

TypeScript 6.0 will be the last version built with JavaScript and will act as a bridge to 7.0. The team is almost done moving the compiler and editor tools to native code. Version 7.0 will be much faster, use less memory, and feel smoother in editors like VS Code and Cursor.


⚡️ Sponsor

Lessons Learned from Vibe Coding

In this tutorial, learn how v0 and Claude Code accelerate development with Strapi 5 and Next.js


🌈 Related

Introducing Vercel for Platforms

Vercel has launched a new product that helps you build platforms where your users can have their own sites or apps. There are two ways to use it: Multi-Tenant, where one codebase serves all your users with custom or wildcard domains, and Multi-Project, where each user gets their own Vercel project with separate builds and settings. It also comes with Platform Elements, a library to make setup easier

CSS Wrapped

Chrome's annual recap shows how far CSS has come, from simple styling to state, logic, and interactivity that was once only reserved for JavaScript

► You really need to try Effect ft. Ethan Niser

Ben Davis and Ethan walk through a Notion-to-Discord app that Ben first built using Effect, showing what went wrong and how to do it better. Ethan explains how to use dependency injection to make code cleaner and easier to test and shows how Effect's schema and logging tools help write safer code.

Designing Design Systems

The maintainer of TanStack Query shares his thoughts on building a design system at Sentry


Have a link you want to share? Send me an email at erfan@nextjsweekly.com

All submissions are appreciated.

👋 See you next week!