1. Critical Vulnerabilities in React Server Components (React2Shell)
Dates: December 3-11, 2025
Links: React Advisory | Next.js Security Update | CVE Details
A series of critical vulnerabilities was discovered in React Server Components:
- CVE-2025-55182 (CVSS 10.0) – Remote Code Execution via RSC payload deserialization, allowing arbitrary JavaScript execution on the server without authentication
- CVE-2025-55184 / CVE-2025-67779 (CVSS 7.5) – Denial of Service through infinite loop during deserialization
- CVE-2025-55183 (CVSS 5.3) – Server Actions source code exposure
Affected versions:
- React: 19.0.0 - 19.2.2 (patches: 19.0.4, 19.1.5, 19.2.4)
- Next.js: 13.x, 14.x, 15.x, 16.x (patches: 16.0.10, 15.5.9 and others)
- Entire RSC ecosystem: Vite, Parcel, React Router, RedwoodJS, Waku
Attack scale:
Within 48 hours after CVE publication, the PCPCat campaign compromised 59,128 servers (64.6% success rate), stealing credentials from .env files, SSH keys, and AWS configs.
Action required:
Update immediately to the patched versions via npx fix-react2shell-next, and rotate all secrets.
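A version check for the update step above, as an added example that is not part of the original digest or of any project's tooling: it walks the packages map of a package-lock.json and flags react and next copies, nested ones included, that are below the patched versions this digest lists. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Patched versions are the ones listed in this digest; release
// lines it does not list (e.g. Next.js 13.x/14.x) are reported as "unknown".
const PATCHED = {
  react: { "19.0": "19.0.4", "19.1": "19.1.5", "19.2": "19.2.4" },
  next: { "16.0": "16.0.10", "15.5": "15.5.9" },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v));
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// Returns "patched", "update", "not-affected" or "unknown" for one package.
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  if (name === "react" && v.major < 19) return "not-affected"; // range starts at 19.0.0
  const fixed = (PATCHED[name] || {})[`${v.major}.${v.minor}`];
  if (!fixed) return "unknown"; // no patch listed here: consult the advisory
  const f = parseVersion(fixed);
  // A prerelease of the fixed version sorts before it, so it still needs updating.
  return v.patch < f.patch || (v.patch === f.patch && v.pre) ? "update" : "patched";
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including nested copies such as node_modules/a/node_modules/react.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace entry
    const name = path.slice(i + "node_modules/".length);
    if (!Object.hasOwn(PATCHED, name)) continue;
    const status = classify(name, entry.version);
    if (status === "update" || status === "unknown") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app" },
  "node_modules/react": { version: "19.2.4" },
  "node_modules/next": { version: "15.5.7" },
  "node_modules/some-widget/node_modules/react": { version: "19.1.0" },
  "node_modules/lodash": { version: "4.17.21" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

An "unknown" result means this digest lists no patched version for that release line, so the upstream advisory has to be checked before the copy is treated as safe.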
2. Next.js 16 + 16.1: Caching Revolution and Turbopack in Production
Release: October 21, 2025 (16.0) | December 18, 2025 (16.1)
Links: Next.js 16 | Next.js 16.1
Next.js 16 introduces fundamental architectural changes:
Cache Components:
- New caching model with use cache directive – explicit control instead of implicit
- Integration with Partial Pre-Rendering (PPR) for instant navigation
- Compiler automatically generates cache keys
Turbopack (stable):
- Default bundler with 5-10x faster Fast Refresh and 2-5x faster builds
- 16.1: File System Caching is stable for next dev – dev server restart up to 14x faster on large projects (react.dev: 3.7s → 380ms, ~10x)
- Bundle Analyzer (experimental) – interactive tool for bundle optimization with import tracing
Architectural changes:
- proxy.ts replaces middleware.ts – explicit network boundary definition
- React Compiler Support (stable) – automatic memoization without manual useMemo/useCallback
- Layout deduplication during prefetching – shared layout downloaded once, not 50 times
3. TypeScript 5.8: Enhanced Type Safety and Direct Node.js Execution
Release: February, 2025
Links: TypeScript 5.8 | Release Notes
TypeScript 5.8 strengthens type safety and simplifies Node.js interoperability:
Checked Returns for Conditional Expressions:
declare const cache: Map<any, any>;
function getUrlObject(urlString: string): URL {
    return cache.has(urlString)
        ? cache.get(urlString) // ✅ return type is checked
        : urlString; // ❌ Error: Type 'string' is not assignable to 'URL'
}
--erasableSyntaxOnly flag:
- Support for direct TypeScript execution in Node.js 23.6+ via --experimental-strip-types
- Compiler blocks non-erasable syntax (enums, namespaces, parameter properties)
require() for ESM modules:
- Flag --module nodenext now supports require("esm") from CommonJS
- Solves dual-publishing problem for libraries
Performance optimizations:
- Avoiding array allocations during path normalization
- Faster watch mode and editor scenarios for large projects
TypeScript 5.9 (GA release August 1, 2025) continued improvements to conditional types, added deferred imports (import defer) and --module node20.
4. CSS 2025: Customizable Select, if() Function, and Invoker Commands
Links: CSS Wrapped 2025 | Modern CSS 2025 | State of CSS 2025
2025 brings revolutionary CSS capabilities that reduce JavaScript dependency:
Customizable Select (stable in Chrome 135+):
select,
::picker(select) {
    appearance: base-select;
}
Fully styleable <select> menus – option to change OS default rendering.
if() Function (Chrome):
background: if(
    style(--theme: dark): black;
    style(--theme: light): white;
    else: gray;
);
Conditional property setting based on custom properties on the same element (unlike container queries).
Invoker Commands API:
<button commandfor="myDialog" command="show-modal">Open</button>
<dialog id="myDialog">Hello!</dialog>
Working with <dialog> and <popover> without JavaScript – browser handles interactions natively. Reached Baseline status: Chrome 135, Edge 135, Firefox 144, Safari 26.2.
field-sizing: content:
Automatic <textarea> growth to fit content without JavaScript – long-awaited feature.
sibling-count() / sibling-index():
Getting element index among siblings directly in CSS – previously required hardcoding in HTML or JS.
Custom CSS Functions:
Ability to create custom CSS functions – radical language expansion.
Usage leaders (State of CSS 2025):
- :has() – #1 most-used and most-loved
- subgrid – #2 most-loved
- aspect-ratio – #2 usage, #3 sentiment
5. React 19.2: View Transitions, useEffectEvent(), and Ecosystem Stabilization
Release: October 2025
Links: React 19.0-19.2 | React 19 Overview
React 19.2 – third release this year, focusing on refinement:
View Transitions API (canary/experimental):
Groundwork for native smooth UI state transitions. The <ViewTransition /> component is only available in the canary channel and was not included in the stable 19.2 release.
useEffectEvent() (stable):
Separation of reactive logic from event logic – simplified event handling without unnecessary re-renders.
<Activity/> component:
New primitive for hiding/showing UI while preserving state. Supports visible and hidden modes — in hidden mode the component is not displayed, effects are unmounted, and updates are deferred.
Owner Stack (dev-only, 19.1):
Helps trace where a component was rendered from – critical for debugging complex trees.
React 19.0 (December 2024):
- Server Components (stable)
- Actions + useActionState, useFormStatus, useOptimistic
- React Compiler (beta) – automatic memoization (stable 1.0 released October 7, 2025)
- ref as prop for function components (without forwardRef)
Critical note: The ecosystem is transitioning with challenges due to breaking changes in async params (Next.js 15), but performance gains justify the migration.
Quarter Summary: The frontend ecosystem experienced a turbulent period with critical React2Shell vulnerabilities, but simultaneously received powerful tools for building performant applications. Next.js 16 with Turbopack and new caching, TypeScript 5.8 with direct execution, CSS with native dialogs and conditional functions – all of this enables writing less JavaScript and more declarative code.