Dev weekly digest: RSC goes rogue, MDN dumps React, and GitHub finally stacks PRs

TanStack shipped its own take on React Server Components, a high-severity DoS vulnerability forced emergency React patches, and MDN rebuilt its entire frontend without a framework. Meanwhile, GitHub launched native stacked PRs, Bun got a built-in headless browser, and Google gave sites a June deadline to stop hijacking the back button. A packed week across web, mobile, and tooling.

1. TanStack Start ships experimental React Server Components

TanStack released experimental RSC support in TanStack Start, taking a fundamentally different approach from Next.js. Instead of owning the render tree, TanStack treats RSC output as plain React Flight streams you can fetch, cache, and compose on your own terms — more library than framework. The design introduces "Composite Components" with explicit server/client boundaries (no 'use client' directive required) and deliberately omits Server Actions for security reasons. Early results on tanstack.com show a 153 KB gzipped bundle reduction and Total Blocking Time dropping from 1,200 ms to 260 ms on content-heavy pages.

Source: TanStack Blog — React Server Components Your Way

2. React2DoS: Critical DoS vulnerability hits React Server Functions

CVE-2026-23869 is a high-severity (CVSS 7.5) denial-of-service vulnerability in React's Flight Protocol. An unauthenticated attacker can send a single crafted HTTP request to any Server Action endpoint, exploiting improper handling of cyclic data structures during deserialization to trigger O(n²) CPU exhaustion that locks the server for minutes. All React 19.x versions are affected. Patches have been backported to React 19.0.5, 19.1.6, and 19.2.5, and Next.js 16.2.3 includes the fix. If you use Server Functions, upgrade immediately.

Source: Imperva — React2DoS (CVE-2026-23869)

3. MDN ditches React for web components in frontend rebuild

Mozilla rebuilt MDN's entire frontend, replacing the aging React-based SPA (built on ejected Create React App) with web components and a homegrown server component system. The rationale: MDN pages are overwhelmingly static HTML and CSS with small islands of interactivity — a full JavaScript framework was overkill. The new architecture lazy-loads interactive elements as custom elements, starts the dev environment in 2 seconds instead of 2 minutes, and ships dramatically less JavaScript per page. A significant signal for the web components narrative.

Source: MDN Blog — Under the hood of MDN's new frontend

4. React Native 0.85 lands new Shared Animation Backend

React Native 0.85 ships a new Shared Animation Backend that solves a long-standing pain point: layout props like width, height, and flex can now animate via the native driver instead of being forced onto the JS thread. The unified engine replaces two separate reconciliation stacks, benefiting both the core Animated API and Reanimated. Other highlights include simultaneous CDP connections (React Native DevTools, VS Code, and AI agents no longer stomp on each other), TLS support in Metro for local HTTPS/WSS, and the Jest preset extracted to @react-native/jest-preset.

Source: React Native Blog — React Native 0.85

5. GitHub launches Stacked PRs in private preview

GitHub shipped native stacked pull requests, letting developers break large changes into small, dependent PRs that can be reviewed and merged independently. Each PR in a stack targets the branch of the PR below it, forming an ordered chain. The feature works via the UI or the new gh stack CLI. Stacked PRs have long been a top community request and a key workflow at companies using Phabricator or tools like Graphite — now they're built into GitHub itself. Join the waitlist at gh.io/stacksbeta.

Source: GitHub Stacked PRs

6. Bun 1.3.12: built-in headless browser and in-process cron

Bun v1.3.12 adds Bun.WebView, native headless browser automation with WebKit (macOS) and Chrome DevTools Protocol backends. Interactions dispatch as OS-level events (isTrusted: true), and selector-based methods auto-wait for element actionability. The release also introduces Bun.cron() for in-process scheduled tasks that share memory and database pools with your server — no external scheduler needed. The update addresses 120 issues total.

Source: Bun Blog — Bun v1.3.12

7. Node.js moves to enable Temporal API by default

After the Temporal API reached TC39 Stage 4 and V8 14.4 enabled it by default, Node.js merged the PR to enable Temporal without a flag. The change is heading for Node 26 and will finally give JavaScript developers a modern, immutable, timezone-aware date/time API as a built-in global — replacing the widely disliked Date object. Temporal has already shipped in Chrome 144 and Deno 2.7. The Node 24.15.0 LTS release also landed this week, marking require(esm) and the module compile cache as stable.

Source: Node.js PR #61806 — Enable Temporal by default

8. Google will penalize back button hijacking starting June 15

Google announced a new spam policy targeting sites that interfere with browser back-button navigation — redirecting users to pages they never visited, showing unsolicited ads, or otherwise preventing normal history navigation. Enforcement starts June 15, 2026, with penalties including manual spam actions and automated search demotions. Sites are responsible even if the behavior comes from third-party scripts or ad platforms. Frontend developers should audit any history.pushState or redirect behavior before the deadline.

Source: Google Search Central — Back button hijacking policy

9. Material UI and MUI X ship v9 with Base UI primitives

MUI released Material UI v9 alongside MUI X v9, re-aligning major versions across the design system and all advanced components. The headline is Base UI integration: NumberField and Menubar are the first primitives built on the new accessibility-focused stack. MUI X adds Chat and Scheduler components in alpha. The release focuses on better accessibility defaults, improved keyboard navigation, and theming foundations that make CSS integration smoother. MUI jumped directly from v7 to v9 to sync version numbers.

Source: MUI Blog — Introducing MUI v9

10. Nitro Fetch 1.0: drop-in fetch replacement for React Native with HTTP/3

Margelo released Nitro Fetch 1.0, a high-performance networking library for React Native that supports HTTP/3, request prefetching, streaming, FormData, WebSockets, and worklet integration. It's a drop-in replacement for the standard fetch API. A demo on the Bluesky app showed dramatic performance improvements. Combined with the Pulsar haptics library from Software Mansion (150+ haptic patterns with cross-platform SDKs) and Nitro Vector (104x faster bezier math in C++), the React Native ecosystem had a particularly productive week for native-performance libraries.

Source: Nitro Fetch on GitHub