#React

React Native OTA after CodePush: Stallion vs EAS Update, rollback and signing

CodePush shut down in March 2025. Compared EAS Update, self-hosted, and Stallion for React Native OTA — rollback, bundle signing, delta delivery — plus Unity AssetBundle parallels, TestFlight for personal apps, PWA Service Worker cache traps, and the lifecycle of deployed code.

Next.js 16.2.6 and 15.5.18 patch Middleware bypass and RSC DoS across 13 advisories

Next.js 16.2.6 / 15.5.18 dropped 13 security advisories at once. The impact depends on whether you use App Router, Middleware, RSC, or self-hosted Node.js server — here's where to look before upgrading.

Streaming SSR Shrinks the Blank Time Caused by the Slowest API

Based on Pareto's Streaming SSR article, why TTFB degrades on SSR pages waiting for multiple APIs, and what to check in DevTools and APM.

ACE-Step UI Turns Local Music Generation into a Production App

fspecii/ace-step-ui wraps ACE-Step 1.5's Gradio API in a React/Express/SQLite app with a library, player, editing, and stem separation. On Mac, the MLX+MPS split brings memory and LoRA constraints.

Auto-assigning piano fingerings from a score based on hand size via physics simulation

A browser tool that reads MusicXML and returns fingerings tuned to your hand size and biomechanical constraints. Walks through the backtracking cost minimization, the actual weight values, the academic lineage since Parncutt 1997, and why the same framework generalizes to guitar.

UAT-10608 used React2Shell to steal credentials from 766 Next.js hosts

Cisco Talos tracked UAT-10608 exploiting CVE-2025-55182 (React2Shell) to compromise 766 Next.js hosts and automatically collect DB credentials, SSH keys, and AWS/Stripe/GitHub tokens.

Cloudflare's bot-management script was reading React's internal state

A reverse-engineering report decrypted the obfuscated bytecode running on ChatGPT's login page and uncovered the 55-field fingerprinting system and React Fiber inspection behind Cloudflare Turnstile.

The chardet relicensing dispute and the launch of the React Foundation

A summary of the dispute in which chardet's original author argues that the LGPL-to-MIT relicensing was invalid, and the formal launch of the React Foundation under the Linux Foundation. Two very different cross-sections of OSS governance.

Making an Explainer Video with Remotion + VOICEPEAK

Putting last article's research into practice: turning a post about search data structures into a 2.5-minute explainer video.

Create explainer videos in code with Remotion + VOICEPEAK

Explored how to auto-generate explainer videos by combining Remotion, which lets you write videos with React, and VOICEPEAK, which offers a CLI.

npm Was Broken So I Switched to pnpm [React2Shell Vulnerability]

npm install kept failing with a mysterious error while patching Next.js/React for a security vulnerability. Switching to pnpm fixed it immediately.

Notes on addressing the Next.js/React 'React2Shell' vulnerability

A summary of how to verify impact and the mitigation steps for the CVSS 10.0 React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478), plus additional DoS and source code exposure issues.