Best of Next.js: December 2025

  1. Article
    Collections · 24w

    Critical Vulnerability in React Server Components: Immediate Action Required

    React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability with a CVSS score of 10.0, affecting React 19.0-19.2.0 and Next.js 15.x-16.x. The flaw stems from unsafe deserialization in React's Flight protocol, allowing unauthenticated attackers to execute arbitrary code through crafted HTTP requests. State-sponsored groups and cybercriminals are actively exploiting it to deploy cryptocurrency miners and backdoors. Organizations must upgrade to patched versions (React 19.0.1+, Next.js 15.0.5+) immediately, as the vulnerability impacts 39% of cloud environments and 6% of all websites. WAF rules and endpoint restrictions provide temporary mitigation.

  2. Article
    Next.js · 21w

    Next.js 16.1

    Next.js 16.1 brings Turbopack file system caching to development mode by default, delivering up to 14× faster compile times when restarting the dev server. The release includes an experimental bundle analyzer for optimizing production bundles, simplified debugging with `next dev --inspect`, and improved handling of transitive external dependencies. Additional improvements include 20MB smaller installs, a new `next upgrade` command, and better async import bundling in Turbopack.

  3. Video
    Theo - t3․gg · 22w

    Shadcn just changed forever

    Shadcn UI introduced a major update called Shadcn Create that puts customization front and center. Instead of websites looking identical with default components, developers can now configure presets, colors, fonts, icon sets, and styles before generating a project. The system supports multiple component libraries (Radix UI and Base UI), offers various design presets (Vega, Nova, Maya, Lyra, Mirror), and allows extensive theming options. Testing shows that providing AI coding assistants with a well-structured component library significantly improves UI generation quality, even for models typically weak at design. The update maintains Shadcn's philosophy of code ownership while making it easier to start with a unique design system.

  4. Article
    DEV · 20w

    I Built a Tool to Stop Wasting Time on Toxic Open Source Projects

    A developer built repo-health, a tool that analyzes GitHub repositories to help contributors identify healthy open source projects and avoid toxic ones. The system uses a hybrid scoring approach combining weighted metrics (activity, maintenance, community, documentation) with LLM-based adjustments to account for context like feature-complete projects. Key features include PR metrics analysis, contributor retention visualization, intelligent issue analysis with difficulty scoring, activity pattern detection for spam, and file-issue mapping. The author shares technical implementation details, bug fixes (cache security vulnerability, React hydration mismatch), and lessons learned about focusing on real problems over engineering challenges.

  5. Article
    Reinier · 22w

    TanStack Start Full Course - Build and Deploy a Production-Ready Full Stack App

    A comprehensive 4-hour video course teaching how to build and deploy a production-ready ecommerce application using the TanStack ecosystem. The course covers TanStack Start, Router, Query, and Form, explaining how these tools work together with Vite, Nitro, and Vinxi. It includes comparisons with Next.js and demonstrates modern React full-stack framework architecture through hands-on development.

  6. Article
    Auth0 · 24w

    Next.js 16: What’s New for Authentication and Authorization

    Next.js 16 introduces three key changes for security: renaming middleware.ts to proxy.ts to clarify its role as lightweight routing logic, making components dynamic by default with opt-in caching to prevent accidental data leaks, and adding the updateTag() API for immediate cache invalidation after permission changes. These updates establish clearer boundaries between edge-layer traffic control and downstream authentication logic, reduce risks of serving stale authorized content, and ensure permission changes take effect instantly through read-your-writes semantics.

  7. Video
    Fireship · 23w

    React.js shell shocked by 10.0 critical vulnerability…

    A critical 10.0 severity vulnerability (CVE-2025-55182) dubbed "React2Shell" has been discovered in the Flight protocol used by React Server Components. The exploit allows attackers to achieve remote code execution without authentication by sending malicious payloads that are deserialized on the server. The vulnerability affects millions of React applications using Next.js and similar frameworks, with over 2 million vulnerable servers estimated. Security researchers observed active exploitation attempts from Chinese hacking groups within hours of disclosure. Developers should immediately check their React Server Components package versions and update to patched versions.

  8. Article
    Prismic · 22w

    Best Headless CMS for Developers in 2026

    Headless CMSs offer developers flexibility, control, and scalability by separating backend from frontend. The top five platforms in 2026 are Prismic (visual page building with AI tools), Sanity (structured content with automation), Contentful (enterprise digital experience platform), Strapi (open-source with plugin ecosystem), and Hygraph (GraphQL-native). Key selection factors include pricing models, API type (REST vs GraphQL), integration ecosystem, and team workflow needs. Modern platforms increasingly include AI features for content generation, translation, and optimization.

  9. Article
    The Hacker News · 22w

    React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

    CISA has accelerated the patching deadline for React2Shell (CVE-2025-55182), a critical vulnerability with a CVSS score of 10.0 affecting React Server Components and frameworks like Next.js. The flaw allows unauthenticated remote code execution through unsafe deserialization. Since disclosure on December 3, 2025, threat actors have conducted widespread exploitation with over 35,000 attempts recorded in a single day, targeting government sites, critical infrastructure, and technology companies. Over 137,000 vulnerable IP addresses remain exposed globally, with attackers deploying cryptocurrency miners, botnet malware, and conducting reconnaissance for supply chain attacks.

  10. Video
    Web Dev Simplified · 21w

    NEW Shadcn Update is NOT as Great as Everyone Thinks

    Shadcn UI released a major update allowing developers to customize component libraries and icon libraries. While the visual theme presets get attention, the ability to swap between Radix UI and Base UI, plus different icon libraries, represents the most significant change. The update includes a new project creation tool that generates configured Next.js, TanStack Start, or Vite projects with customized themes. The framework maintains backward compatibility with existing custom registries and third-party components.

  11. Video
    YouTube · 21w

    Why I Stopped Using Next.js (And What I Switched To Instead)

    A developer shares their decision to migrate an interactive coding platform away from Next.js to TanStack Start. The main issues cited include extremely slow development mode performance (especially during video rendering), the complexity of the server components mental model, and frequent bugs with interactive features. The platform's highly interactive nature (code editors, live previews, chat) makes client-side rendering more suitable. TanStack Start was chosen due to familiarity with TanStack Query and Router, despite being in release candidate status.

  12. Article
    InfoWorld · 24w

    The complete guide to Node.js frameworks

    A comprehensive overview of Node.js web frameworks, categorized into three groups: minimalist frameworks (Express, Koa, Fastify, Hono, Nitro), batteries-included frameworks (Nest, Adonis, Sails), and full-stack meta-frameworks (Next, Nuxt, SvelteKit). Each framework is demonstrated through code examples showing how to implement a simple API endpoint with route parameters. The guide covers the architectural differences, design philosophies, and use cases for each framework, from Express's simplicity and extensibility to Nest's dependency injection and full-stack frameworks' integrated front-end and back-end development.

  13. Article
    Durgesh Bachhav · 24w

    Next.js Complete Learning Guide: Master Modern React Development

    A comprehensive guide covering Next.js 14 App Router fundamentals with practical implementation patterns. Explores file-based routing, Server and Client Components integration, data fetching strategies, caching and revalidation, loading states with Suspense, error boundaries, Server Actions for form handling, and production optimization techniques including image optimization and SEO configuration.

  14. Video
    Josh tried coding · 23w

    Build a Complete Real-Time Chat with Next.js 16, Redis, Tailwind (2025)

    A comprehensive step-by-step tutorial building a privacy-focused real-time chat application using Next.js 16, Redis, and Tailwind CSS. The guide covers setting up Elysia for type-safe API routes, implementing TanStack Query for data fetching, creating dynamic routing patterns, and building features like auto-generated usernames, room creation with automatic 10-minute expiration, and real-time messaging. Includes best practices for project structure, naming conventions, and deployment-ready code patterns.

  15. Article
    Bytes by ui.dev · 21w

    Base UI (Taylor's Version)

    Base UI v1 launched as an unstyled React component library from the Material UI creators, offering similar functionality to Radix UI but with more complex components and deeper accessibility coverage. The library has gained significant traction with 350k weekly downloads and shadcn support. Other notable updates include Next.js 16.1 with experimental bundle analyzer, React Aria v1.14.0 with new docs, Convex's reusable components challenge, and Chrome DevTools MCP server for live debugging. A JavaScript quiz explores Symbol behavior in objects and JSON stringification.

  16. Article
    DigitalOcean · 21w

    Speed Up Your JavaScript Apps: Native Bun Support is Now Available on App Platform

    DigitalOcean App Platform now supports Bun natively, allowing developers to deploy Bun applications directly from code repositories without configuration files. The platform uses Cloud Native Buildpacks to automatically detect, build, and deploy Bun apps. Key features include zero-configuration deployment, automatic runtime detection via bun.lock files, and seamless Next.js support. Developers can migrate existing Node.js apps by simply replacing package-lock.json with bun.lock. The platform supports three deployment workflows: Cloud Native Buildpacks, Dockerfiles, and pre-built images.

  17. Article
    Reinier · 23w

    Next.js 16 Full Stack Course (8+ Hours) | Auth, Caching, Server Actions & Much More

    An 8+ hour comprehensive video course covering Next.js 16 from fundamentals to advanced concepts. The tutorial builds a production-ready full-stack application while teaching routing, server components, authentication, data fetching, real-time updates, caching strategies, and deployment. Includes coverage of new Next.js 16 features like Cache Components for improved performance and efficiency.