A security vulnerability in React related to React Server Components was identified over the holiday weekend.
On Nov. 29, Lachlan Davidson, a security consultant for the New Zealand-based security firm Carapace, reported the vulnerability. It allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
“Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components,” the React team warned Wednesday.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1 and 19.2.0 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
It requires immediate action, the team noted, with a fix introduced in versions 19.0.1, 19.1.2 and 19.2.1. Users will need to upgrade the packages to the fixed versions.
“If your app’s React code does not use a server, your app is not affected by this vulnerability,” the team added. “If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.”
The affected frameworks and bundlers include: Next, react-router, Waku, @parcel/rsc, @vitejs/plugin-rsc and Redwood SDK.
The full post outlines how to update to address the vulnerability.
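As an added example (not from the React advisory or the React project), this Python script walks a package-lock.json and flags any of the three affected packages pinned below the fixed patch release for its line. It reads the advisory's "19.0" as 19.0.0 (an assumption), treats canary/prerelease builds as needing manual review, and the embedded lockfile fragment is constructed.

```python
import json
import re
import sys

# Packages named in the React advisory; its "19.0" is read here as 19.0.0 (assumption).
AFFECTED_PACKAGES = frozenset({"react-server-dom-webpack", "react-server-dom-parcel",
                               "react-server-dom-turbopack"})
# First fixed patch release on each affected release line: 19.0.1, 19.1.2, 19.2.1.
FIRST_FIXED_PATCH = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

def classify(name: str, version: str) -> str:
    """Return 'affected', 'fixed', 'prerelease', 'not-listed' or 'unparsed'."""
    if name not in AFFECTED_PACKAGES:
        return "not-listed"
    m = _SEMVER.match(version.strip())
    if not m:
        return "unparsed"
    if m.group(4):
        return "prerelease"  # canary builds are outside the advisory's list; review by hand
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed_patch = FIRST_FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return "not-listed"  # e.g. an 18.x release line
    return "affected" if patch < fixed_patch else "fixed"

def audit_lockfile(lock: dict) -> list:
    """Walk a lockfileVersion 2/3 package-lock.json and list installs needing attention."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        # Keys look like "node_modules/<name>" or ".../node_modules/<name>" when nested.
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        status = classify(name, version)
        if status in ("affected", "prerelease", "unparsed"):
            findings.append((path, version, status))
    return findings

# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    "node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    "node_modules/react": {"version": "19.2.0"},
}}

if __name__ == "__main__":  # usage: python audit_rsc.py [package-lock.json]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(*audit_lockfile(lock), sep="\n")
```

Nested copies (a second react-server-dom-* pulled in under a framework's own node_modules) are reported with their full path, so an upgrade at the top level alone is not mistaken for a full fix.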
TanStack Releases Framework-Agnostic AI Tool
The team at TanStack released on Wednesday TanStack AI, “a framework-agnostic AI toolkit built for developers who want control over their stack.”
“We’re building the Switzerland of AI tooling,” the TanStack team wrote. “An honest, open source set of libraries (across multiple languages) that works with your existing stack instead of replacing it.”
The alpha release includes a server that supports multiple languages, with JavaScript/TypeScript, PHP and Python available now. It also offers adapters for OpenAI, Anthropic, Gemini and Ollama. The TypeScript server library also handles summarizations and embeddings, the team added.
TanStack AI uses an open, published protocol.
“We’ve documented exactly how the server and client communicate,” the team stated. “Use whatever language you want. Use whatever transport layer you want. HTTP, websockets, smoke signals. As long as you speak the protocol through a connection adapter, our client will work with your backend.”
In addition to these features, it offers:
- Isomorphic tool support so developers can define tools once with meta definitions, then provide isolated server and client implementations. “This architecture gives you type safety that actually works across your entire application,” the team stated.
- Client libraries for vanilla JS, React and Solid, with Svelte and others planned.
- Per-model type safety that actually matters. “Every provider has different options. Every model supports different modalities. Text, audio, video, tools,” the blog post states. “We give you full typing for providerOptions on a per-model basis, so your IDE knows exactly what each model can do. No more guessing. No more runtime surprises.”
- Isomorphic devtools. The AI devtools panel provides insight into what the LLM is doing on both sides of the connection, they explained, so you can see what’s happening on the server and client.
More is in the works, including headless chatbot UI components for React and Solid.
TanStack has also advanced the TanStack Pacer API to beta. Pacer provides utilities for framework-agnostic debouncing, throttling, rate limiting, queuing and batching.
Microsoft Web Install API Available for Edge
Microsoft’s Web Install API is now available to test on sites as an origin trial on Microsoft Edge. It’s available for Windows, macOS and Linux.
“With the Web Install API, your website can request the browser to install other web applications on the user’s device, by calling the asynchronous navigator.install() function,” wrote Diego González, the program manager for Microsoft Edge. “This allows you to invoke the browser’s built-in web app installation experience from your own user interface and exactly when you need it.”
Basically, it can help developers improve the installation experience of an app or suite of apps, but it can also be used for app store-like experiences, González noted.
The blog post provides a brief tutorial on how to use the API.
Django 6.0 Released
On Wednesday, Django fellow Natalia Bidart announced version 6.0 of the web framework Django is available.
Highlights of this release include:
- Template Partials, which “modularize templates using small, named fragments for cleaner, more maintainable code.”
- Background Tasks, which runs code outside the HTTP request-response cycle.
- Content Security Policy (CSP), which protects against content injection by helping configure and enforce browser-level security policies.
- A modernized email API that lets you compose and send emails with Python.
With this release, Django 5.2 reaches the end of mainstream support with the final minor bug fix release, 5.2.9, issued Tuesday. It will still receive security and data loss fixes until April 2028, although users are encouraged to upgrade before then.
The AdventJS Underway
Looking for a new challenge but don’t want to write your own JS framework? Check out AdventJS, which offers a coding challenge to be solved in JavaScript, TypeScript or Python for every day leading up to Christmas on Dec. 25.
The Advent of Code challenge began in 2015 and is free; however, this year it’s undergone some changes, including removing the global leaderboard, according to creator Eric Wastl.
Developers can send as many solutions as they want and only the best score will be saved.