Files SDK, React2Shell Story, Next.js Security Release, Fate, Tailwind CSS v4.3, RSC Server Functions
Next.js May 2026 security release
A big security update for Next.js fixing 13 issues across auth bypass, denial of service, SSRF, cache poisoning, and XSS. One of the fixes also covers an upstream React Server Components bug. If you use affected Next.js or react-server-dom-* versions, update right away, as patching is the only full fix. Next.js 15.5.18 and 16.2.6 include the fixes
Docs Update: Data Security & Mutations
The Next.js team extended the guides for implementing data security and mutations in your apps, with a big focus on Server Actions and Server Functions. The docs now make it clearer that these functions can be called by direct POST requests, so you should always check authentication and authorization inside each one, not just at the page level
📙 Articles / Tutorials / News
The React2Shell Story
A security researcher shares how a close look at React Flight led to finding a critical remote code execution bug in React, later fixed as CVE-2025-55182. It’s a great read if you want to learn how React Server Components and Server Functions work under the hood
Next.js Link as a Button
A simple guide to turning a library button into a real Next.js link. It keeps client-side navigation and renders a proper <a> element
RSC Server Functions Are Not An API Boundary
An interesting post on the hidden API-like risks of server functions. The main point: if something needs to stay stable across deploys, it may need a real API instead.
📦 Projects / Packages / Tools
Files SDK
A new SDK that gives you a single way to work with object and blob storage across 18 providers, including S3, R2, Vercel Blob, and Google Drive. You can upload, download, list, delete, copy, and more without changing your app code when you switch providers
fate
This new data-fetching library takes some of Relay’s best ideas, like view composition and strict data selection, and brings them to regular TypeScript apps. It also supports Suspense, optimistic updates, and live views
Tailwind CSS v4.3
Highlights include new scrollbar utilities, four new color palettes, and a first-party webpack plugin with a big speed boost for Next.js apps
Base UI v1.5.0
This release is mainly about speed and bug fixes. Popups now mount and unmount much faster, and many components got fixes for forms, focus, RTL, and browser behavior
🌈 Related
React Folder Structure Best Practices
Robin Wieruch has updated his long-running guide for 2026 with a step-by-step look at how to organize React apps as they grow
Accessibility in React: Common Mistakes and How to Fix Them
Covers common React accessibility mistakes such as bad semantics, broken focus, and hidden updates, with clear tips on how to improve them
Five Models, One React Stack: Why Every LLM Builds the Same App
An interesting post on how AI models have started to favor the same tools for building React apps
From latency to instant: Modernizing GitHub Issues navigation performance
A behind-the-scenes look at how GitHub sped up Issues navigation through a combination of client-side caching, prefetching, and a service worker
Have a link you want to share? Send me an email at erfan@nextjsweekly.com
All submissions are appreciated.
👋 See you next week!