Episode Details

Back to Episodes

TMiR 2025-12: Year in review, React2Shell (RCE, DOS, SCE, oh my)

Season 2 Episode 12 Published 5 months ago

Description

Full transcript at Reactiflux

Main Content

React2Shell vulnerability
- Initial announcement
  - Followup denial-of-service CVE and source code exposure CVE
  - Vercel bulletin
- Cloudflare
  - Cloudflare report on exploit attempts
  - Cloudflare outage on December 5, 2025
- Tech analysis: “Flight Protocol”
- Vuln is carefully crafted Promise deserialization + `new Function` eval
- PRs: Initial fixes, Promise cycles / function toString, more Promise cycles
- Guillermo’s breakdown
- Shruti’s breakdown
- Comms critique
- “React is rainbow colored (function types)”
- What does this mean for React and RSC adoption going forward?
- When I go back and look at react.dev now \[…\] it feels half-finished
React Native year in review
- More CSS support
- Expo EAS hosting
- RN 0.78: React 19 support
- Lynx launched
- RN 0.79: JSC moving to Community Package
- RN 0.80: Freezing the legacy architecture
- RN 0.81: Android 16 support for edge to edge
- 1.0 on the horizon
- Vega OS launched
- RN 0.82: Only new architecture
- Expo App Awards
- RN 0.83: New Devtools - no breaking changes
React year in review
- CRA deprecation, new install docs (Vite\!)
- Styled Components Deprecated
- Releases: 19.2 (Activity, useEffectEvent), Compiler 1.0
- Research: View Transitions canary, perf, concurrent stores, “throw a promise” deprecated (but not merged yet)
- “Async React” and the

Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.