WEBVTT

NOTE
This file was generated by Descript 

00:00:00.050 --> 00:00:00.770
Carl: Hello everyone.

00:00:00.770 --> 00:00:04.220
Thank you for joining us for this
edition of this year in React, since

00:00:04.220 --> 00:00:08.100
it's the December edition of this month
in React, as we're gonna recap what's

00:00:08.100 --> 00:00:11.820
going on with React, React Native and
the web more generally, or I guess

00:00:11.850 --> 00:00:16.150
really what has happened, what has
been going on through 2025, just to

00:00:16.150 --> 00:00:17.380
give you a little rich perspective.

00:00:17.830 --> 00:00:20.650
Although we do have so much new stuff
to talk about this month, so that's

00:00:20.650 --> 00:00:22.090
gonna be a little bit goofy too.

00:00:22.480 --> 00:00:23.260
We gotta balance both.

00:00:23.260 --> 00:00:26.050
We're actually planning on doing
a longer episode than usual this

00:00:26.050 --> 00:00:29.310
month. Mark and I are gonna hang
out for closer to 90 minutes.

00:00:29.310 --> 00:00:30.930
Mo's got to leave at an hour.

00:00:30.930 --> 00:00:32.120
But yeah.

00:00:32.270 --> 00:00:33.290
Let's get into it.

00:00:33.860 --> 00:00:36.920
I'm Carl, I'm a staff product
developer and freelance community

00:00:36.920 --> 00:00:40.760
leader here at Reactiflux, where I run
community programs like this and build

00:00:40.760 --> 00:00:43.940
tools like a moderation bot that is
growing steadily more complicated.

00:00:44.440 --> 00:00:45.345
Mark: Hi, I'm Mark.

00:00:45.345 --> 00:00:47.145
My day job is working at Replay.

00:00:47.145 --> 00:00:51.075
My second unpaid job is working
on Redux related things.

00:00:51.315 --> 00:00:54.585
And my third unpaid job is
copy pasting links like crazy.

00:00:55.085 --> 00:00:56.375
Mo: And my name is Mo.

00:00:56.405 --> 00:00:58.925
I head the mobile team at Theodo in the UK.

00:00:59.205 --> 00:01:03.945
And I am a member of the React Native
community who organizes meetups,

00:01:03.945 --> 00:01:05.205
like the React Native London Meetup.

00:01:05.205 --> 00:01:08.055
And I also organized the RNL
Conf, which just happened

00:01:08.055 --> 00:01:10.095
last month and was great fun.

00:01:10.595 --> 00:01:10.860
Carl: Yeah.

00:01:10.950 --> 00:01:12.660
A leader in the React Native community.

00:01:12.660 --> 00:01:14.220
I'd even go so far as to say,

00:01:14.405 --> 00:01:17.075
Mo: I would say member Member
is, and member humility is good.

00:01:17.575 --> 00:01:18.115
Carl: yes it is.

00:01:18.145 --> 00:01:18.805
Okay, fine.

00:01:19.305 --> 00:01:19.815
A steward.

00:01:20.118 --> 00:01:22.301
Mo: I, I appreciate you, Carl, as always.

00:01:22.554 --> 00:01:23.814
Carl: Let's get into some new releases.

00:01:24.264 --> 00:01:28.344
Base UI has a v1 release
candidate coming on.

00:01:28.864 --> 00:01:29.344
Yeah.

00:01:29.534 --> 00:01:32.114
I actually got a chance to
speak to the maintainer of

00:01:32.114 --> 00:01:34.394
Base UI at React Conf briefly.

00:01:34.394 --> 00:01:40.534
I hadn't realized it, but it is like
fully a relaunch of, oh, I'm blanking

00:01:40.534 --> 00:01:42.394
on the other library that they were

00:01:42.394 --> 00:01:42.784
Mark: doing.

00:01:42.784 --> 00:01:43.019
Radix,

00:01:43.284 --> 00:01:43.884
Carl: Yes.

00:01:43.919 --> 00:01:45.804
Mark: or, or, or equivalent of Radix.

00:01:46.164 --> 00:01:46.584
Carl: yes.

00:01:46.584 --> 00:01:52.794
So apparently Base UI is a relaunch of
Radix, essentially because the team got

00:01:52.794 --> 00:01:55.044
acquired, the Radix team got acquired.

00:01:55.074 --> 00:02:00.166
They were given verbal promises
that they would be allowed to

00:02:00.166 --> 00:02:02.776
continue maintaining it as part of
their full-time responsibilities.

00:02:03.046 --> 00:02:06.016
And that was not true and they
did not have a contract saying it.

00:02:06.706 --> 00:02:09.826
So, they have relaunched
under a new project, which is

00:02:09.826 --> 00:02:11.596
unfortunate, but also great.

00:02:11.596 --> 00:02:14.086
I don't know, sometimes it's
nice to get another chance to

00:02:14.356 --> 00:02:16.186
do the thing from scratch again.

00:02:16.686 --> 00:02:17.166
I guess.

00:02:17.346 --> 00:02:21.246
So anyway, they've got a v1 release
candidate coming out, which is cool.

00:02:21.746 --> 00:02:26.096
Mo: Next up we have React Native
version 0.83, which is very

00:02:26.096 --> 00:02:27.266
exciting for a few reasons.

00:02:27.516 --> 00:02:31.358
I'll start from the somewhat non-obvious
reason, but it's also a good one worth

00:02:31.358 --> 00:02:35.858
mentioning, which is there are no breaking
changes in this, and I cannot stress

00:02:35.858 --> 00:02:39.953
how important that is for a React Native
version release because, every single

00:02:40.103 --> 00:02:43.438
time you update a React Native version,
it's typically, at least, especially in

00:02:43.438 --> 00:02:46.528
the past, had a reputation that it is a
painful process and you're gonna need to

00:02:46.528 --> 00:02:48.778
change a lot in your app to make it work.

00:02:49.048 --> 00:02:53.428
And not having any breaking changes is
super cool, like, like big props to the

00:02:53.428 --> 00:02:55.718
React Native Core team for doing this.

00:02:55.718 --> 00:02:57.848
And so, super, super cool.

00:02:57.908 --> 00:03:00.978
And I'm excited to see this as
the direction that we're going with

00:03:00.978 --> 00:03:04.308
releases, which kind of makes sense
when you go back to what we heard

00:03:04.308 --> 00:03:07.513
at React Conf, and React Universe
Conf. Other things in this release.

00:03:07.763 --> 00:03:11.473
The new dev tools is something that's
been in the works for a very long time.

00:03:11.793 --> 00:03:14.493
And Alex Hunt and some of the other
folks at Meta have been working

00:03:14.493 --> 00:03:15.483
on this for a really long time.

00:03:15.483 --> 00:03:16.683
We got demos of it earlier.

00:03:16.963 --> 00:03:19.813
And they've been working more and more on
this and adding things like performance

00:03:19.813 --> 00:03:21.403
tracing and network inspections.

00:03:21.653 --> 00:03:24.983
So we saw a lot of these as demos
earlier, but now it's really, really

00:03:24.983 --> 00:03:27.606
coming through and uh, we're seeing
it in production, which is awesome.

00:03:27.666 --> 00:03:30.606
So a lot of cool stuff and some other
stuff that I won't go into in the

00:03:30.606 --> 00:03:33.426
interest of time, but massive props
to the Meta team for getting this out.

00:03:33.926 --> 00:03:34.216
Carl: Yeah.

00:03:34.821 --> 00:03:39.801
And I believe they gave a pretty big
demo of the dev tools at React Conf.

00:03:39.801 --> 00:03:40.251
Is that right?

00:03:40.751 --> 00:03:41.201
Mo: Yep.

00:03:41.201 --> 00:03:46.121
But they've also been demoing it from
last year at React Universe Conf, so it's

00:03:46.121 --> 00:03:48.011
been, there's been a long time since 2024.

00:03:48.011 --> 00:03:51.431
They've been demoing this and there's
teasers of it coming out at some point.

00:03:51.431 --> 00:03:53.441
So it's been in the making for a while.

00:03:53.471 --> 00:03:56.531
Obviously, it's been getting more and
more mature and more ready for sort of

00:03:56.531 --> 00:03:57.946
a production release out to everyone.

00:03:58.446 --> 00:03:58.926
Carl: sure.

00:03:58.956 --> 00:04:02.016
It wouldn't surprise me if there's some
overlap with the new architecture too.

00:04:02.046 --> 00:04:05.526
'cause if you're gonna totally
change how the internals work,

00:04:05.556 --> 00:04:09.516
then doing instrumentation and
developer tool stuff is really hard.

00:04:09.516 --> 00:04:10.266
So that makes

00:04:10.482 --> 00:04:13.062
Mo: some tools were really painful
before these new dev tools like

00:04:13.062 --> 00:04:17.569
Flipper, the React Native support got
deprecated, was notoriously difficult

00:04:17.839 --> 00:04:18.109
Mark: use.

00:04:18.109 --> 00:04:18.589
So

00:04:18.842 --> 00:04:19.982
Mo: this is a move in the right direction.

00:04:19.982 --> 00:04:20.252
Obviously.

00:04:20.252 --> 00:04:21.512
There was a, there was much demand for it.

00:04:22.012 --> 00:04:22.522
Carl: very cool.

00:04:22.633 --> 00:04:25.813
Mark: Next up the, the last couple
months we've mentioned that Christophe

00:04:25.993 --> 00:04:30.553
Nakazawa had been posting teasers
on Twitter for a new data fetching

00:04:30.553 --> 00:04:32.773
library that he was calling fate.

00:04:33.193 --> 00:04:35.473
And so he's put out the
first alpha of that.

00:04:35.783 --> 00:04:40.373
The main ideas are, it's got some
graph QL like features in terms of

00:04:40.373 --> 00:04:45.423
components specifying what pieces
of data they actually need and being

00:04:45.423 --> 00:04:47.553
able to sub-select pieces of data.

00:04:47.863 --> 00:04:53.473
But it's a wrapper layer on top of
tRPC, so, it'll be interesting to

00:04:53.473 --> 00:04:56.773
see how this one actually compares
in practice to the 15 million other

00:04:56.773 --> 00:04:58.273
data fetching libraries out there.

00:04:58.493 --> 00:05:00.173
But nice to see another new approach.

00:05:00.673 --> 00:05:03.943
Meanwhile, the VoidZero folks
have several different new and

00:05:04.003 --> 00:05:05.773
alpha and beta releases coming out.

00:05:06.113 --> 00:05:11.663
The Oxlint linting tool has, and now
has support for type aware linting

00:05:11.723 --> 00:05:15.563
with the tsgo native build built in.

00:05:16.103 --> 00:05:22.747
And Oxfmt tool has its first alpha
they say it is essentially almost

00:05:22.992 --> 00:05:27.167
entirely Prettier compatible. I think,
maybe not this release, but a future one.

00:05:27.167 --> 00:05:30.467
They're working to include
tailwind formatting support

00:05:30.677 --> 00:05:33.657
as well, so, faster tools.

00:05:33.717 --> 00:05:34.317
Very good.

00:05:34.482 --> 00:05:39.942
Then along with that Vite 8 is in
beta and this is the release that will

00:05:39.942 --> 00:05:46.602
include the Rolldown Rust-based build
tool replacing esbuild and Rollup.

00:05:47.082 --> 00:05:51.492
So they are very, very busy
cranking along on all the different

00:05:51.492 --> 00:05:52.812
pieces of their ecosystem.

00:05:53.254 --> 00:05:53.764
Carl: Yeah.

00:05:53.794 --> 00:05:58.204
I guess TanStack is also exploring
and they're, they've released an alpha

00:05:58.204 --> 00:06:01.084
of an AI SDK. Yeah, I don't know.

00:06:01.084 --> 00:06:01.324
AI

00:06:01.324 --> 00:06:04.174
SDK is so hot right now,
or so hot a year ago.

00:06:04.259 --> 00:06:06.694
This, this is a bit of a
late entry into that market.

00:06:07.094 --> 00:06:11.174
But TanStack, Tanner Linsley generally
has done so many great things that

00:06:11.174 --> 00:06:12.764
I'm, oh, you know, I'll see what he do.

00:06:12.794 --> 00:06:13.634
I'll see what he does here.

00:06:13.904 --> 00:06:17.484
He's got good opinions about
developer experience and the

00:06:17.484 --> 00:06:18.924
contracts we interact with.

00:06:19.534 --> 00:06:20.044
Yeah,

00:06:20.139 --> 00:06:22.364
Mark: I talked to him at,
at React Summit when he was

00:06:22.864 --> 00:06:26.884
dropping hints that this was in the
works, and he said like, it wasn't even

00:06:26.884 --> 00:06:31.894
something that he was intending to do
himself originally, and supposedly a

00:06:31.894 --> 00:06:36.754
lot of folks from the ecosystem asked
if TanStack would build an alternative

00:06:36.754 --> 00:06:41.814
to the Vercel AI SDK, just so there
was competition, and that, the main

00:06:41.814 --> 00:06:44.624
entry here wasn't just owned by Vercel.

00:06:45.024 --> 00:06:51.144
And trying to take the same vendor
agnostic and fully typed approach that

00:06:51.144 --> 00:06:54.094
all the other TanStack tools use.

00:06:54.594 --> 00:06:55.974
Mo: that's so, so important.

00:06:56.004 --> 00:06:57.894
I'm, and I'm glad someone
else is doing that.

00:06:58.086 --> 00:07:02.046
Having the option to have something like
TanStack Start as a, another way to handle

00:07:02.046 --> 00:07:03.696
this is just so good for the ecosystem.

00:07:03.756 --> 00:07:07.376
And I am glad that someone's
tackling the AI SDK space because.

00:07:08.051 --> 00:07:09.611
Yeah, competition's great.

00:07:10.111 --> 00:07:11.581
Carl: Yeah, no, it, it totally agree.

00:07:11.581 --> 00:07:11.851
I don't know.

00:07:11.851 --> 00:07:16.831
It feels very good to have a legitimate
community maintained option that's not,

00:07:16.831 --> 00:07:20.541
like, great Google's doing it, Facebook's
doing it, everyone has their own thing,

00:07:20.541 --> 00:07:25.371
but like, really nice to have one that's
open source first, so that's good.

00:07:25.871 --> 00:07:26.201
Yes.

00:07:26.231 --> 00:07:26.591
Okay.

00:07:26.621 --> 00:07:30.101
Let's get into our main content,
starting with can anyone guess it's

00:07:30.101 --> 00:07:32.411
gonna be the React2Shell vulnerability?

00:07:32.661 --> 00:07:36.701
The biggest news in a very
long time. What happened?

00:07:37.151 --> 00:07:43.715
It was a major, major remote code
execution vulnerability in RSCs where

00:07:43.715 --> 00:07:48.155
you didn't even need to be using
RSCs for your app to be vulnerable.

00:07:48.485 --> 00:07:52.975
If the server supported it,
then an attacker could send a

00:07:53.245 --> 00:07:57.685
specific payload to your server
and get a remote code execution.

00:07:58.255 --> 00:07:59.035
It's real bad.

00:07:59.095 --> 00:08:03.855
This is, like, the fact that not only
is it full remote code execution, but

00:08:04.355 --> 00:08:07.175
combined with the fact that you don't
even need to be taking advantage of the

00:08:07.175 --> 00:08:12.755
feature, it just needs to be enabled
in your environment is pretty bad.

00:08:12.815 --> 00:08:13.415
That's pretty bad.

00:08:13.995 --> 00:08:16.225
Actually, in the ensuing drama.

00:08:16.375 --> 00:08:20.678
So a uh, longtime, serial entrepreneur
in the community was posting about

00:08:20.678 --> 00:08:22.088
like "uh-oh, I think I'm vulnerable.

00:08:22.448 --> 00:08:22.838
Uh-oh.

00:08:22.868 --> 00:08:23.108
Yep.

00:08:23.138 --> 00:08:24.608
I got exploited, uh-oh.

00:08:24.638 --> 00:08:30.055
My Docker is also vulnerable to a recent
vulnerability that enabled container

00:08:30.055 --> 00:08:34.225
escape." So like it turned, just like
researching this React vulnerability

00:08:34.255 --> 00:08:40.425
combined with some other recent container
vulnerability they were exposed to let an

00:08:40.425 --> 00:08:45.713
attacker not only get into their system,
but escape the containment of what is

00:08:45.713 --> 00:08:46.973
supposed to be a security layer there.

00:08:46.973 --> 00:08:47.363
So, yeah.

00:08:47.393 --> 00:08:47.753
Oof.

00:08:47.819 --> 00:08:49.919
it's been a bad six weeks.

00:08:50.219 --> 00:08:51.299
No, it's been a bad year.

00:08:51.299 --> 00:08:53.489
It's been a really bad
year for computer security.

00:08:53.609 --> 00:08:54.539
Like, holy shit.

00:08:55.039 --> 00:08:57.619
Mark: How many different problems have
we listed like there were, we'll talk

00:08:57.619 --> 00:09:04.769
about it more later, but Next middleware
bypass, npm hacks, Nx, React2Shell,

00:09:04.789 --> 00:09:07.429
like the JS ecosystem is hurting.

00:09:07.929 --> 00:09:10.470
Mo: I think we've heard
anything quite as bad as this.

00:09:10.470 --> 00:09:14.936
Like as in the industry since the
big Java vulnerability in '22?

00:09:14.936 --> 00:09:17.741
Mark: I think it, I, I think
that was Log2Shell maybe.

00:09:17.831 --> 00:09:19.766
Mo: was like that was the last

00:09:19.766 --> 00:09:22.706
big where you heard about it
all over where people could

00:09:22.706 --> 00:09:24.416
exploit Java Spring applications.

00:09:24.416 --> 00:09:26.846
So people were just exploiting backends
left, right, and center, and it was

00:09:26.846 --> 00:09:28.076
a serious critical vulnerability.

00:09:28.286 --> 00:09:32.956
I think this is like like as bad if not
worse, and there hasn't been anything

00:09:32.956 --> 00:09:36.406
quite this severe since then that I
can recall making news like this.

00:09:36.906 --> 00:09:38.787
Carl: Yeah, You get one of these

00:09:38.787 --> 00:09:39.957
every couple years.

00:09:40.377 --> 00:09:42.447
'cause Log2Shell was
definitely one of them.

00:09:42.777 --> 00:09:44.877
I remember Heartbleed 10 years ago.

00:09:45.377 --> 00:09:46.427
these do happen.

00:09:47.117 --> 00:09:49.457
It's never good when it's your ecosystem.

00:09:49.667 --> 00:09:49.967
I don't know.

00:09:50.267 --> 00:09:56.477
thing I said is, serious vulnerabilities
like this, they don't necessarily, they

00:09:56.477 --> 00:10:01.247
don't really what, what I take away from
it or what I recommend people take away

00:10:01.247 --> 00:10:04.277
from it is not, this tool is insecure.

00:10:04.307 --> 00:10:06.617
These people maintaining it are idiots.

00:10:06.917 --> 00:10:11.887
Like, no, this is, security is
really fucking hard to get right.

00:10:11.917 --> 00:10:17.637
It is an adversarial space where, as
brilliant as you are, your primary task

00:10:17.637 --> 00:10:19.257
is not making something impenetrable.

00:10:19.287 --> 00:10:22.797
Like that is second a secondary
goal of anything you're doing as a

00:10:22.797 --> 00:10:26.127
software developer if you are not
a paid full-time security engineer.

00:10:26.697 --> 00:10:31.872
And doing something useful it is
just really hard without introducing

00:10:31.962 --> 00:10:32.832
vulnerabilities like that.

00:10:32.832 --> 00:10:37.602
So the line that I like is
that CVEs, like a critical CVE

00:10:37.602 --> 00:10:38.952
doesn't mean that it's insecure.

00:10:38.952 --> 00:10:40.482
It means that it's worth targeting.

00:10:40.842 --> 00:10:44.052
'cause most tech is insecure.

00:10:44.082 --> 00:10:48.072
Like if unless you have dedicated
significant resources towards

00:10:48.072 --> 00:10:52.182
hardening it, it's insecure, like
definitely a hundred percent.

00:10:52.572 --> 00:10:58.332
So the fact that it took this long
for it to get revealed to me says that

00:10:58.332 --> 00:11:03.522
they have done hardening work, they
have put effort into making it secure.

00:11:04.032 --> 00:11:08.792
And because they put that effort in,
the actual vulnerability was complicated

00:11:08.792 --> 00:11:11.852
enough that it took several years
before somebody actually figured it out.

00:11:12.282 --> 00:11:18.512
And also I'll say, I know that I, I saw
a tweet from uh, Malte Ubl, the CTO of

00:11:18.512 --> 00:11:22.402
Vercel you know, engineering leadership
at Vercel saying that in the wake of this

00:11:22.402 --> 00:11:28.852
they did a bug bounty hackathon and ended
up paying like $750,000 in bounties out.

00:11:29.242 --> 00:11:33.462
Presumably that's a long laundry
list of like minor vulnerabilities.

00:11:33.462 --> 00:11:36.372
I don't, I don't believe they've
commented publicly about what exact

00:11:36.612 --> 00:11:41.052
Mark: I, I think, I think that one may
have been somewhat related to Vercel's

00:11:41.052 --> 00:11:43.662
application firewall rules that they, that

00:11:44.362 --> 00:11:47.692
Carl: So this is their consumer
facing security tool to make it.

00:11:48.192 --> 00:11:51.192
More protected and they found a
whole bunch of new ways to make

00:11:51.192 --> 00:11:52.872
it safer is what it sounds like.

00:11:52.902 --> 00:11:53.322
Mark: Mm-hmm.

00:11:53.822 --> 00:11:54.092
Carl: Cool.

00:11:54.152 --> 00:11:54.452
Yeah.

00:11:54.482 --> 00:11:54.872
Great.

00:11:55.372 --> 00:11:58.222
Yeah, I guess to say a little bit
more about where this vulnerability

00:11:58.222 --> 00:12:03.622
came from and why it was so serious,
like this level of vulnerability is

00:12:03.622 --> 00:12:10.022
fairly rare in JavaScript, I would say
largely because in general, the types

00:12:10.022 --> 00:12:14.662
of code that have a greater risk of
introducing this type of vulnerability,

00:12:15.292 --> 00:12:19.162
usually you'll just farm it out to a
different, something that's already been

00:12:19.162 --> 00:12:21.202
battle tested and hardened in that way.

00:12:21.532 --> 00:12:25.572
Specifically why this happened
is because, so React is basically

00:12:25.572 --> 00:12:26.952
a scheduler at this point.

00:12:27.452 --> 00:12:28.652
It's scheduling work.

00:12:28.652 --> 00:12:33.242
It is competing with V8 and other
JavaScript runtimes in order

00:12:33.242 --> 00:12:36.512
to do scheduling of execution.

00:12:36.912 --> 00:12:39.552
That's just like, as they were
building React and realizing the

00:12:39.552 --> 00:12:43.152
performance snafus they were running
into, like they realized, oh shit,

00:12:43.152 --> 00:12:44.262
we have to write a scheduler.

00:12:44.502 --> 00:12:47.142
And that was, do you remember
what the code name for that was?

00:12:47.142 --> 00:12:47.562
Mark?

00:12:47.816 --> 00:12:48.527
Mark: That was Fiber.

00:12:48.836 --> 00:12:50.036
Carl: So like that was React Fiber.

00:12:50.036 --> 00:12:53.976
It was, "we're turning React into
a scheduler." Now server components

00:12:53.976 --> 00:12:55.596
are basically building on top of that.

00:12:55.596 --> 00:12:57.306
It's saying, okay, we built a scheduler.

00:12:57.306 --> 00:13:02.556
Now we've realized that in order to
provide the kind of experiences we want

00:13:02.556 --> 00:13:08.616
to be enabled to offer, we think that we
have to transcend the network boundary

00:13:08.646 --> 00:13:13.866
and be able to schedule work not just
on the client but across the client.

00:13:13.866 --> 00:13:17.666
We need to be able to pause execution
on the server, put it in a little

00:13:17.666 --> 00:13:21.916
box, send it across the network,
then open the box and pick up right

00:13:21.916 --> 00:13:23.476
where we left off on the client.

00:13:24.106 --> 00:13:26.286
And that's fucking hard.

00:13:26.376 --> 00:13:30.066
So like they already built their own
scheduler, so like that's bespoke.

00:13:30.156 --> 00:13:33.246
You can't just use existing tools
for it because they made it.

00:13:33.736 --> 00:13:37.456
The reason this vulnerability came
in is because as part of pausing

00:13:37.456 --> 00:13:41.986
execution, bundling it up and shipping
it somewhere else, that's serializing it.

00:13:42.046 --> 00:13:47.086
That is serializing a complex
set of execution state.

00:13:47.566 --> 00:13:50.916
And where else have we talked
about serialization being

00:13:50.916 --> 00:13:53.066
a major ecosystem level

00:13:53.566 --> 00:13:56.116
project? It's the React
Native new architecture.

00:13:56.116 --> 00:13:57.736
So like this is the same problem.

00:13:58.156 --> 00:14:00.316
Serializing is slow.

00:14:00.676 --> 00:14:04.966
It's vulnerable because you're
taking data and if you wanna make

00:14:04.966 --> 00:14:09.496
it as compact as possible, you
have to invent a binary format.

00:14:09.646 --> 00:14:14.696
And as soon as you do stuff in binary,
that's really dangerous because people

00:14:14.696 --> 00:14:20.126
can structure payloads so that the binary
data lines up in just such a way that a

00:14:20.126 --> 00:14:24.716
naive interpreter on the other end of it
that opens, it goes, oh, I know what this

00:14:24.716 --> 00:14:29.986
is, runs it, and oops, then you've got
like a shell escape or like a terminated

00:14:29.986 --> 00:14:34.486
memory before or after you just like,
that's, how you get all of these most

00:14:34.486 --> 00:14:39.196
serious vulnerabilities is a binary
formatted data source gets deserialized,

00:14:39.556 --> 00:14:44.326
and somebody tricks that deserializing
process into thinking that something

00:14:44.356 --> 00:14:46.336
different than was actually sent is there.

00:14:46.836 --> 00:14:49.326
Mark: We'll dive a little more into
the, technical aspects of this later.

00:14:49.386 --> 00:14:55.476
But big picture is the, the flaw itself
was in the serialization deserialization

00:14:55.476 --> 00:15:00.191
logic, which was written in order
to be able to handle serializing

00:15:00.371 --> 00:15:06.296
and deserializing And because it was
generic code in the sense that it

00:15:06.296 --> 00:15:11.176
was meant to handle, conceptually
any piece of data, carefully crafted

00:15:11.176 --> 00:15:18.896
input could, when revived, run as
promises get turned into a function,

00:15:18.896 --> 00:15:21.896
constructor escape the sandboxing.

00:15:22.396 --> 00:15:26.026
And next thing the attacker is
running arbitrary JavaScript code

00:15:26.386 --> 00:15:28.846
within the context of your server.

00:15:29.356 --> 00:15:31.306
And then very bad things happen.

00:15:31.444 --> 00:15:36.927
So the initial announcement came out
it was timed with a bunch of fixes

00:15:36.957 --> 00:15:39.897
from all the different RSE frameworks.

00:15:39.927 --> 00:15:43.717
So, clearly the, the work had
been done behind the scenes for

00:15:43.717 --> 00:15:45.457
coordinated disclosure and fixes.

00:15:45.664 --> 00:15:51.879
All the major hosting platforms
for Cloudflare, Deno, Netlify also

00:15:51.879 --> 00:15:56.169
immediately came out with application
firewall rules to try to block, what

00:15:56.169 --> 00:15:57.849
they knew about the attack at the time.

00:15:58.349 --> 00:16:04.469
And as Carl said, once someone knows
that there's vulnerabilities in a certain

00:16:04.469 --> 00:16:09.659
system, everyone else in the penetration
security space is gonna swarm and look

00:16:09.659 --> 00:16:12.329
for other potential issues in thing.

00:16:12.829 --> 00:16:19.399
And so that's why the next day there was
a second set of announcements saying that

00:16:19.429 --> 00:16:22.369
two more new CVEs had been discovered.

00:16:22.679 --> 00:16:26.879
One was a denial of service attack
where React would try to infinitely

00:16:26.879 --> 00:16:29.189
revive a series of fake promises.

00:16:29.759 --> 00:16:34.019
And then the other one was a source
code exposure vulnerability, where

00:16:34.199 --> 00:16:40.379
crafted input could force the API to
return the contents of a server function

00:16:40.469 --> 00:16:42.119
that you had written on your backend.

00:16:42.619 --> 00:16:47.509
We had the one truly bad CVE,
the remote code execution.

00:16:47.869 --> 00:16:51.499
And then as other people looked at
what was the fix, what was the area,

00:16:51.529 --> 00:16:53.719
what's going on, what else can we find?

00:16:54.219 --> 00:16:56.919
A couple of additional follow
on things were discovered.

00:16:57.549 --> 00:17:01.849
And you know, as Carl said, it's, yeah,
those were there, but it's also, and

00:17:01.849 --> 00:17:06.649
now people are looking for them because
there's the potential for more problems.

00:17:07.149 --> 00:17:11.459
Carl: If you can do a remote code
execution, that probably means you

00:17:11.459 --> 00:17:16.322
can do other things most likely, very
proximal to that same vulnerability

00:17:16.322 --> 00:17:19.832
because like so much of it relies
on manipulating the binary encoding.

00:17:19.832 --> 00:17:22.449
That, that smells like, if you can
do that, you can do other things.

00:17:22.449 --> 00:17:25.179
So I'm not surprised to find
that they found other things.

00:17:25.419 --> 00:17:30.099
I will say like remote
code execution, source code

00:17:30.099 --> 00:17:32.799
exposure, and denial of service.

00:17:32.799 --> 00:17:34.299
Like, oh, that's rough.

00:17:34.299 --> 00:17:36.639
That's like the trifecta of
things you don't want to happen.

00:17:37.149 --> 00:17:41.296
So yeah, finding all of them,
it's like now we know that they're

00:17:41.296 --> 00:17:42.976
not there in that way at least.

00:17:42.976 --> 00:17:43.696
So like great.

00:17:44.306 --> 00:17:46.286
To me this builds trust a little bit.

00:17:46.386 --> 00:17:52.286
I actually chatted briefly with Ricky
Hanlon in the wake of this and asked

00:17:52.346 --> 00:17:56.126
what kind of security hardening they
have, what kind of security review

00:17:56.126 --> 00:17:57.986
they have done as part of designing this.

00:17:58.406 --> 00:18:01.346
Because, like I said, like
serializing, deserializing is a

00:18:01.346 --> 00:18:04.406
well-known dangerous place to be.

00:18:04.646 --> 00:18:06.146
It's a dangerous place to find yourself.

00:18:06.146 --> 00:18:08.426
Like there are projects that I've
not done because I realized like,

00:18:08.456 --> 00:18:11.336
oh, in order to do this, I'm
gonna have to touch binary stuff.

00:18:11.396 --> 00:18:15.026
And that gets really hairy and you
have to do that very delicately.

00:18:15.246 --> 00:18:19.356
So like that to say like, there are
smart people on the React core team.

00:18:19.356 --> 00:18:21.876
Like they absolutely knew this was a risk.

00:18:21.876 --> 00:18:26.096
And I'm curious to hear more details
about what mitigation they've

00:18:26.096 --> 00:18:30.476
done over the last, six years that
server components have been in

00:18:30.476 --> 00:18:32.066
development in one form or another.

00:18:32.576 --> 00:18:36.476
Yeah, so Ricky Hanlon said that
he'd do some research on that

00:18:36.476 --> 00:18:39.866
and include it in the post-mortem
blog post, but I, I haven't seen

00:18:39.866 --> 00:18:41.165
the post-mortem blog post yet, so

00:18:41.609 --> 00:18:44.557
Mark: So, this happened
in what, December?

00:18:44.557 --> 00:18:46.237
11th ish, I think.

00:18:46.737 --> 00:18:47.285
Carl: Yeah.

00:18:47.328 --> 00:18:49.248
Second pair of
vulnerabilities was the 11th.

00:18:49.248 --> 00:18:50.718
First one was the third.

00:18:51.218 --> 00:18:51.608
Mark: Okay.

00:18:51.917 --> 00:18:55.497
We had the initial announcement,
which was dubbed React2Shell.

00:18:55.867 --> 00:18:59.957
Vercel has put together a,
a very comprehensive set of

00:19:00.017 --> 00:19:02.207
details on what happened.

00:19:02.492 --> 00:19:03.392
Looks like December 3rd.

00:19:03.392 --> 00:19:05.552
December 4th was when the
initial announcements came out.

00:19:05.922 --> 00:19:11.310
Vercel's bulletin has a lot of info
on the timeline and how to fix things,

00:19:11.310 --> 00:19:15.820
which is basically upgrade to the latest
version of any React based framework.

00:19:15.930 --> 00:19:18.450
Now, if you haven't already done so.

00:19:18.790 --> 00:19:21.160
And they provide instructions
on how to do that.

00:19:21.710 --> 00:19:27.260
In the wake of all this, we've already
seen the vulnerabilities being exploited.

00:19:27.540 --> 00:19:32.130
Carl mentioned a Reactiflux community
member who got hacked as a result.

00:19:32.450 --> 00:19:35.610
Cloudflare put out a post detailing.

00:19:35.610 --> 00:19:39.120
"Yeah. We're seeing this getting
used in a lot of penetration scans."

00:19:39.570 --> 00:19:45.090
An interesting side effect of this was
Cloudflare had already had a dashboard

00:19:45.090 --> 00:19:50.940
problem when they DDoS themselves
with a useEffect and then they.

00:19:51.440 --> 00:19:54.820
They also had an issue with
something else on their backend.

00:19:54.820 --> 00:19:59.110
I think second or third outage then
happened when they tried to roll out a

00:19:59.110 --> 00:20:05.650
change to buffer sizes in relation to
fixing React2Shell, and made themselves

00:20:05.650 --> 00:20:08.060
go down again for another half an hour.

00:20:08.560 --> 00:20:11.110
Carl: It's funny how these seem
to be kind of unforced errors

00:20:11.140 --> 00:20:13.480
on Cloudflare's part, like Yeah.

00:20:14.030 --> 00:20:19.310
They also were like Johnny on the spot
with a blog post saying, we've got

00:20:19.310 --> 00:20:22.880
a web application firewall that will
prevent the worst of this from happening.

00:20:22.910 --> 00:20:25.850
And then like, took themselves
down for a couple of hours.

00:20:26.130 --> 00:20:32.410
I was reading the, the writeup of this
and it sounds like they started seeing

00:20:32.410 --> 00:20:38.620
elevated errors in a tool that was
related to determining production errors.

00:20:38.670 --> 00:20:42.660
It was a tool partially designed
to help avoid the risk of outages.

00:20:43.020 --> 00:20:46.440
They started seeing error rates rise in
that and were like, nah, this is fine.

00:20:46.440 --> 00:20:47.190
We're gonna keep going.

00:20:47.690 --> 00:20:51.520
That, so that seems a little like an
unforced, self-owned there, which is un.

00:20:52.020 --> 00:20:55.320
Silly to me, given how smart
they came across at the very

00:20:55.320 --> 00:20:56.880
beginning of this vulnerability.

00:20:57.000 --> 00:20:58.470
Anyway, I'm just giggling at them.

00:20:58.970 --> 00:20:59.420
Okay.

00:20:59.480 --> 00:21:00.620
Some tech analysis.

00:21:00.620 --> 00:21:04.315
I guess I did sort of an abstract tech
analysis, but let's get deeper in.

00:21:04.920 --> 00:21:08.790
Mark: The React team is very fond of
their project code names that start

00:21:08.790 --> 00:21:11.940
with F. They, they've literally got
like two or three dozens of them.

00:21:11.970 --> 00:21:14.297
So, Fiber was the React 16 rewrite.

00:21:14.717 --> 00:21:19.787
So React Flight is the code name
for most of the work that has to do

00:21:19.787 --> 00:21:21.737
with implementing server components.

00:21:22.127 --> 00:21:28.817
And so the flight protocol is their
custom serialization and deserialization

00:21:29.427 --> 00:21:35.947
technique that is meant to encode not
just data, like, it can serialize

00:21:36.007 --> 00:21:41.767
JavaScript objects and, more advanced
values like dates and promises and stuff.

00:21:42.157 --> 00:21:47.947
But it also encodes a lot of the
semantics of React components themselves.

00:21:48.197 --> 00:21:51.977
Like when you put a Suspense in there,
it puts in a placeholder value that says

00:21:51.977 --> 00:21:53.897
this will be filled in later, and so on.

00:21:54.287 --> 00:21:58.620
So there's many other like advanced
JavaScript serialization libraries out

00:21:58.620 --> 00:22:03.710
there like `cereal`, but they built
their own because they specifically

00:22:03.710 --> 00:22:08.830
needed it to handle React-related
concepts, not just the data.

00:22:09.400 --> 00:22:15.130
And so ultimately the vulnerability is
in this flight protocol implementation.

00:22:15.340 --> 00:22:21.190
Not the data format per se, but the
process of doing the deserialization.

00:22:21.730 --> 00:22:27.670
And so because of that, it's a core
part of RSC functionality itself, not

00:22:27.670 --> 00:22:32.860
specific to any one framework, which is
why all the RSC frameworks were affected.

00:22:33.360 --> 00:22:39.600
Carl: Yeah, so I guess the vulnerability
here is a carefully crafted promise

00:22:39.630 --> 00:22:42.360
deserialization and a function eval.

00:22:42.817 --> 00:22:46.584
So the danger there, like function eval.

00:22:47.084 --> 00:22:49.484
One of the JavaScript concepts
they're trying to serialize

00:22:49.484 --> 00:22:52.294
is executable code dangerous.

00:22:52.593 --> 00:22:55.173
This is why if you, this
is why you don't use eval.

00:22:55.203 --> 00:22:59.403
This is why like eval has lint
rules saying never use this because

00:22:59.403 --> 00:23:00.843
'cause it's so fucking dangerous.

00:23:01.153 --> 00:23:03.463
So it's not literally eval in this case.

00:23:03.513 --> 00:23:07.956
Mark: It's not the eval keyword, but
`new Function` and, and passing in a, a

00:23:07.956 --> 00:23:09.606
string is essentially the same thing.

00:23:09.953 --> 00:23:12.293
Carl: Slightly different semantics,
but essentially the same thing.

00:23:12.393 --> 00:23:13.863
Executing untrusted code.

00:23:14.356 --> 00:23:16.636
Mark: There were three major fix PRs.

00:23:16.666 --> 00:23:22.846
The first one has the fix for the actual
remote code execution vulnerability,

00:23:23.266 --> 00:23:29.476
and they snuck the fix into a larger PR
that did a bunch of other refactoring

00:23:29.836 --> 00:23:35.546
to try to add just a little more
obscurity with what was going on.

00:23:36.006 --> 00:23:42.196
But I, I saw people quickly identifying
which bit of that PR was the actual error.

00:23:42.446 --> 00:23:47.606
Basically it boiled down to a
couple lines that had like, looking

00:23:47.606 --> 00:23:51.506
up `module[name].something else`.

00:23:51.776 --> 00:23:56.215
And so just like a generic object
field lookup with user provided

00:23:56.215 --> 00:23:58.225
input for the field names.

00:23:58.725 --> 00:24:04.545
And the fix was essentially
adding an object `hasOwnProperty`

00:24:04.755 --> 00:24:05.265
Carl: check

00:24:05.745 --> 00:24:06.375
Mark: around that.

00:24:06.865 --> 00:24:09.445
And so there were a couple
very good breakdowns.

00:24:09.775 --> 00:24:13.175
Guillermo Rauch, CEO of Vercel,
posted a, a tweet where he went
posted a, a tweet where he went

00:24:13.175 --> 00:24:18.005
into some detail on what the actual
vulnerability issue itself was.

00:24:18.425 --> 00:24:23.285
And then Shruti Kapoor had another
very good breakdown, and I saw a

00:24:23.285 --> 00:24:25.385
few others being posted as well.

00:24:25.885 --> 00:24:29.275
It's one of those things where on the one
hand, you look at it and it's like, okay,

00:24:29.605 --> 00:24:35.725
if you think about it, this is a generic
object lookup with user provided input.

00:24:36.055 --> 00:24:39.955
And at no point was that user
provided input sufficiently

00:24:39.955 --> 00:24:43.885
checked and someone figured out the
right sequence to make it happen.

00:24:44.385 --> 00:24:47.235
On the other hand, Ricky Hanlon
also made the comment that

00:24:47.735 --> 00:24:52.745
figuring this out and crafting
the input was incredibly advanced.

00:24:52.745 --> 00:24:57.175
Like, yeah, in hindsight, maybe
some of this looks really simple

00:24:57.175 --> 00:25:01.435
and obvious, but as Carl said, like
it, it took years for anyone to look

00:25:01.465 --> 00:25:06.325
down far enough and realize that this
particular bit of code was vulnerable in

00:25:06.340 --> 00:25:06.580
Carl: Yeah.

00:25:07.216 --> 00:25:12.760
It's funny, I'm reading this, Shruti
Kapoor's writeup of it, and it really

00:25:12.760 --> 00:25:17.576
reminds me of SVG, the way this is
encoded reminds me of how SVG is encoded.

00:25:17.796 --> 00:25:21.696
Line one is M1 colon and
then a bunch of data.

00:25:21.906 --> 00:25:25.896
M is a means, this is a module
one is the ID for this module.

00:25:25.926 --> 00:25:29.376
Like, "J0, this is a JSON chunk
with root component ID zero."

00:25:30.016 --> 00:25:30.556
So I don't know.

00:25:30.556 --> 00:25:33.051
That's interesting it rhymes with
something I've noticed in my career

00:25:33.051 --> 00:25:38.011
is like, I did some really cool,
fun stuff with SVG because when you

00:25:38.011 --> 00:25:42.961
start looking at the details of how
things are encoded, like this, you

00:25:42.961 --> 00:25:44.431
can do some really interesting things.

00:25:44.521 --> 00:25:47.821
It's like all the tools will
generate a certain type of valid

00:25:47.821 --> 00:25:50.941
thing based in some assumption, but
when you start actually looking at

00:25:50.941 --> 00:25:54.711
what they're producing and doing it
yourself, you find interesting stuff.

00:25:54.711 --> 00:25:57.291
So, I don't know, that's just, that's
what the security researcher did is

00:25:57.291 --> 00:26:02.771
instead of relying on the compiler to
do output for him, he tore it apart,

00:26:02.771 --> 00:26:07.121
looked at how it actually worked, and
then went, "Oh hey, this lets you get

00:26:07.121 --> 00:26:12.161
arbitrary modules and extract whatever
thing you want off it. I bet you can do

00:26:12.161 --> 00:26:13.991
something interesting with that." Yeah.

00:26:14.465 --> 00:26:16.505
Mo: I'm curious as to what
you guys think about this.

00:26:16.505 --> 00:26:19.925
Like, I, I'm looking at, the sort
of, the quote from Ricky and part

00:26:19.925 --> 00:26:21.485
of me is like, I appreciate it.

00:26:21.485 --> 00:26:25.945
It, it is a very complex attack
that you need to coordinate at the

00:26:25.945 --> 00:26:29.985
same time, it feels a little bit,
shrugging of the issue, which was

00:26:29.985 --> 00:26:31.785
a very key, core vulnerability.

00:26:31.785 --> 00:26:32.205
Right.

00:26:32.545 --> 00:26:35.005
It's almost like in contrast
to Cloudflare, where

00:26:35.005 --> 00:26:36.445
they're like, "we fucked up.

00:26:36.505 --> 00:26:37.375
We know we fucked up.

00:26:37.375 --> 00:26:38.425
We let you guys down.

00:26:38.455 --> 00:26:42.065
We've lost your trust." Granted they've
had to do that a few times now, but, the

00:26:42.065 --> 00:26:47.532
point is, it just feels a little bit
immature to brush it off to say, I don't

00:26:47.532 --> 00:26:48.762
know, maybe this is just my opinion.

00:26:48.762 --> 00:26:52.152
I'm keen to hear what you guys think
from like a how should open source

00:26:52.152 --> 00:26:55.802
slash big tech companies handle when
I say open source slash big tech?

00:26:55.832 --> 00:26:59.432
'cause it's effectively when speaks, kind
of speaking on behalf of Meta, right.

00:26:59.762 --> 00:27:00.872
Whether he likes or not.

00:27:01.352 --> 00:27:04.502
And it's like, I don't think that
that's a constructive way to look at

00:27:04.502 --> 00:27:05.972
it, to be like, it's quite complex.

00:27:06.002 --> 00:27:07.952
That's why CVEs are discovered.

00:27:08.012 --> 00:27:11.162
Hackers and bounty hunters are
the best people to discover this.

00:27:11.162 --> 00:27:14.635
It's like, not quite like,
you guys are the maintainers.

00:27:14.793 --> 00:27:15.603
You should look out for it.

00:27:15.603 --> 00:27:18.783
It feels a little bit like shrugging
off a very, very, very core

00:27:18.783 --> 00:27:20.793
issue that happened in the ecosystem.

00:27:21.559 --> 00:27:24.759
Mark: So on the one hand I think
from a, like a security response

00:27:24.759 --> 00:27:29.569
perspective, the React team and
all the rest of the, the hosting

00:27:29.569 --> 00:27:30.979
companies have done the right thing.

00:27:30.979 --> 00:27:33.546
There was, some private
disclosure happened.

00:27:33.966 --> 00:27:38.016
Everybody worked out the patches,
had the firewall rules ready to go.

00:27:38.016 --> 00:27:42.876
There was a coordinated release so
that at the moment this was publicized,

00:27:42.996 --> 00:27:46.956
like, there was immediate protection
and fixes of Ill, like that is

00:27:46.956 --> 00:27:48.456
the correct part of the handling.

00:27:49.093 --> 00:27:52.723
Then similarly, as soon as the
additional CVEs were discovered,

00:27:52.723 --> 00:27:56.283
there were follow up posts, tools,
created to help bump all your versions.

00:27:56.523 --> 00:27:59.193
Like all that stuff has been
excellent and I think , they've

00:27:59.523 --> 00:28:00.693
that stuff the right way.

00:28:01.023 --> 00:28:05.043
On the other hand, as you're pointing out,
even from like a perception perspective,

00:28:05.083 --> 00:28:08.113
the blog post on the follow up CVEs.

00:28:08.613 --> 00:28:13.833
Initially, one of the first bits in
that post was a call out box that

00:28:13.833 --> 00:28:19.083
said, "follow up CVEs are a very
common thing because everyone, now,

00:28:19.143 --> 00:28:20.793
everyone is looking at your code."

00:28:21.243 --> 00:28:24.903
And the React team actually got called
on in Hacker News, like, "which is more

00:28:24.903 --> 00:28:29.373
important, protecting your reputation or
giving people the information they need

00:28:29.373 --> 00:28:33.723
to re-update their tools." And, to their
credit, they restructured the post.

00:28:33.723 --> 00:28:35.433
So the tech information was first.

00:28:35.433 --> 00:28:38.876
I I do totally get the
preemptive defensiveness.

00:28:39.626 --> 00:28:43.265
Like of course, the React team and
ecosystem are gonna get criticized

00:28:43.265 --> 00:28:45.245
because, oh no, now there's more problems.

00:28:45.245 --> 00:28:46.475
Look how bad your code is.

00:28:46.505 --> 00:28:47.495
I totally get that.

00:28:47.975 --> 00:28:50.905
I think the comment was justified.

00:28:51.576 --> 00:28:56.226
But putting that as the first thing in the
post was maybe not the best way to do it.

00:28:56.286 --> 00:28:59.136
I agree with you that the
way the phrasing here and the

00:28:59.136 --> 00:29:01.986
defensiveness does not look ideal.

00:29:02.631 --> 00:29:03.051
Mo: Yeah.

00:29:03.111 --> 00:29:04.521
And it's just a phrasing thing, right?

00:29:04.521 --> 00:29:08.691
It's like, I, I agree with you a hundred
percent that it was very well coordinated.

00:29:09.081 --> 00:29:12.501
They worked with all the right people,
all the right hosting providers,

00:29:12.501 --> 00:29:17.288
and did a good job of tackling
a critical vulnerability, right?

00:29:17.678 --> 00:29:21.698
But then the messaging is a
little bit laissez faire, like,

00:29:21.698 --> 00:29:23.348
let's just, this happens guys.

00:29:23.408 --> 00:29:24.558
Of course it happens.

00:29:24.558 --> 00:29:27.493
And so that, that's the bit that I'm just,
a little bit it doesn't sit right with me.

00:29:27.493 --> 00:29:29.320
Carl: Yeah, I have some
opinions on this. I don't know.

00:29:29.320 --> 00:29:33.850
This is, deep in the weeds of like
communication, effective communication,

00:29:33.850 --> 00:29:35.590
especially when you've someone wrong.

00:29:35.706 --> 00:29:39.756
Even that someone is an abstract group
of millions who rely on your work.

00:29:40.186 --> 00:29:40.576
Yeah.

00:29:40.606 --> 00:29:44.926
Defensiveness is never good to
lead with. Also, defensiveness

00:29:45.426 --> 00:29:47.646
is a lot broader than
most people think about.

00:29:47.646 --> 00:29:51.786
If you are offering a reason, a
justification, an explanation,

00:29:52.416 --> 00:29:53.526
all of that is defensive.

00:29:53.526 --> 00:29:56.666
That is saying, maybe it's not
saying "it's okay that this

00:29:56.666 --> 00:30:00.406
happened because," but it is saying
there are mitigating factors.

00:30:00.466 --> 00:30:09.566
And at the outset while talking about,
a problem, a thing, it is never good to

00:30:09.566 --> 00:30:12.036
offer reasons why you made that mistake.

00:30:12.096 --> 00:30:15.586
Just like you made it, it happened,
it's done, own it. Don't defend it.

00:30:17.106 --> 00:30:19.279
Mark: Which, which I think has
generally, as a, counter example,

00:30:19.279 --> 00:30:22.599
I think generally been one of the
strengths of Cloudflare's, you know,

00:30:22.599 --> 00:30:25.969
outage messaging. It's like, yeah, we
screwed up, but here's exactly what

00:30:25.969 --> 00:30:28.882
happened and the things that went wrong.

00:30:29.066 --> 00:30:34.346
They're explaining the technical reasons,
but it's generally factual rather

00:30:34.346 --> 00:30:37.016
than like communications oriented.

00:30:37.302 --> 00:30:37.512
Carl: Yeah.

00:30:37.512 --> 00:30:42.762
And I wanna, Mo you used the word
immature and I think I like yes.

00:30:43.332 --> 00:30:47.112
In context it's the
wrong, it's like wrong.

00:30:47.692 --> 00:30:52.572
I would reframe it from immature
to like, this is crisis comms.

00:30:52.572 --> 00:30:57.582
This is public relations at a
world level security incident.

00:30:58.032 --> 00:31:02.682
And so while the, while that instance
of, defensiveness, especially when

00:31:02.682 --> 00:31:06.432
you feel that you've done everything
you could, you've done your best

00:31:06.882 --> 00:31:08.292
totally get it totally makes sense.

00:31:08.292 --> 00:31:11.802
There's a really strong instinct
to do that. If you're operating

00:31:11.802 --> 00:31:16.112
at a world class level, the
expectation is higher than that.

00:31:16.112 --> 00:31:18.752
So I guess I would reframe it
from like immature to like not

00:31:18.752 --> 00:31:20.222
meeting the bar of excellence.

00:31:20.429 --> 00:31:22.739
Mo: What Mark was saying was exactly
what I was thinking, which is like

00:31:22.799 --> 00:31:26.869
the Cloudflare posts are exactly how
I would rather have this handled,

00:31:26.869 --> 00:31:31.269
which is an admission of whatever that
is an admission we made a mistake or

00:31:31.299 --> 00:31:33.579
we didn't discover this, I'm sorry.

00:31:33.909 --> 00:31:38.269
And here's exactly what went wrong that
reads as I'm giving you the technical

00:31:38.269 --> 00:31:40.729
reasons and I'm being transparent
with you, rather than I'm defending

00:31:40.729 --> 00:31:42.619
myself and trying to, to cover up

00:31:43.266 --> 00:31:47.076
Mark: And are all the mitigation
steps going forward to improve our

00:31:47.076 --> 00:31:50.551
process and make sure that this set
of problems never happens again.

00:31:51.311 --> 00:31:52.394
Mo: To play the devil's advocate.

00:31:52.394 --> 00:31:56.624
To my earlier point, I get the
emotional instinct to defend yourself.

00:31:56.624 --> 00:31:56.894
Right?

00:31:56.894 --> 00:31:58.544
Like it's an open source project.

00:31:58.874 --> 00:32:02.804
You've chosen to work and benefit
off of the work that React and the

00:32:02.804 --> 00:32:04.544
React team have been building.

00:32:04.544 --> 00:32:09.763
I get it, like open source maintainers are
not appreciated enough, but you are also a

00:32:09.763 --> 00:32:14.113
multi-billion dollar company and you need
to have some PR instincts as part of that.

00:32:14.189 --> 00:32:15.419
Carl: Or delegate to a PR team.

00:32:15.984 --> 00:32:19.884
Mark: The reactions to this have
been incredibly predictable on Hacker

00:32:19.884 --> 00:32:24.734
News and Twitter and everywhere else,
which is lots and lots of, "RSCs

00:32:24.734 --> 00:32:27.374
were a mistake in the first place.

00:32:27.794 --> 00:32:33.194
Boy, I am glad I never adopted
RSCs" and lots of similar

00:32:33.194 --> 00:32:34.514
threads from lots of people.

00:32:34.991 --> 00:32:35.621
Carl: Can't avoid it.

00:32:36.121 --> 00:32:37.621
Look at us not doing that.

00:32:37.621 --> 00:32:38.581
We're so good.

00:32:39.181 --> 00:32:41.621
Mo: Give ourselves pats on
the shoulder collectively.

00:32:42.121 --> 00:32:45.031
Mark: We've seen complaints about
server components being quote too

00:32:45.361 --> 00:32:47.614
complex really since the beginning.

00:32:48.124 --> 00:32:52.811
And like with the word boilerplate
people use the word complex or complexity

00:32:52.811 --> 00:32:55.001
to mean lots of different things.

00:32:55.451 --> 00:32:56.951
Is it the mental model?

00:32:57.161 --> 00:32:59.471
Is it the technical implementation?

00:32:59.891 --> 00:33:04.121
Is it the architectural approach of trying
to bridge the server and the client?

00:33:04.121 --> 00:33:07.121
I mean, diff different people have
different pieces in mind when,

00:33:07.121 --> 00:33:08.651
when they use the word complex.

00:33:08.991 --> 00:33:13.281
I, I think there, like, there's probably
some fair validity to the concerns.

00:33:13.331 --> 00:33:18.341
We've talked about the mental model of
trying to understand if you're looking

00:33:18.341 --> 00:33:23.471
at a given file, a given function,
understanding where is the code running,

00:33:23.531 --> 00:33:29.268
when is the code running, what are the
inputs needing to, if I've got a secret

00:33:29.268 --> 00:33:33.708
value on the server, how do I make
sure that it's not getting accidentally

00:33:33.708 --> 00:33:35.418
exposed and sent to the client?

00:33:36.018 --> 00:33:40.498
So, as Carl said, part of this
is just, client server behavior

00:33:40.558 --> 00:33:42.148
is a distributed system.

00:33:42.178 --> 00:33:44.343
It is an inherently complex thing.

00:33:44.763 --> 00:33:49.593
And we are trying to solve a complex
problem with 50,000 different

00:33:49.593 --> 00:33:52.353
attempts at abstraction, server
components being one of them.

00:33:52.743 --> 00:33:58.173
So part of it is, this is just a very hard
space, but it's probably also legit to say

00:33:58.173 --> 00:34:03.603
that this particular set of abstractions
is complex, both in terms of mental model

00:34:04.293 --> 00:34:06.963
necessary technical implementations.

00:34:07.453 --> 00:34:10.443
You know, as always, I feel weird
saying this stuff because I'm on the

00:34:10.443 --> 00:34:13.533
sidelines and so I'm the bystander
without the hands-on experience,

00:34:14.103 --> 00:34:16.143
but just eyeballing things.

00:34:16.173 --> 00:34:21.913
I think that's maybe a point in favor of
something like Remix loaders or TanStack

00:34:21.933 --> 00:34:28.063
Start server functions where you look at
a thing and it's very, very explicit: this

00:34:28.063 --> 00:34:30.703
is the function that runs on the server.

00:34:30.793 --> 00:34:34.033
And okay, yeah, maybe there's still
some bundler magic that's going on to

00:34:34.033 --> 00:34:38.893
make that feasible be in the same file,
but at least there was something in the

00:34:38.893 --> 00:34:44.593
code that very clearly said where that
piece of behavior is intended to run.

00:34:45.093 --> 00:34:49.143
Carl: I'm just saying if this were
written using the primitives that

00:34:49.243 --> 00:34:54.713
Effect-TS offers, then list what
environment was required as part

00:34:54.713 --> 00:34:57.293
of the types, like you could get
type level guarantees on this shit.

00:34:57.743 --> 00:34:58.673
I'm just saying.

00:34:59.173 --> 00:35:02.593
Mark: There was one tweet that I
saw, which was using the metaphor

00:35:02.623 --> 00:35:04.925
of different function colors.

00:35:05.175 --> 00:35:08.505
This concept started as a blog post
like a decade ago where someone

00:35:08.775 --> 00:35:14.775
that sync and async functions are
differently colored and that they're,

00:35:14.775 --> 00:35:15.855
they're essentially contagious.

00:35:15.855 --> 00:35:19.275
That once you have an async function, it
spreads through the rest of the code base.

00:35:19.635 --> 00:35:20.805
And so this tweet

00:35:21.405 --> 00:35:26.445
was saying, well now we've got like
three different colors and they multiply.

00:35:26.715 --> 00:35:30.345
So now you have to consider like
function components, server components,

00:35:30.375 --> 00:35:32.865
hooks, server side, client side.

00:35:32.895 --> 00:35:36.645
It was kinda like the multiplicative
factor of all the possible

00:35:36.645 --> 00:35:38.835
variations in how a thing can run.

00:35:39.335 --> 00:35:42.995
All right, one, one last bit of
opiniony stuff and then we can move on.

00:35:43.085 --> 00:35:48.685
So what do we think this means in
terms of, what's going to happen

00:35:48.685 --> 00:35:53.605
with React in 2026, but also what
does this mean in terms of server

00:35:53.605 --> 00:35:56.065
component adoption at this point?

00:35:56.565 --> 00:36:00.155
On the one hand, we've been seeing
the positive technical progress in the

00:36:00.155 --> 00:36:06.095
ecosystem where it, it's getting past
the experimental stage in other tools.

00:36:06.435 --> 00:36:09.805
React Router has added RSC
support. Waku is getting

00:36:09.805 --> 00:36:11.485
close to being production ready.

00:36:11.765 --> 00:36:16.625
Redwood is out there, TanStack
Start is looking at RSC

00:36:16.625 --> 00:36:18.365
support in its own unique way.

00:36:18.755 --> 00:36:24.875
So we're getting past the point where
this is just a feature that's available

00:36:24.875 --> 00:36:29.345
in Next, and that feels like it's
going to be very big for adoption.

00:36:29.345 --> 00:36:34.165
I think actually React Router support
is gonna be huge, but now you've

00:36:34.165 --> 00:36:38.245
got a vulnerability here and you've
got all the naysayers popping up

00:36:38.245 --> 00:36:43.021
and saying, "ha ha, look. See, I was
right. This was a bad idea." So plus

00:36:43.021 --> 00:36:44.611
and minus, how is this gonna behave?

00:36:45.013 --> 00:36:47.893
Carl: I will say I think the
haters are gonna show up no matter

00:36:47.893 --> 00:36:52.256
what, and the only thing that
varies is, there's some variance.

00:36:52.256 --> 00:36:54.656
There's probably gonna be more
haters because of this than

00:36:54.746 --> 00:36:55.856
there might have been otherwise.

00:36:56.036 --> 00:37:00.266
But many of those haters would
have just been saying something

00:37:00.266 --> 00:37:01.766
different if this hadn't happened.

00:37:01.886 --> 00:37:05.877
So I think there's gonna be, I
think this is gonna end up being net

00:37:05.877 --> 00:37:12.377
good because there deserves to be
more than an uncritical adoption.

00:37:12.377 --> 00:37:15.247
Like, you know, when I think about when
hooks came out, everyone's like, "aww

00:37:15.267 --> 00:37:18.207
yeah!" And just like immediately all in.

00:37:18.554 --> 00:37:21.185
So like it's a rainbow colored functions.

00:37:21.185 --> 00:37:22.776
It's bunch of complexity.

00:37:22.776 --> 00:37:25.536
It's difficult to know
where code is executing now.

00:37:25.536 --> 00:37:30.706
It's hard, Next adds on additional caching
stuff that adds even more complexity.

00:37:31.186 --> 00:37:37.156
So I think this might trigger a bit of a
reckoning for the folks pushing the state

00:37:37.156 --> 00:37:40.099
of the cutting edge, the people who are
pushing the envelope, I think are going to

00:37:40.099 --> 00:37:43.789
be forced to offer stronger justification.

00:37:44.289 --> 00:37:46.809
Forced is wrong, let's say pressured.

00:37:47.359 --> 00:37:50.562
What do you think would be good, I've
said a couple times over the years

00:37:50.562 --> 00:37:54.822
of doing this podcast that like I
view the, the React core team as

00:37:54.822 --> 00:38:01.872
doing like post-doctoral research in
distributed execution of, you know, UI.

00:38:01.992 --> 00:38:08.422
So with that framing in mind, this
is going to ask those folks who are

00:38:08.422 --> 00:38:14.162
doing the more academically minded
whatever to more strongly justify the

00:38:14.162 --> 00:38:16.022
direction, which I think will be good.

00:38:16.292 --> 00:38:21.915
And I think, we'll, I would hope
will lead to more robust everything.

00:38:22.418 --> 00:38:27.328
The "React is rainbow colored," I
think is like so deeply real and a

00:38:27.328 --> 00:38:32.098
major limiting factor because you're
context switching and like you said

00:38:32.098 --> 00:38:35.348
Mark, there's nothing in the code
to indicate where it's executing.

00:38:35.348 --> 00:38:36.188
You have to know it.

00:38:36.528 --> 00:38:40.668
I'll say that, specifically, the fact
that you can't look at the code and

00:38:40.668 --> 00:38:46.998
understand aspects of it without gathering
more context from where it is, is like

00:38:47.028 --> 00:38:53.888
deeply antithetical to the model of
programming that React is built upon, like

00:38:53.948 --> 00:38:56.988
componentized self-contained, tiny world.

00:38:56.988 --> 00:39:03.038
If I'm looking at a component, generally,
up until React server components I guess,

00:39:03.458 --> 00:39:05.468
I know that it has everything it needs.

00:39:05.948 --> 00:39:06.848
Unless I've done something else.

00:39:06.873 --> 00:39:11.508
Like, okay, CSS can cascade,
context is slightly unknown.

00:39:11.538 --> 00:39:16.368
But like I can look at the guarantee,
I can look at the code and statically

00:39:16.428 --> 00:39:22.398
understand what guarantees it requires
from its environment and what it's doing.

00:39:22.541 --> 00:39:25.961
It doesn't just like reach into other
stuff and change things at random.

00:39:26.441 --> 00:39:30.671
And so with React server components, I can
no longer look at a single component and

00:39:30.671 --> 00:39:33.518
fully understand where it is in the world.

00:39:34.018 --> 00:39:35.818
So I don't know, hopefully that changes.

00:39:36.270 --> 00:39:42.170
Mo: So we've gone through an, an era
over the last couple years where it's

00:39:42.170 --> 00:39:44.450
been a heavy focus on RSCs, right?

00:39:44.510 --> 00:39:50.200
And I think someone in the chat as well
today asked like, are RSCs good or bad?

00:39:50.710 --> 00:39:51.130
Right.

00:39:51.730 --> 00:39:55.300
And I think that's the issue is just
because it's been so center stage

00:39:55.300 --> 00:39:57.010
on every discussion about React.

00:39:57.510 --> 00:40:02.280
It's almost been implied that everyone
needs RSCs, everyone needs Next.

00:40:02.340 --> 00:40:05.640
Anyone who builds a web app needs
these tools, and this is the right

00:40:05.640 --> 00:40:07.980
evolution for everyone in the ecosystem.

00:40:08.667 --> 00:40:10.227
I personally never believed
that that was the case.

00:40:10.227 --> 00:40:15.587
I think it was a good optimization and
a good next step to help take React to

00:40:15.587 --> 00:40:19.607
certain paradigms and certain spaces where
it wouldn't have been suitable for before.

00:40:20.107 --> 00:40:22.267
But it wasn't the be all and end all.

00:40:22.957 --> 00:40:27.867
And I've been working with a client
where they started off with Next.js, in

00:40:28.167 --> 00:40:32.217
the beginning of the year they brought
me in to try to help them a little bit

00:40:32.217 --> 00:40:35.217
and clean up the Next.js app because
they weren't Next.js developers.

00:40:35.217 --> 00:40:37.977
They were from a totally different
ecosystem and they were trying to

00:40:37.977 --> 00:40:41.307
understand Next, and the app was a mess.

00:40:41.817 --> 00:40:45.447
And so over the last couple months, we
realized, well they don't really have

00:40:45.447 --> 00:40:49.617
the expertise to be able to manage like
a complex Next.js app that was quite

00:40:49.617 --> 00:40:54.597
large in the surface area and handle all
of the caching complexities and RSCs as

00:40:54.597 --> 00:40:56.757
a concept within that development team.

00:40:57.417 --> 00:41:03.477
And so we switched them to Astro after a
while and it's just been a lot easier for

00:41:03.477 --> 00:41:05.667
them to conceptualize and understand that.

00:41:06.327 --> 00:41:08.757
And so is this a net good?

00:41:09.057 --> 00:41:12.909
I actually think it is because
like you say, Carl and I

00:41:12.909 --> 00:41:13.899
completely agree with that.

00:41:13.899 --> 00:41:19.539
It's, this is going to help us
really stop pushing this like,

00:41:19.539 --> 00:41:21.009
envelope of RSCs are for everyone.

00:41:21.009 --> 00:41:25.059
And this is by no means me saying
RSCs are a bad evolution of React.

00:41:25.119 --> 00:41:27.969
No, to the contrary, I actually
think it was a good route, good

00:41:27.969 --> 00:41:30.009
evolution, but it's not for everyone.

00:41:30.279 --> 00:41:31.359
It's not for every site.

00:41:31.599 --> 00:41:36.639
We neglected single page apps, which
are for so many things in pursuit of

00:41:36.639 --> 00:41:39.999
this RSC dream, and I think we need
to come back to reality and see like,

00:41:39.999 --> 00:41:41.619
what is the ecosystem in its whole?

00:41:42.009 --> 00:41:45.955
And start to prompt people to think
a little bit before they always

00:41:45.955 --> 00:41:48.685
reach out for Next.js for every
single project that they wanna do.

00:41:49.195 --> 00:41:50.515
Do you actually need Next?

00:41:51.055 --> 00:41:55.255
Are you having to take on the complexity
that Next gives when you adopt Next?

00:41:55.315 --> 00:41:59.545
And like it has a lot of benefits, but
like, does your site need those benefits?

00:42:00.085 --> 00:42:03.655
Or are you just doing it because
it's what everyone else does?

00:42:04.465 --> 00:42:07.270
So I honestly think
it's, it's a good thing.

00:42:07.420 --> 00:42:08.320
It will be tough.

00:42:08.320 --> 00:42:12.870
There will be an adjustment period, but I
think it'll generally make us a bit more

00:42:12.870 --> 00:42:15.420
nuanced as an ecosystem, which is good.

00:42:15.840 --> 00:42:18.780
And the bleeding edge is not
always the be all and end all.

00:42:18.780 --> 00:42:21.330
The bleeding edge should be there
to help push everyone forward.

00:42:21.830 --> 00:42:23.930
It's not for every
single app that we built.

00:42:24.070 --> 00:42:24.360
Carl: Yeah.

00:42:24.860 --> 00:42:29.520
I have an analogy that I love, or I
don't know, an analogy, a way of framing

00:42:29.760 --> 00:42:34.400
that kind of, you just expressed of
like the we, the bleeding edge and

00:42:34.400 --> 00:42:35.960
like reining it in a little bit there.

00:42:36.020 --> 00:42:39.290
I think there's a really strong
need for two types of work.

00:42:39.290 --> 00:42:42.800
There's the people who are expanding
the range of what's possible, and

00:42:42.800 --> 00:42:45.800
then there's the people who are
bringing that out to everybody else.

00:42:45.860 --> 00:42:49.570
So like, as you're exploring,
like you can't be constrained

00:42:49.570 --> 00:42:53.460
about what is this gonna look
like for every individual actor.

00:42:53.460 --> 00:42:57.120
Like that's, if you're exploring
under the constraints of analyzing

00:42:57.120 --> 00:43:00.770
it for every possible possibility,
you will never explore anything.

00:43:00.770 --> 00:43:01.790
It's just too much work.

00:43:02.120 --> 00:43:08.620
So that needs to happen largely in
isolation, in order to happen at all.

00:43:09.250 --> 00:43:11.050
And then there's a translation.

00:43:11.050 --> 00:43:14.930
It's like, in entrepreneurial
terms, it's the distribution problem.

00:43:14.930 --> 00:43:17.850
It's how do you get it to
everybody, great, you've made

00:43:17.850 --> 00:43:19.600
a perfect, better mouse trap.

00:43:19.600 --> 00:43:23.280
How do you get people to know about
it, realize it's better, and buy it?

00:43:23.700 --> 00:43:26.250
Where in this case, buy it is,
install it over some other tool.

00:43:26.800 --> 00:43:31.660
And yeah, so I think we just got a, the
naysayers got a much stronger argument.

00:43:32.110 --> 00:43:34.100
We'll have to see how that plays out.

00:43:34.600 --> 00:43:37.150
Mark: I will tie this back
to one of my favorite hobby

00:43:37.150 --> 00:43:39.490
horses, which is documentation.

00:43:39.820 --> 00:43:44.500
Maybe I overindex on better docs
being the answer to all problems,

00:43:44.620 --> 00:43:46.870
but it is my answer to all problems.

00:43:47.230 --> 00:43:50.440
And so, one of the points I've made
repeatedly over the course of this year

00:43:50.680 --> 00:43:55.120
is that the React core docs don't talk
about server components meaningfully.

00:43:55.120 --> 00:44:00.730
There's one page with scattered bits
of information, but the core docs

00:44:00.730 --> 00:44:05.860
have no intro to what are server
components, what problem do they solve,

00:44:06.430 --> 00:44:12.130
why should I use them, when should I
use them, which apps and architectures

00:44:12.130 --> 00:44:14.740
would benefit from server components?

00:44:15.115 --> 00:44:18.655
And there are some great posts out there
that go into a lot of this information.

00:44:18.655 --> 00:44:21.265
Vercel had an intro to RSCs post.

00:44:21.565 --> 00:44:26.095
Dan has his explainers on server
components from different mental models,

00:44:26.575 --> 00:44:29.635
but the core docs don't have this.

00:44:30.205 --> 00:44:34.810
And even today I was actually having a,
a tweet discussion with Rachel Nabors,

00:44:34.825 --> 00:44:36.295
one of the original docs authors.

00:44:36.775 --> 00:44:39.775
And we agreed that the
tutorial kind of trails off.

00:44:39.805 --> 00:44:43.465
It doesn't give you any real
world steps on how to apply your

00:44:43.525 --> 00:44:45.685
theoretical knowledge of components.

00:44:46.185 --> 00:44:50.145
I don't necessarily think it's the React
docs' job to explain everything about web

00:44:50.145 --> 00:44:56.385
app architecture, but given that React
itself is now more than just a view

00:44:56.385 --> 00:45:02.595
library, that I think there ought to be
some guidance in the docs about how to act

00:45:02.895 --> 00:45:08.805
like, when does it make sense to use these
different tools that we're providing you.

00:45:09.305 --> 00:45:13.794
Carl: I like her post saying, when I
go back and look at React.dev now, and

00:45:13.794 --> 00:45:15.864
like React.dev was her project.

00:45:15.864 --> 00:45:16.164
She like,

00:45:16.164 --> 00:45:17.339
what, when it started, as,

00:45:17.395 --> 00:45:18.400
Mark: Her and Dan together.

00:45:18.400 --> 00:45:18.730
Yeah.

00:45:19.150 --> 00:45:19.630
Carl: Right.

00:45:19.660 --> 00:45:20.200
Right.

00:45:20.290 --> 00:45:23.200
And so she says, when I go back and
look at React.dev now after having

00:45:23.200 --> 00:45:25.960
shipped half a dozen more developer
education portals since launch, it

00:45:25.960 --> 00:45:28.210
feels half finished, they're saying.

00:45:28.760 --> 00:45:30.350
This is part of their early work.

00:45:30.680 --> 00:45:32.930
They got better at it and now
they see room for improvement,

00:45:33.300 --> 00:45:34.200
which I think is really real.

00:45:34.700 --> 00:45:35.880
Mo: Yeah, a hundred percent.

00:45:36.060 --> 00:45:40.877
And the earliest like time, we started
to actually talk about this this

00:45:40.877 --> 00:45:44.597
year, which kinda goes into the year
recap, but is we, we conversation

00:45:44.717 --> 00:45:46.217
finally over the CRA deprecation.

00:45:46.217 --> 00:45:49.677
Like that was the reckoning that started
this conversation about what did, what

00:45:49.677 --> 00:45:53.727
is the React stance on, where is RSC
suitable and where is it not suitable?

00:45:53.727 --> 00:45:54.087
So.

00:45:54.657 --> 00:45:57.357
It's interesting that we're looping
back to this, but yeah, it's, it's

00:45:57.477 --> 00:45:59.217
been a common theme for the last year.

00:45:59.907 --> 00:46:00.327
Carl: Yeah.

00:46:00.387 --> 00:46:05.087
And man, going back to my, comparison
of like the explorers and the, I don't

00:46:05.087 --> 00:46:07.967
know, salesmen did, for lack of a better.

00:46:08.002 --> 00:46:11.995
Mark: There are specific like business
programmer archetype posts that I've

00:46:11.995 --> 00:46:14.950
seen that cover this, and I don't know
what they are off the top of my head.

00:46:15.468 --> 00:46:15.888
Carl: You are right.

00:46:15.888 --> 00:46:21.525
But I feel like the React core team
is perhaps too heavily stacked with

00:46:21.945 --> 00:46:28.355
scientists and adventurers and there's
not enough entrepreneurs and teachers,

00:46:28.775 --> 00:46:33.485
like we need more who are bringing
this knowledge and like workshopping

00:46:33.485 --> 00:46:36.095
it to say what is understandable?

00:46:36.095 --> 00:46:40.975
How can we make people, how can
we put words to page that permit

00:46:40.975 --> 00:46:44.155
people to walk away from it with
the understanding we intended.

00:46:44.800 --> 00:46:50.680
And like there's like, they're so busy
figuring out what it needs to be that

00:46:50.770 --> 00:46:56.500
I don't think they're quite investing
the time and energy into ensuring that

00:46:57.000 --> 00:46:58.590
people understand what they intend.

00:46:59.220 --> 00:47:02.090
And I guess we've said before, I've
said this before, in the podcast,

00:47:02.090 --> 00:47:07.780
that React spent so long in
this number one seat of mindshare.

00:47:07.780 --> 00:47:14.700
Like it spent solidly, I'd say eight
years as like one of the top five

00:47:15.270 --> 00:47:17.850
hottest technologies in general.

00:47:17.850 --> 00:47:22.140
And so they didn't need that core
team labor of figuring out how to

00:47:22.140 --> 00:47:25.770
make people understand it because
there was a legion of community

00:47:25.770 --> 00:47:30.270
members where, that was how they were
doing their competitive advantage.

00:47:30.280 --> 00:47:33.460
They were, that's they were
getting consulting work is by

00:47:33.460 --> 00:47:36.790
being a subject matter expert
on the cutting edge of React.

00:47:36.940 --> 00:47:39.430
And like, nobody cares about that anymore.

00:47:39.790 --> 00:47:43.360
Not literally like I care, you care
the people listening to this care.

00:47:43.642 --> 00:47:45.652
Mo: It's not paying people's
bills like it used to.

00:47:45.652 --> 00:47:48.892
And so all of the attention onto
AI, so you don't have all of the

00:47:49.222 --> 00:47:50.782
consultants and all of those people.

00:47:50.782 --> 00:47:54.112
So it's now the responsibility
to React core team to do that.

00:47:54.502 --> 00:47:57.892
There's a, there's a person at work who
does like technology mapping that is like

00:47:57.922 --> 00:48:01.342
a little bit more senior than I am, and
he spends more time in strategy stuff.

00:48:01.342 --> 00:48:04.822
So he is more of that entrepreneurial type
of person that you're talking about, Carl,

00:48:05.182 --> 00:48:09.202
and he talks about like technologies
going through this, like these different

00:48:09.202 --> 00:48:13.012
levels of like genesis, and then
growth, and then at the end they become

00:48:13.012 --> 00:48:16.642
commoditized and like whether we like it
or not, React has become commoditized.

00:48:16.642 --> 00:48:17.452
Like there are

00:48:17.515 --> 00:48:20.665
many ways that you can quickly
build React apps, whereas like, it

00:48:20.665 --> 00:48:22.825
wasn't the case several years ago.

00:48:22.825 --> 00:48:27.615
And so it's it's now there's a point where
we need to really document everything

00:48:27.615 --> 00:48:31.485
and make sure that it's understandable
by everyone because there aren't gonna

00:48:31.485 --> 00:48:35.745
be consultants who you know are gonna
be, that you have to pay to do it.

00:48:35.795 --> 00:48:37.205
It's very accessible to everyone.

00:48:37.591 --> 00:48:41.851
Mark: My last thought on this topic is
that, I don't think the React core team

00:48:42.440 --> 00:48:46.110
has time to do a bunch of additional
documentation unless they significantly

00:48:46.110 --> 00:48:48.360
change their priorities and maybe
they're not the best people to do it.

00:48:48.750 --> 00:48:51.730
But I was encouraged by discussions
with the team at React Conf for, they

00:48:51.750 --> 00:48:57.330
indicated they are much more interest,
they're very willing to have external

00:48:57.330 --> 00:48:59.430
community contributions to the docs.

00:48:59.930 --> 00:49:02.090
Obviously, there needs to be
collaboration agreement on what the

00:49:02.090 --> 00:49:06.620
content is, but they're willing to
work with people to get that stuff in.

00:49:07.120 --> 00:49:07.390
Carl: Yep.

00:49:07.630 --> 00:49:08.200
Interesting.

00:49:08.700 --> 00:49:11.520
Yeah, I would, I would like to talk
more with you about that actually,

00:49:11.550 --> 00:49:12.340
Mark. Cool.

00:49:12.802 --> 00:49:14.422
Mark: Moving right along.

00:49:14.634 --> 00:49:17.604
Carl: Mo can you give us a bit of
a recap about React Native this

00:49:17.604 --> 00:49:19.568
year as our React Native expert?

00:49:20.048 --> 00:49:20.873
Mo: I would love to.

00:49:20.873 --> 00:49:21.743
Thanks Carl.

00:49:22.013 --> 00:49:26.963
So let's do our React
Native year in recap 2025.

00:49:27.503 --> 00:49:30.803
So I'm gonna start from January and
we're gonna do this very quick fire.

00:49:31.143 --> 00:49:34.503
And I'll go over the releases,
I'll go over some other significant

00:49:34.533 --> 00:49:36.063
things that happen in the ecosystem.

00:49:36.573 --> 00:49:38.613
What I will say is, this
is not comprehensive.

00:49:38.613 --> 00:49:41.403
You can obviously go through the podcasts
and listen through every single month,

00:49:41.978 --> 00:49:45.128
I thought I'd pull out things that were
significant enough to me personally.

00:49:45.128 --> 00:49:49.358
So this is by no means a prioritization
of how important things are.

00:49:49.358 --> 00:49:50.798
It's just what came to mind.

00:49:50.798 --> 00:49:53.198
And I'll ground them by the
React Native releases that went

00:49:53.198 --> 00:49:54.408
out during the year basically.

00:49:54.888 --> 00:49:55.008
So.

00:49:55.508 --> 00:49:59.348
January React Native version 0.77.

00:49:59.618 --> 00:50:03.256
So this one was basically
give a high level.

00:50:03.376 --> 00:50:08.206
There was a lot of focus on styling
because CSS is super, super rich in

00:50:08.206 --> 00:50:09.496
terms of styling that it gives you.

00:50:09.616 --> 00:50:14.326
And so a lot of effort was put into taking
CSS features and bringing them into React

00:50:14.326 --> 00:50:18.406
Native to help with layouting, to help
with sizing and even things like blending

00:50:18.406 --> 00:50:19.816
modes, which was really quite cool.

00:50:20.116 --> 00:50:24.550
So it helped make styling within React
Native a little bit more web-like.

00:50:24.800 --> 00:50:27.140
And that was a trend through a
lot of the releases, not just in

00:50:27.140 --> 00:50:30.800
styling, but in other spaces within
this year's React Native releases.

00:50:31.250 --> 00:50:34.970
Another thing that's worth mentioning was
there was a breaking change that seemed

00:50:34.970 --> 00:50:39.058
to be Initially they thought that it was
gonna be quite uncontroversial, which was

00:50:39.058 --> 00:50:41.518
removing console logs showing in Metro.

00:50:41.938 --> 00:50:44.668
We'll come back to that in
one of the next releases.

00:50:45.168 --> 00:50:48.528
Same time in January, Expo
launches their EAS hosting.

00:50:48.798 --> 00:50:53.748
And so this is Expo's foray into
the universal app deployment world.

00:50:53.988 --> 00:50:57.498
Obviously Expo's been pushing universal
apps for the last couple of years and

00:50:57.498 --> 00:51:00.924
they didn't have a hosting solution
for it and things like backend routes

00:51:00.924 --> 00:51:03.864
and so on and so forth to help you
build a full stack application.

00:51:04.164 --> 00:51:09.275
So they launched EAS hosting as sort
of a esque competitor for people

00:51:09.275 --> 00:51:12.515
that want to build mobile and web
apps using the Expo ecosystem.

00:51:12.735 --> 00:51:15.855
And also have basic API
endpoints and so on and so forth.

00:51:16.165 --> 00:51:18.385
So that was another thing
that happened in January.

00:51:18.925 --> 00:51:22.315
We move on to February, React Native 0.78.

00:51:22.735 --> 00:51:28.285
And this was big because React Native was
struggling, was kind of falling behind

00:51:28.285 --> 00:51:31.835
the React ecosystem in terms of adopting
the latest major versions of React.

00:51:31.835 --> 00:51:34.685
So it was on React 18 for a long time.

00:51:35.225 --> 00:51:41.165
And so, 0.78 in February gave us React
19 support, which came with a whole

00:51:41.165 --> 00:51:44.255
bunch of different things, but you
were able to finally use all of the

00:51:44.280 --> 00:51:49.465
new React features, like actions, like
the optimistic and so on and so forth.

00:51:49.855 --> 00:51:53.095
There was also the React compiler and
they started to hint that we're gonna

00:51:53.095 --> 00:51:54.925
have more frequent releases this year.

00:51:55.375 --> 00:51:59.755
Now the example that I mentioned, or the
point that I mentioned around the removing

00:51:59.755 --> 00:52:06.475
of logs was reverted this release because
of widespread complaints because people

00:52:06.475 --> 00:52:11.485
are used to seeing their logs in Metro
and so they added a flag saying that you

00:52:11.485 --> 00:52:16.615
can now pass dash dash client logs and
get back your logs, which was, was much

00:52:16.615 --> 00:52:18.235
appreciated by the React Native community.

00:52:18.735 --> 00:52:24.165
In March no React Native releases, but
the folks at ByteDance released Lynx and

00:52:24.165 --> 00:52:29.115
Lynx was sort of their internal inner
source version of React Native that was

00:52:29.385 --> 00:52:32.205
very similar to React Native in many
ways, but was also quite different in

00:52:32.205 --> 00:52:34.695
terms of how they handled the internals.

00:52:34.915 --> 00:52:40.115
And was really focused on getting a quick
time to interactive for a mobile app.

00:52:40.355 --> 00:52:43.805
So this is what's powering apps
like TikTok and so on and so forth.

00:52:43.985 --> 00:52:46.785
So it was quite exciting to see
an alternative to React Native

00:52:46.785 --> 00:52:50.255
and a different take to building
cross-platform native apps that

00:52:50.255 --> 00:52:51.725
followed React Native very closely.

00:52:52.225 --> 00:52:57.925
In April, we had React Native version
0.79, and so I'm gonna just highlight

00:52:57.955 --> 00:53:00.865
one thing out of this release, which
was, and of course there was a lot

00:53:00.865 --> 00:53:04.765
more that happened in this release,
but one of the key things was JS Core,

00:53:04.765 --> 00:53:09.585
which was the old engine, pre Hermes
that React Native relied on, moved

00:53:09.585 --> 00:53:11.325
to a community maintained package.

00:53:11.625 --> 00:53:12.195
So.

00:53:12.695 --> 00:53:15.785
Majority of React Native users didn't
really, didn't make a difference to them.

00:53:15.785 --> 00:53:19.215
But for some of those older apps
that relied on JSC, it, it just

00:53:19.215 --> 00:53:25.115
signaled that the React team was
really zeroing in on Hermes as the

00:53:25.115 --> 00:53:26.765
engine to run React Native apps.

00:53:27.265 --> 00:53:30.685
Then in June, two months after we
had React Native version 0.80.

00:53:30.955 --> 00:53:36.085
And so this one was big because the
legacy architecture, as they put it,

00:53:36.085 --> 00:53:39.925
or as how everyone sort of referred to
it, the old architecture was frozen.

00:53:40.555 --> 00:53:45.925
And so this was pretty much in, in this
world of making the new architecture,

00:53:45.925 --> 00:53:49.075
the sort of de facto way at the
de facto internals of React Native,

00:53:49.375 --> 00:53:53.615
this was sort of a big deal because
it was basically saying, we are no

00:53:53.615 --> 00:53:56.735
longer gonna be so supporting the old
architecture, and we really want everyone

00:53:56.735 --> 00:53:58.355
to move over to the new architecture.

00:53:58.535 --> 00:53:59.855
It's been in the making for years.

00:54:00.095 --> 00:54:01.595
Let's get everyone migrated away.

00:54:01.905 --> 00:54:04.635
This was sort of the big
news for this release.

00:54:05.135 --> 00:54:09.615
Then two months later in August there
was a release of React Native 0.81.

00:54:09.915 --> 00:54:14.205
This was mainly focused on Android 16
support because there was some drastic

00:54:14.265 --> 00:54:16.155
breaking changes in the Android ecosystem.

00:54:16.465 --> 00:54:19.255
So this was API level 36
for you Android developers.

00:54:19.555 --> 00:54:23.555
And it supported things like Edge to
edge support but it also deprecated

00:54:23.555 --> 00:54:26.595
things like safe area view because
there were better alternatives in the

00:54:26.595 --> 00:54:30.455
ecosystem that were open, open source
and really just made sure that that

00:54:30.455 --> 00:54:34.125
React Native was compliant with the
latest Google requirements for apps,

00:54:34.125 --> 00:54:35.625
which was to have edge to edge support.

00:54:36.125 --> 00:54:41.015
Then in September we had a talk
from Jorge Cohen, who's one of

00:54:41.015 --> 00:54:44.285
the engineering managers at Meta
in the React Native Core team.

00:54:44.585 --> 00:54:47.495
And they talked about how
1.0 is on the horizon.

00:54:47.495 --> 00:54:51.545
So this has been like the brunt
of jokes in the React Native

00:54:51.545 --> 00:54:55.895
ecosystem for a very long time that
React Native will never reach 1.0.

00:54:56.225 --> 00:54:59.615
And so this was a, this was quite fun
for us to hear as a community that,

00:54:59.665 --> 00:55:03.385
you know, there is a world in which
we can reach a 1.0 of React Native.

00:55:03.635 --> 00:55:06.275
And there are many memes if
you search for React Native 1.0

00:55:06.522 --> 00:55:09.255
Mark: We're not there yet, but
at least we're talking about it.

00:55:09.932 --> 00:55:11.912
Mo: It's a great, great move, right?

00:55:11.912 --> 00:55:14.282
Like it's, at least we're
talking about it, which is great.

00:55:14.905 --> 00:55:19.345
A little bit of an anecdote is, I still
laugh when there was a CEO of a company

00:55:19.345 --> 00:55:22.525
that we spoke to who we were trying to
say, you should go to React Native and

00:55:22.525 --> 00:55:23.965
not build two separate native apps.

00:55:24.265 --> 00:55:27.685
And he said to me, point blank, that
"my friend told me that React Native is

00:55:27.685 --> 00:55:32.105
so unstable, it's not even version
1.0." And that still makes me chuckle.

00:55:32.585 --> 00:55:33.875
How decisions are made.

00:55:34.375 --> 00:55:34.885
Cool.

00:55:35.455 --> 00:55:40.515
Same time in September the folks at
Amazon lifted the veil on something

00:55:40.515 --> 00:55:43.875
that they've been working on for a
number of years, which is a completely

00:55:43.875 --> 00:55:48.105
new operating system that is built from
the ground up to support React Native.

00:55:48.165 --> 00:55:49.845
And so they call it Vega OS.

00:55:50.135 --> 00:55:54.495
I have known about Vega OS for a little
while and have been working with some of

00:55:54.495 --> 00:55:56.505
the folks at Amazon behind the scenes.

00:55:56.805 --> 00:56:02.445
But Vega OS will power the next
generation of Fire TV devices and

00:56:02.445 --> 00:56:04.185
other devices that Amazon makes.

00:56:04.245 --> 00:56:08.295
And so this was really quite cool
because the only way and the de facto

00:56:08.295 --> 00:56:11.295
way that you build apps for this new
operating system is with React Native.

00:56:11.655 --> 00:56:17.205
So it's a big bet on React Native's future
and longevity as a technology,

00:56:17.205 --> 00:56:18.765
which was really, really cool to see.

00:56:18.765 --> 00:56:22.005
And it just shows that this ecosystem
is only growing and expanding.

00:56:22.505 --> 00:56:25.535
Then in October we had
React Native version 0.82.

00:56:25.805 --> 00:56:29.105
Now this one was also a big one in
the world of new architecture releases

00:56:29.375 --> 00:56:35.015
because this was a release where
they removed the legacy architecture.

00:56:35.465 --> 00:56:38.855
And so basically they were saying
that this version will only

00:56:38.855 --> 00:56:40.715
run on the new architecture.

00:56:40.895 --> 00:56:43.655
You'll need to adopt the new
architecture to be able to use it.

00:56:43.995 --> 00:56:46.635
And they're gonna be
removing for future releases.

00:56:46.935 --> 00:56:50.325
All of the components in the code
that rely on the legacy architecture.

00:56:50.825 --> 00:56:55.745
Also in October we had Expo
launching their 2025 Expo app awards.

00:56:56.085 --> 00:56:59.015
So this was the first time they were
doing this, but it was actually quite

00:56:59.015 --> 00:57:01.885
cool and I think it's notable to
talk about it, which is, Expo sort

00:57:01.885 --> 00:57:05.892
of in, in Apple-esque fashion of,
let's do an app awards for the year.

00:57:06.102 --> 00:57:10.332
They basically opened up nominations for
people to, to nominate any apps that have

00:57:10.332 --> 00:57:12.222
been built with React Native and Expo.

00:57:12.592 --> 00:57:16.532
And so we saw a lot of cool apps come
from different parts of the world

00:57:16.532 --> 00:57:19.457
and, and basically say, Hey, we
use React Native, we use Expo.

00:57:19.707 --> 00:57:23.227
And so it was a really cool uh, it
was a really cool showcase and I think

00:57:23.227 --> 00:57:28.517
it's a really good collection of really
top class well-built, well-designed

00:57:28.877 --> 00:57:32.447
apps that have been built with React
Native and having something like that

00:57:32.777 --> 00:57:35.537
available as a reference is really
cool when you're talking to people

00:57:35.537 --> 00:57:38.787
about why React Native is a great
technology to be building your apps with.

00:57:39.287 --> 00:57:44.177
And finally, and we talked about it in
the new releases going to December, we now

00:57:44.177 --> 00:57:46.397
have React Native version 0.83.

00:57:46.907 --> 00:57:50.087
And so the key things to highlight
with this, as we mentioned, is the

00:57:50.087 --> 00:57:53.687
new dev tools and that there are no
breaking changes, which is very, very

00:57:53.687 --> 00:57:57.497
exciting for the React Native community
to not have any breaking changes

00:57:57.497 --> 00:57:59.867
and have a smooth update process.

00:58:00.347 --> 00:58:03.527
And so that's the yearly
recap for React Native.

00:58:03.617 --> 00:58:07.785
And I hope it was tac enough and I
didn't bore the audience with all of

00:58:07.785 --> 00:58:11.415
the releases and all of the numbers
that start from 77 and go up to 83.

00:58:11.556 --> 00:58:12.576
Carl: That's a lot of releases!

00:58:12.696 --> 00:58:15.709
Mark: I would not have known enough
to pull in most of those items

00:58:15.969 --> 00:58:16.779
Carl: That's a lot of releases.

00:58:16.779 --> 00:58:19.659
I mean, we got six releases
in 12 months, like hot damn.

00:58:19.659 --> 00:58:19.809
That's

00:58:20.049 --> 00:58:20.649
Mark: Every two months.

00:58:20.649 --> 00:58:21.429
That's solid.

00:58:21.624 --> 00:58:22.824
Carl: Do you know when
it was first released?

00:58:23.071 --> 00:58:23.671
Mo: React Native's.

00:58:23.671 --> 00:58:24.806
First release was 2015.

00:58:25.612 --> 00:58:28.282
Carl: Okay, so that's 10
years, 83 versions in 10 years.

00:58:28.282 --> 00:58:31.132
That's, I guess that's eight
per year, so, oh, if they're

00:58:31.132 --> 00:58:32.122
slowing down, how dare they?

00:58:32.534 --> 00:58:38.594
Mo: So, so there was a very, very fast
start at where very, very like quick,

00:58:38.594 --> 00:58:42.794
quick releases and then um, it slowed
down to several months before there

00:58:42.794 --> 00:58:46.394
was a release, and now they're sort of
standardizing it at a release every two

00:58:46.394 --> 00:58:49.318
months, which is quite good because,
you know, that's something that's more

00:58:49.318 --> 00:58:53.168
maintainable and manageable and makes
it less painful to do the updates.

00:58:53.318 --> 00:58:56.948
So if I've done my math right here,
if we do the a hundred divided by 83,

00:58:56.948 --> 00:58:59.618
that's 17 divided by six releases.

00:58:59.708 --> 00:59:03.668
So we're talking three years before, if
they just continue on the succession,

00:59:03.879 --> 00:59:06.549
1.0 might be there in 2.8 years.

00:59:06.891 --> 00:59:10.041
Or they do 0.100 and
then we all have a good laugh.

00:59:10.485 --> 00:59:10.785
Carl: Yeah.

00:59:10.785 --> 00:59:11.959
I'm just pulling it up real quick.

00:59:11.959 --> 00:59:17.389
Version 0.1 initial public release
was March 27th, 2015, and they

00:59:17.389 --> 00:59:20.369
had version 0.10 out by August.

00:59:20.369 --> 00:59:23.639
So yeah, that's 10 releases
in like three months.

00:59:23.669 --> 00:59:27.149
So that's entirely
different type of release.

00:59:27.649 --> 00:59:28.039
Yeah, man.

00:59:28.039 --> 00:59:31.879
They're on version 0.40 in
2016, like a year later,

00:59:32.209 --> 00:59:35.965
that doesn't really mean anything, but
that's just some fun uh, It's interesting

00:59:35.965 --> 00:59:39.955
this, it's professionalizing, you got
this prototype that, oh, look at works.

00:59:40.015 --> 00:59:40.705
Oh, it's broken.

00:59:40.735 --> 00:59:41.365
Oh, it's broken.

00:59:41.395 --> 00:59:42.085
Oh, it's broken.

00:59:42.905 --> 00:59:47.325
It's like a stable-ish product
with a release schedule

00:59:47.325 --> 00:59:48.165
and all that kind of stuff.

00:59:48.255 --> 00:59:49.005
It's cool to see.

00:59:49.505 --> 00:59:50.825
Mo: I wouldn't say stable-ish.

00:59:50.825 --> 00:59:51.605
I'd say stable.

00:59:51.605 --> 00:59:53.615
Don't undermine the
community like that, Carl.

00:59:54.095 --> 00:59:57.685
Carl: According to SemVer, a zero major
version, you are allowed to release

00:59:57.685 --> 01:00:00.809
breaking changes without a major revision.

01:00:01.309 --> 01:00:03.221
Mo: You're telling me the
CEO was right all along.

01:00:03.221 --> 01:00:04.751
It's not stable until it's 1.0.

01:00:04.871 --> 01:00:05.261
Right.

01:00:05.801 --> 01:00:06.461
Carl: I'm just saying.

01:00:06.491 --> 01:00:08.351
Technically, that's what the contract says.

01:00:08.577 --> 01:00:10.227
Mo: Technically, that is
what the contract says.

01:00:10.227 --> 01:00:10.587
You are.

01:00:10.617 --> 01:00:11.727
You are absolutely right.

01:00:12.227 --> 01:00:13.787
So yeah, it was lovely as always.

01:00:13.817 --> 01:00:18.537
Have a lovely holidays to everyone
who's listening and enjoy whatever

01:00:18.537 --> 01:00:21.627
festivities you're celebrating and
we'll see you on the other side.

01:00:22.306 --> 01:00:23.056
Mark: Thank you very much, Mo.

01:00:23.476 --> 01:00:25.216
Merry Christmas and happy
holidays to you too.

01:00:25.546 --> 01:00:26.026
Carl: Cool.

01:00:26.266 --> 01:00:27.226
Okay, wonderful.

01:00:27.674 --> 01:00:32.024
Mark: Semi rapid firing our way through
the myriad of stuff we have left.

01:00:32.086 --> 01:00:37.936
We, we started the year in React land with
React 19 had just come out in December of

01:00:37.936 --> 01:00:42.976
24, and that's when I noticed everyone's
Create React App projects were breaking.

01:00:43.516 --> 01:00:48.916
And I will still take 75 to 80%
of the credit for the actual

01:00:49.126 --> 01:00:51.106
deprecation process happening here.

01:00:51.446 --> 01:00:54.926
Theo had put up his post complaining
about the docs a couple years ago.

01:00:54.926 --> 01:00:59.756
Dan had written his response saying,
don't use CRA, but I take credit for

01:00:59.816 --> 01:01:04.346
complaining loud enough for noticing the
problem and complaining loud enough and

01:01:04.346 --> 01:01:10.580
filing the issue and pushing them to make
this happen, which is also how we actually

01:01:10.580 --> 01:01:15.980
ended up with the React Docs actually
now listing Vite, Rsbuild, and Parcel,

01:01:15.980 --> 01:01:22.880
and do it yourself tooling as a valid,
officially documented, supported way to do

01:01:22.880 --> 01:01:26.300
a React project, not just use a framework.

01:01:26.540 --> 01:01:28.490
So I actually legitimately
take credit for that one.

01:01:28.990 --> 01:01:30.100
Carl: I give credit for that one.

01:01:30.100 --> 01:01:30.520
Yeah.

01:01:30.567 --> 01:01:34.977
Yeah, we, so we start with Create React
App deprecation, much better new docs.

01:01:35.037 --> 01:01:38.637
We move into styled-components getting
actually officially deprecated.

01:01:38.926 --> 01:01:42.826
Mark: That had kind of been on the
horizon because of the changes with server

01:01:42.826 --> 01:01:46.666
components and not having context support
in a server components environment.

01:01:46.966 --> 01:01:52.086
Which, kind of also goes back to the,
the mental model and like, even if

01:01:52.086 --> 01:01:56.489
they're not pushing server components,
technical changes and having to

01:01:56.489 --> 01:01:59.342
keep up change on the ecosystem

01:01:59.738 --> 01:02:03.908
So the big React release this year
was 19.2 in the fall, which included

01:02:03.908 --> 01:02:07.708
the, the final actual release of
the Activity component, previously

01:02:07.708 --> 01:02:11.968
Offscreen, and the new confusingly
named useEffectEvent hook.

01:02:12.508 --> 01:02:16.918
And then along with that at React Conf,
the React Compiler finally hit 1.0.

01:02:16.978 --> 01:02:21.778
It had been an RC for a while and now it's
finally officially, officially available.

01:02:22.078 --> 01:02:26.788
It'll be still very interesting to
see what the adoption rate is on that.

01:02:26.788 --> 01:02:27.988
I, I have no metrics.

01:02:27.988 --> 01:02:30.538
I've not looked at download
numbers or anything.

01:02:30.878 --> 01:02:35.680
But I feel like it's gonna need
official integration into build tool

01:02:35.680 --> 01:02:39.280
chains to really start to take off,
otherwise it's still kind of piecemeal.

01:02:39.780 --> 01:02:44.870
On the API research side we had the
canary release of view transitions.

01:02:45.210 --> 01:02:49.650
We've got the ongoing concurrent
stores work that I am very personally

01:02:49.650 --> 01:02:51.390
excited about and involved in.

01:02:51.700 --> 01:02:56.740
We saw a mention of killing off
the existing throw a promise

01:02:56.740 --> 01:03:00.400
method for triggering suspense
now got the use hook available.

01:03:00.950 --> 01:03:05.380
Also at React Conf, Ricky Hanlon's
talk on Async React, I think

01:03:05.380 --> 01:03:08.590
was one of the biggest pieces of
messaging from the React team.

01:03:09.010 --> 01:03:12.550
We've spent all these years
building the new features, suspense,

01:03:12.550 --> 01:03:14.840
transitions all the other stuff.

01:03:15.200 --> 01:03:19.250
What does it mean in
terms of coherent usage?

01:03:19.430 --> 01:03:23.840
How does it change the code that
you'd write versus a 2018-era app?

01:03:24.200 --> 01:03:28.220
What does it mean in terms of, well,
you know, ecosystem libraries like

01:03:28.220 --> 01:03:32.840
component libraries and routers and state
management tools ought to just do the

01:03:32.840 --> 01:03:36.770
transition calls for you so you don't
have to write them in your own code.

01:03:37.270 --> 01:03:39.100
I think we're gonna be
digesting the implications of

01:03:39.100 --> 01:03:40.930
that one for quite a while.

01:03:41.750 --> 01:03:47.450
Then at React Conf, we also had the mic
drop announcement of the React Foundation

01:03:47.960 --> 01:03:54.020
that React's ownership is finally
after years and years of speculation.

01:03:54.020 --> 01:03:59.570
And boy, I wish they would actually
moving from Meta to an independent

01:03:59.570 --> 01:04:04.860
foundation, part of the Linux Foundation,
with multiple companies providing

01:04:04.890 --> 01:04:10.050
financial support, board governance,
and technical support as well.

01:04:10.550 --> 01:04:14.300
And then I, I found out some more details
from Seth Webster at React Summit that,

01:04:14.300 --> 01:04:18.590
they'd been working on this for like
four years and had even held off on

01:04:18.980 --> 01:04:21.860
trying to do the announcement for a
while because they wanted to make sure

01:04:21.860 --> 01:04:27.620
that they were working on they, that,
that their internal day-to-day process

01:04:27.620 --> 01:04:31.730
of development was essentially beta
testing the process that they're going

01:04:31.730 --> 01:04:33.950
to use as things become more public.

01:04:34.610 --> 01:04:38.200
And the comments that down the road
they want to make the development

01:04:38.230 --> 01:04:43.420
of its, of React itself fully public,
the weekly meetings bringing back

01:04:43.480 --> 01:04:46.870
RFCs as a means of getting proposals.

01:04:47.260 --> 01:04:53.020
So the development of React is going to
change significantly as we go forward.

01:04:53.570 --> 01:04:57.140
We've also had all the rise of all
the different AI powered build tools,

01:04:57.140 --> 01:04:58.820
which are using React by default.

01:04:58.820 --> 01:05:00.500
'cause that's what LLMs are trained on.

01:05:00.840 --> 01:05:06.960
A lot of that is based on Vite. Of
course, Next, v0 is using Next, but

01:05:07.250 --> 01:05:09.240
Vite is the default for a lot of these.

01:05:09.570 --> 01:05:13.230
And so the growth charts
for React are absurd.

01:05:13.820 --> 01:05:14.595
Carl: It is absurd.

01:05:14.595 --> 01:05:16.245
There's a visible inflection point.

01:05:16.245 --> 01:05:16.515
I don't know.

01:05:16.515 --> 01:05:18.015
It's, it's funny, there's
actually like two—

01:05:18.220 --> 01:05:20.830
Mark: Like January this year is
when all the AI tools took off.

01:05:21.385 --> 01:05:21.805
Carl: Yeah.

01:05:22.105 --> 01:05:25.365
It's funny 'cause there's a certain,
very consistent, I would say exponential

01:05:25.365 --> 01:05:28.875
growth curve from like 2015 to 2023.

01:05:29.025 --> 01:05:31.245
And then it's funny, there's
like a little kink down.

01:05:31.245 --> 01:05:35.235
Like stops growing quite as
quickly until January of this

01:05:35.235 --> 01:05:37.185
year and then it fucking rockets.

01:05:37.685 --> 01:05:38.465
So that, I don't know.

01:05:38.465 --> 01:05:39.095
That's interesting.

01:05:39.125 --> 01:05:45.025
So I wonder if people stopped, like
the pace of new projects actually

01:05:45.175 --> 01:05:47.695
got hampered by initial AI tools.

01:05:47.725 --> 01:05:50.935
'cause maybe I, I feel like people
may be, I dunno, this is speculation,

01:05:50.935 --> 01:05:53.425
but I feel like people wanted them
to be able to do more than they

01:05:53.425 --> 01:05:59.035
could and actual as evidenced in
download numbers, pace of development

01:05:59.035 --> 01:06:00.595
slowed and maybe they got better.

01:06:01.045 --> 01:06:01.290
I don't know.

01:06:01.295 --> 01:06:01.795
This is fun.

01:06:01.945 --> 01:06:04.915
It's just interesting to look at
some data and see some patterns.

01:06:05.415 --> 01:06:08.927
Mark: As mentioned earlier, we're
seeing other tools working on RSC

01:06:08.927 --> 01:06:12.667
support, and I think the biggest one
is React Router officially bringing

01:06:12.667 --> 01:06:14.827
out RSC support in framework mode.

01:06:14.827 --> 01:06:18.307
I think that's gonna be one of the
biggest pieces of, of adoption outside

01:06:18.307 --> 01:06:22.277
of Next. We've seen a bunch of other
frameworks with RSC support in some

01:06:22.277 --> 01:06:24.942
form: Parcel, Redwood, Waku, et cetera.

01:06:25.227 --> 01:06:30.297
TanStack Start is teasing RSC
support, and I have seen Tanner

01:06:30.297 --> 01:06:34.197
gave me a demo and I think it's
gonna blow people's minds once that

01:06:34.197 --> 01:06:37.677
officially comes out just because
it's so different and yet it works.

01:06:37.677 --> 01:06:42.807
Dan went on a whole series of blog
posts back in the spring where he put

01:06:42.807 --> 01:06:46.917
out like 10 different posts trying
to explain our server components from

01:06:46.917 --> 01:06:49.527
first concepts, different mental models.

01:06:49.827 --> 01:06:51.237
Here's another explanation.

01:06:51.237 --> 01:06:56.907
Does this explanation make RSCs click
for Is it a GraphQL replacement?

01:06:56.937 --> 01:06:58.527
Is it a backend for front end?

01:06:58.527 --> 01:06:59.487
Is it serialized

01:06:59.487 --> 01:07:00.922
JSON? And...

01:07:01.422 --> 01:07:05.292
I would love to see a lot of
these, like some form of this

01:07:05.352 --> 01:07:07.452
added to the docs somehow.

01:07:08.002 --> 01:07:13.342
We had the React Router Remix team,
Ryan Florence and Michael Jackson

01:07:13.622 --> 01:07:17.432
teasing us for months about what
Remix v3 would look like.

01:07:17.492 --> 01:07:19.442
Was it going to be a fork?

01:07:19.472 --> 01:07:20.697
Would it use Preact?

01:07:20.697 --> 01:07:22.287
Would it be a fork of Preact?

01:07:22.577 --> 01:07:24.707
Iframes something somehow.

01:07:25.097 --> 01:07:29.297
And then they eventually had Remix
Conf and dropped the details.

01:07:29.657 --> 01:07:35.837
And it's a weird hybrid mix of
React and Backbone and a few

01:07:35.837 --> 01:07:37.067
other things mixed together.

01:07:37.407 --> 01:07:43.167
It's clearly not, it's literally not
React, but there's a lot of overlap.

01:07:43.587 --> 01:07:48.447
No idea how that one's gonna get adopted,
but it's clearly like they clearly have

01:07:48.447 --> 01:07:50.337
their idea and they're going with it.

01:07:50.837 --> 01:07:57.017
We had numerous arguments over
directives and bundlers and

01:07:57.017 --> 01:07:59.267
mental models and complexity.

01:07:59.657 --> 01:08:05.237
Use client, use server, use
cache, use, use, use, use, use,

01:08:05.237 --> 01:08:07.547
use, use, use, use, use, use.

01:08:08.047 --> 01:08:08.437
Yeah.

01:08:08.937 --> 01:08:14.417
And finally, speaking purely for myself, I
started the year feeling very frustrated.

01:08:14.622 --> 01:08:18.472
I put a lot of emotional energy
into like the Create React App

01:08:18.872 --> 01:08:23.372
deprecation and trying to convince
the team to change the docs.

01:08:23.492 --> 01:08:26.762
I even spent a while writing a
blog post that I fortunately never

01:08:26.762 --> 01:08:30.242
actually published because it was too
ranty and would've caused problems.

01:08:30.612 --> 01:08:36.512
I was very frustrated with the direction
of React early on, but I can say

01:08:36.512 --> 01:08:41.922
that React Conf completely changed my
outlook on where things are going.

01:08:42.402 --> 01:08:46.722
The technical progress is great,
compiler and 19.2 and performance

01:08:46.782 --> 01:08:48.052
research, that's all cool.

01:08:48.592 --> 01:08:50.632
The foundation I never saw coming.

01:08:50.952 --> 01:08:56.172
And the fact that they finally were
doing it like even, like, even just the,

01:08:56.172 --> 01:09:01.622
the slide, seeing them say the words
React Foundation tells me a lot about

01:09:01.622 --> 01:09:04.262
the intent and what they've been trying to do.

01:09:04.292 --> 01:09:07.232
And it, and like, it was only afterwards
that I got a sense of how many

01:09:07.232 --> 01:09:08.612
years they've been working on this.

01:09:09.112 --> 01:09:13.162
And then on an individual level, like I
got to talk to several React team members

01:09:13.162 --> 01:09:17.772
who basically said, we don't get any
credit for doing community related

01:09:17.772 --> 01:09:20.382
things in our Meta performance reviews.

01:09:20.892 --> 01:09:22.452
And so things like

01:09:23.067 --> 01:09:28.647
the Async React working group and doing,
like a lot of the other stuff that they're

01:09:28.647 --> 01:09:35.907
doing shows me how much they care about
keeping React working for the community.

01:09:36.207 --> 01:09:38.517
I've got my gripes,
everyone's got their gripes.

01:09:38.547 --> 01:09:44.967
Nothing's perfect, but it's not for
lack of effort and care on their

01:09:44.967 --> 01:09:48.597
part, and that's the part that
actually encourages me the most.

01:09:49.137 --> 01:09:53.387
And so, the React2Shell
vulnerability is a big bummer

01:09:53.537 --> 01:09:54.947
and it's gonna cause problems.

01:09:55.277 --> 01:09:59.867
I, Carl and I were briefly chatting
with Ricky and as Carl said, hug ops.

01:09:59.867 --> 01:10:01.975
I feel a lot of sympathy for
what they've been having to go

01:10:01.975 --> 01:10:03.655
through the last couple weeks.

01:10:04.155 --> 01:10:09.345
But yeah, even with that in mind, I am
actually excited and positive about the

01:10:09.345 --> 01:10:11.925
direction of React itself going into 2026.

01:10:12.425 --> 01:10:14.305
Carl: Yeah, I think I
would agree with that.

01:10:14.370 --> 01:10:16.945
I, I read your blog post
that you never published.

01:10:17.015 --> 01:10:21.635
I printed it like an attempt at like,
editing and maybe salvage parts that were

01:10:21.665 --> 01:10:26.369
less ranty and, you know, salvage seems
mean, not salvage, but help process.

01:10:26.665 --> 01:10:28.525
And yeah, it was not inaccurate.

01:10:29.155 --> 01:10:30.425
So, I would agree.

01:10:30.500 --> 01:10:32.285
I I never saw the foundation coming.

01:10:32.855 --> 01:10:36.475
It's like retroactively, I
don't know, validating or like.

01:10:36.975 --> 01:10:40.245
It's good to know that they were
thinking about this for a long time.

01:10:40.795 --> 01:10:46.015
I relate to the thought of exploring an
idea and then realizing like, "oh, in

01:10:46.015 --> 01:10:51.885
order to do this, in order to accomplish
our goals here, we have to do this

01:10:51.885 --> 01:10:56.749
hard project first." That rhymes with
a lot of things I've done in my life.

01:10:56.809 --> 01:10:59.059
And so, like fuck yeah.

01:10:59.059 --> 01:11:02.029
For putting the work in, like
working for several years to

01:11:02.029 --> 01:11:05.459
like test the process and yeah.

01:11:05.459 --> 01:11:08.239
I mean, I guess we'll see.
Remains to be seen quite how

01:11:08.239 --> 01:11:09.649
successful they were at that.

01:11:10.129 --> 01:11:13.829
Mark: But I absolutely respect the intent
and the effort to make that happen.

01:11:14.329 --> 01:11:16.519
Carl: Yes, it is a
massive amount of effort.

01:11:16.519 --> 01:11:17.529
Like, it's tough.

01:11:17.799 --> 01:11:19.539
Well, I'm excited to see how that goes.

01:11:19.939 --> 01:11:21.529
Yeah, it's been an interesting year.

01:11:21.594 --> 01:11:21.834
I don't know.

01:11:21.834 --> 01:11:25.224
I'm trying to think of how
to like summarize this year.

01:11:25.724 --> 01:11:29.864
'Cause like we've been talking about
server components for a long time.

01:11:29.984 --> 01:11:32.474
I still don't have firsthand
experience with them.

01:11:33.089 --> 01:11:33.539
Mark: Neither.

01:11:33.569 --> 01:11:36.014
'cause I don't write, I don't
write front end apps these days.

01:11:36.614 --> 01:11:37.184
Carl: Yeah.

01:11:37.550 --> 01:11:41.280
I just saw somebody chatting about
maybe I need to just pair program with

01:11:41.280 --> 01:11:44.280
Effect, so I understand it and I was
like, Ooh, you're the person who talked

01:11:44.280 --> 01:11:47.280
about RSCs and like, maybe we should
just do a knowledge transfer there.

01:11:47.800 --> 01:11:48.610
So maybe I'll do that.

01:11:48.790 --> 01:11:51.780
But yeah, it's been quite a year.

01:11:51.780 --> 01:11:52.050
I don't know.

01:11:52.050 --> 01:11:55.260
In some ways it's like legitimizing
the fact that they've had a major

01:11:55.260 --> 01:11:58.920
vulnerability in React is like somewhat
legitimizing, like, welcome to the

01:11:58.920 --> 01:12:06.490
party, welcome to the list of world class
engineering projects that have caused

01:12:06.490 --> 01:12:09.010
security people a huge headache for a day.

01:12:09.510 --> 01:12:12.090
And the rest of the ecosystem
headaches for months.

01:12:12.353 --> 01:12:13.854
But remains to be seen.

01:12:13.974 --> 01:12:17.204
If it actually is good, I guess
we'll just keep paying attention to

01:12:17.204 --> 01:12:18.584
it and talking about it on the air.

01:12:19.084 --> 01:12:19.474
Mark: All right.

01:12:19.474 --> 01:12:22.714
Well, how do you feel about just lightning
rounding everything from here on out?

01:12:23.214 --> 01:12:24.234
Carl: Let's blast through it.

01:12:24.734 --> 01:12:27.760
Mark: One of the big announcements
from earlier this year was that TS was

01:12:27.760 --> 01:12:31.990
being ported to Go and it was gonna be
released as TypeScript version seven.

01:12:32.530 --> 01:12:35.980
And so the TypeScript team put out
a big update post, basically saying

01:12:35.980 --> 01:12:40.510
that there will be a TS 6.0 based
off all the same current code base.

01:12:40.840 --> 01:12:44.920
There will be a bunch of deprecation
and strict mode changes and

01:12:44.920 --> 01:12:48.970
other, like, we think modern
TypeScript should be written this way.

01:12:49.090 --> 01:12:50.290
Settings changes.

01:12:50.790 --> 01:12:54.270
And then there will be no TS 6.1.

01:12:54.480 --> 01:12:59.700
The next big release would
be TS 7.0, the native build.

01:13:00.170 --> 01:13:05.640
So great to see both progress being made
and that this is happening and that we

01:13:05.640 --> 01:13:07.230
have a direction for all this stuff.

01:13:07.595 --> 01:13:08.195
Carl: Very cool.

01:13:08.645 --> 01:13:12.955
Yeah, quick roundup of some GitHub,
this all fits under a Microsoft

01:13:12.955 --> 01:13:17.630
umbrella, funnily but NPM, GitHub, some
user experience and whatever stuff.

01:13:17.690 --> 01:13:23.455
So, NPM, after several vulnerabilities
actually revoked every classic token.

01:13:23.735 --> 01:13:26.975
Classic tokens are no longer valid at all.

01:13:27.480 --> 01:13:32.220
Which should make generally, like
they had to do that because of all

01:13:32.220 --> 01:13:35.120
of the vulnerabilities that were, all
of the phishing attacks that were

01:13:35.120 --> 01:13:37.530
targeting well-known maintainers.

01:13:37.560 --> 01:13:42.060
So like this needed to happen
because it had become clear that

01:13:42.060 --> 01:13:46.830
NPM maintainers had been hacked in a
much, much greater quantity than had

01:13:46.830 --> 01:13:49.170
been, than those tokens had been used.

01:13:49.590 --> 01:13:53.400
There was a follow-up attack like two
weeks later because, like GitHub and

01:13:53.400 --> 01:13:58.940
NPM, GitHub, who owns NPM (and is owned
by Microsoft) put out a notice that

01:13:58.940 --> 01:14:02.360
they were going to revoke all of the
tokens because of this problem, which is

01:14:02.360 --> 01:14:06.530
wonderful, and you need to give people
time to respond to that and update their

01:14:06.530 --> 01:14:08.510
code and prevent downtime and whatever.

01:14:08.810 --> 01:14:12.890
But it also gives the attackers who
have those compromised tokens, a

01:14:12.890 --> 01:14:14.630
window of time in which to use them.

01:14:14.740 --> 01:14:15.760
And so that did happen.

01:14:15.760 --> 01:14:18.700
They did in fact, use more of the
tokens that they had previously

01:14:18.700 --> 01:14:22.330
collected, I think like one day
before they got invalidated.

01:14:22.330 --> 01:14:23.800
So, eh, that sucks.

01:14:24.200 --> 01:14:25.546
But should stop happening.

01:14:25.576 --> 01:14:28.006
This is a huge positive change.

01:14:28.006 --> 01:14:32.086
Hopefully this means that 2026,
we will not continually be

01:14:32.086 --> 01:14:36.316
reporting on yet another new
vulnerability in NPM publishing.

01:14:36.736 --> 01:14:37.216
Maybe.

01:14:37.556 --> 01:14:41.216
Also you should consider using PNPM
because it lets you do things like

01:14:41.216 --> 01:14:45.396
minimum delay time before you start
using a new version that was released

01:14:45.516 --> 01:14:49.476
and also lets you, I think by default
it does not run post install, or

01:14:50.076 --> 01:14:54.046
there's various scripts that open
vulnerabilities that PNPM does not

01:14:55.466 --> 01:14:58.761
Mark: I, I actually went through
what, a week and a half ago, my own

01:14:58.761 --> 01:15:01.041
Redux library publishing workflow.

01:15:01.041 --> 01:15:05.901
I, I'd always done all my releases
locally and we had set up a GitHub

01:15:05.901 --> 01:15:08.451
actions workflow a while back,
so some of the other maintainers

01:15:08.451 --> 01:15:09.921
could publish more easily.

01:15:10.201 --> 01:15:15.781
Turns out those releases got tagged
with Trusted, and then I did more

01:15:15.781 --> 01:15:19.291
releases locally that were not,
and we actually had a couple people

01:15:19.291 --> 01:15:25.351
complain that PNPM said, oh no,
Redux Toolkit isn't trusted anymore.

01:15:26.221 --> 01:15:27.061
complaining about that.

01:15:27.421 --> 01:15:32.101
So I actually, with that and with the
token deprecation, I actually went through

01:15:32.101 --> 01:15:37.871
a week and a half ago and did a bunch
of GitHub Actions hardening, changed some

01:15:37.871 --> 01:15:42.701
of the publish workflow and figured out,
okay, what I can do is I can use Release

01:15:42.701 --> 01:15:48.071
it to do the tag and push, and then I
will actually kick off the publish itself

01:15:48.101 --> 01:15:50.681
as the a, the workflow in the repo.

01:15:51.051 --> 01:15:55.431
And so then it's actually trusted and
tagged according, and flagged accordingly.

01:15:55.931 --> 01:15:56.621
Carl: Interesting.

01:15:56.711 --> 01:15:57.401
Oh, that's funny.

01:15:57.401 --> 01:15:58.421
That's deep in the weeds.

01:15:58.507 --> 01:16:01.797
Mark: Basically, I'm not doing the
literal publish step from my own machine.

01:16:01.797 --> 01:16:03.657
It's happening from within GitHub Actions.

01:16:04.077 --> 01:16:04.497
Carl: Got it.

01:16:04.677 --> 01:16:05.067
Cool.

01:16:05.067 --> 01:16:05.667
Interesting.

01:16:06.277 --> 01:16:06.457
Yeah.

01:16:06.457 --> 01:16:09.397
Well, speaking of GitHub Actions,
Jared Palmer, who is a, like

01:16:09.397 --> 01:16:11.347
pretty, he's a huge name in React.

01:16:11.407 --> 01:16:14.437
He did Formik, he did Turborepo.

01:16:14.467 --> 01:16:15.307
He did Turbopack.

01:16:15.307 --> 01:16:16.137
He worked on

01:16:16.137 --> 01:16:16.827
Mark: V0.

01:16:17.092 --> 01:16:21.742
Carl: I actually did a job interview
with him circa 20, oh my God.

01:16:21.742 --> 01:16:24.732
17. And yeah, holy shit.

01:16:24.732 --> 01:16:25.572
Jesus.

01:16:25.752 --> 01:16:29.712
And he was, he is genuinely a
very sharp dude, so I am not

01:16:29.712 --> 01:16:31.002
at all surprised to see him

01:16:31.502 --> 01:16:33.722
take the reins in a more serious capacity.

01:16:33.722 --> 01:16:38.298
Like he was doing, like I met him when he
was working like at his dad's business,

01:16:38.298 --> 01:16:41.358
and then he did his own business, and
then he did like three more businesses

01:16:41.358 --> 01:16:46.218
before working for Vercel, and now
he's fucking PM of one of the most

01:16:46.578 --> 01:16:48.678
visible parts of the developer world.

01:16:48.678 --> 01:16:49.488
And like yeah.

01:16:49.548 --> 01:16:51.738
Earned it so thoroughly earned.

01:16:51.738 --> 01:16:52.548
Fuck yeah Jared.

01:16:53.098 --> 01:16:57.828
And I love this because he's
immediately coming through and talking

01:16:57.828 --> 01:17:01.818
about a bunch of things that I've
wanted to see in for a long time.

01:17:02.418 --> 01:17:05.698
So like, GitHub Actions, they're great,
but they're, they all, they're also awful.

01:17:06.178 --> 01:17:10.648
They enable so much great
stuff and I hate using them.

01:17:11.102 --> 01:17:16.402
He was responding to, uh, ThePrimeagen,
who was a very prolific tech YouTuber

01:17:16.402 --> 01:17:20.632
as well as uh, Jamon Holmgren, who, fun
fact, previously sponsored this podcast,

01:17:21.182 --> 01:17:27.237
with a really long, basically a blog post
on Twitter with citations talking about

01:17:27.237 --> 01:17:31.137
the work that they're looking to do to
make GitHub Actions better in general.

01:17:31.417 --> 01:17:32.137
So that's really cool.

01:17:32.167 --> 01:17:35.137
Like, I'm gonna see if I can
quickly summarize some of this.

01:17:35.637 --> 01:17:35.907
Eh?

01:17:36.237 --> 01:17:38.062
Oh, this is like, no,
these are pretty deep

01:17:38.087 --> 01:17:39.432
Mark: in in, in the weed stuff.

01:17:39.432 --> 01:17:42.252
But they intend to do a lot
of stuff to make GitHub Actions

01:17:42.252 --> 01:17:43.752
better at a technical level.

01:17:44.212 --> 01:17:48.592
Unfortunately, shortly after that,
they also announced a price increase

01:17:48.592 --> 01:17:54.352
for both standard GitHub Actions and
cases where you're using GitHub Actions

01:17:54.352 --> 01:17:57.772
to kick off your own job runners.

01:17:58.042 --> 01:18:02.692
And the reasons listed were
understandable, like it takes money to

01:18:02.692 --> 01:18:08.482
run the control servers, even if they
aren't the ones executing the actual jobs.

01:18:09.052 --> 01:18:13.672
But the way they announced that this
got a bunch of blowback, and so like 24

01:18:13.672 --> 01:18:18.592
hours later, they're like, Nope, nope,
halt, revert, undo, cancel, cease, desist.

01:18:19.117 --> 01:18:19.477
Carl: Yep.

01:18:19.777 --> 01:18:23.267
Which again, like I gotta say,
Jared Palmer was the one messaging

01:18:23.267 --> 01:18:25.187
that, and I think he did a good job.

01:18:25.217 --> 01:18:28.577
Like, he says, "we missed the opportunity
to gather feedback from the community

01:18:28.577 --> 01:18:31.907
ahead of this move. We'll learn and
do better." And like, we were talking

01:18:31.907 --> 01:18:33.917
about, like not being defensive earlier.

01:18:34.007 --> 01:18:36.707
Like, this is a great example of
like not being defensive, just saying

01:18:36.707 --> 01:18:38.387
like, yep, here's what we did wrong.

01:18:38.777 --> 01:18:40.847
We get it, we're gonna
do something differently.

01:18:41.347 --> 01:18:41.707
Love it.

01:18:41.887 --> 01:18:42.187
Great.

01:18:42.797 --> 01:18:48.882
Yeah, on the pricing there was a lot of,
you know, low effort punches below the

01:18:48.882 --> 01:18:53.652
belt in the vein of like, "how are they
gonna charge for self-hosted runners?"

01:18:53.652 --> 01:18:54.852
And it's like, well come on.

01:18:54.882 --> 01:18:55.792
Like, alright.

01:18:55.792 --> 01:18:59.002
It's not their CPU time, but
like, you're taking advantage of

01:18:59.502 --> 01:19:03.402
a lot of other infrastructure
to get to the point where that

01:19:03.402 --> 01:19:04.932
runner is executing on your code.

01:19:04.932 --> 01:19:07.032
Like sure, the marginal cost.

01:19:07.252 --> 01:19:09.182
Mark: Free infrastructure
will always be abused.

01:19:09.682 --> 01:19:10.312
Carl: Right, right.

01:19:10.342 --> 01:19:13.102
Anything always has two things.

01:19:13.102 --> 01:19:15.562
It's got the, the marginal cost of
running it, and then it's got the

01:19:15.562 --> 01:19:18.052
capital expenditure of building
it and they built the fuck out of

01:19:18.052 --> 01:19:19.282
this and they're still building it.

01:19:19.282 --> 01:19:21.342
So like, no, it's not free.

01:19:21.552 --> 01:19:24.972
It's not free just because you
are covering the marginal cost.

01:19:25.332 --> 01:19:27.342
So, settle out, settle down.

01:19:27.912 --> 01:19:32.052
If somebody says this should be
free because I'm running it on my

01:19:32.052 --> 01:19:33.717
server, like, chill the fuck out.

01:19:33.717 --> 01:19:35.532
You don't understand how business works.

01:19:35.892 --> 01:19:38.922
You're too narrowly focused
on the one technical aspect.

01:19:39.112 --> 01:19:40.252
Broaden your perspective.

01:19:40.752 --> 01:19:41.052
Anyway.

01:19:41.102 --> 01:19:43.412
Last thing on GitHub.

01:19:43.812 --> 01:19:44.562
So excited.

01:19:44.562 --> 01:19:46.122
One more thing from Jared Palmer.

01:19:46.152 --> 01:19:46.662
Yay.

01:19:46.972 --> 01:19:49.702
They are sending out a
proposal for Stacked Diffs.

01:19:49.982 --> 01:19:53.297
If you're not familiar with, if when
I said Stacked Diffs you didn't go,

01:19:53.777 --> 01:19:58.627
"oh my God, they're doing it," then,
stacked diffs is a way of communicating

01:19:58.627 --> 01:20:03.427
to GitHub that this PR depends on
this PR, which depends on this PR,

01:20:03.767 --> 01:20:05.177
so you, you can do this yourself.

01:20:05.207 --> 01:20:10.897
You can branch off main, do some
work, push, open a pull request,

01:20:11.047 --> 01:20:16.297
and then from that branch continue
doing new work and push another

01:20:16.357 --> 01:20:18.247
Mark: On a third, on a second branch.

01:20:18.577 --> 01:20:21.187
Carl: Right, based on that first branch.

01:20:21.187 --> 01:20:25.237
So like, you do, let's say you commit
four times and you push that branch,

01:20:25.387 --> 01:20:28.627
then you do another branch that includes
those four commits that are not yet

01:20:28.627 --> 01:20:32.977
merged yet and do four more commits
and you push that and make a PR.

01:20:33.527 --> 01:20:34.947
That is my preferred way of working.

01:20:35.627 --> 01:20:41.417
I really like saying, "I made these
changes. They're ready for review. I'm

01:20:41.417 --> 01:20:47.357
gonna keep using them locally while
review happens, and CI and CD, all the

01:20:47.357 --> 01:20:51.287
validation steps, but I'm gonna keep using
it." So my next change is I don't have

01:20:51.287 --> 01:20:55.077
to reintegrate them after this merges.

01:20:55.717 --> 01:21:01.417
And it is a really frustrating dance
to do on GitHub because like, I, I

01:21:01.417 --> 01:21:02.917
also like to do squash and merge.

01:21:03.257 --> 01:21:06.347
So that I have like, great, here's
the record of every change I made

01:21:06.347 --> 01:21:11.327
in the PR, but I only care that
about the one higher level change.

01:21:11.327 --> 01:21:15.047
It's, I'm thinking about it in a different
level of, of abstraction after it merges

01:21:15.276 --> 01:21:18.752
Mark: And then when you merge the
first PR, the four actual commits

01:21:18.752 --> 01:21:20.342
get squashed to a new commit.

01:21:20.342 --> 01:21:24.182
And then the second PR's branch now
has no relation to the history.

01:21:24.542 --> 01:21:26.222
And how do you keep track of it?

01:21:26.222 --> 01:21:30.452
How do you update the second PR to
now point to main da, da, da, da.

01:21:30.834 --> 01:21:34.941
Carl: And in my experience, I have
about a hundred percent incidence of

01:21:34.971 --> 01:21:38.601
merge conflicts after that, because
they're technically different

01:21:38.601 --> 01:21:42.351
commits. Git does not know that
they are the same changes.

01:21:42.591 --> 01:21:46.701
It just knows that two branches
touched the same lines of code

01:21:47.031 --> 01:21:48.891
with different commit hashes.

01:21:48.891 --> 01:21:50.451
So like, I don't know, that's a conflict.

01:21:50.481 --> 01:21:51.591
You gotta fix it yourself.

01:21:51.951 --> 01:21:53.231
So, basically it just sucks.

01:21:53.231 --> 01:21:56.171
You have to go through, like,
you have to like check out the

01:21:56.231 --> 01:21:57.641
branch in your local computer

01:21:58.211 --> 01:21:59.861
Mark: Reset it, re-push, something.

01:22:00.030 --> 01:22:04.170
Carl: Skip the commits that got
squashed, push that, check out the next

01:22:04.170 --> 01:22:05.940
branch that was based on that branch.

01:22:05.940 --> 01:22:10.020
You just now updated and pushed and
like, it was just a really manual dance

01:22:10.560 --> 01:22:12.270
of going through every single time.

01:22:12.720 --> 01:22:17.690
And I, that has been my preferred
mode of working since 2016.

01:22:18.110 --> 01:22:22.660
Like stacked diffs is a term that
I have used to describe my workflow

01:22:23.160 --> 01:22:25.170
for close to 10 years at this point.

01:22:25.530 --> 01:22:29.640
And people have been demanding it
on GitHub for almost that long.

01:22:29.640 --> 01:22:34.360
So like, to see this actually happening
is like, I feel like the Rand Paul

01:22:34.360 --> 01:22:37.290
gif: it's happening, I'm so excited.

01:22:37.290 --> 01:22:38.070
This is so good.

01:22:38.417 --> 01:22:40.487
Well, I'm excited to
see the possibilities.

01:22:40.487 --> 01:22:41.807
We'll see what actually happens.

01:22:42.482 --> 01:22:45.602
Mark: And then one last ecosystemy
thing, and it's amazing that

01:22:45.602 --> 01:22:46.682
so much happened this month.

01:22:46.682 --> 01:22:48.632
It's almost an afterthought at this

01:22:49.052 --> 01:22:53.862
but a, a very small company
called Anthropic bought a

01:22:53.862 --> 01:22:56.592
little known tool called Bun.

01:22:57.092 --> 01:22:57.452
Carl: Woo.

01:22:57.662 --> 01:22:58.202
Yeah.

01:22:58.322 --> 01:22:58.712
Great.

01:22:58.932 --> 01:23:01.635
There's some chatter about like,
what, this doesn't make any sense.

01:23:02.005 --> 01:23:05.815
But apparently Anthropic has
invested pretty heavily in

01:23:05.815 --> 01:23:07.765
using Bun in Claude Code.

01:23:08.195 --> 01:23:12.425
And I don't know exactly what
precipitated this deal at this time,

01:23:12.645 --> 01:23:14.595
Mark: Might have even just
been like literally like them

01:23:14.595 --> 01:23:16.485
chatting in person or something.

01:23:16.808 --> 01:23:19.643
Carl: Actually, if I recall correctly,
the, the Bun blog post actually

01:23:19.643 --> 01:23:24.343
goes pretty, it speaks pretty
candidly about why they did this.

01:23:24.443 --> 01:23:27.533
And the, the TLDR is that they
are a venture backed business.

01:23:27.533 --> 01:23:30.623
They took funding and that
means that they need to return

01:23:30.623 --> 01:23:31.913
a multiple to their investors.

01:23:31.913 --> 01:23:36.623
They need to exit as a business, they
need to provide liquidity to their

01:23:36.623 --> 01:23:39.293
investors at a multiple of what they took.

01:23:39.723 --> 01:23:43.743
Which means either building a business
that makes enough money that people value

01:23:43.743 --> 01:23:45.993
it higher than what it was created for.

01:23:46.203 --> 01:23:50.283
Or you build something valuable enough
that a larger business that is much larger

01:23:50.343 --> 01:23:57.083
and successful and producing revenue and
whatever sees you and goes, we need this.

01:23:57.173 --> 01:24:01.943
We need this so badly, we're gonna
buy it from you and it's ours now.

01:24:02.003 --> 01:24:02.753
And so that's what happened.

01:24:02.753 --> 01:24:04.763
This was an acquihire situation.

01:24:04.813 --> 01:24:06.163
Bun did not have revenue.

01:24:06.163 --> 01:24:07.483
They did not have a business plan.

01:24:07.483 --> 01:24:10.843
They did not have a path to revenue
or a path to a business plan.

01:24:11.483 --> 01:24:14.413
The closest they ever
had was sell one day.

01:24:14.933 --> 01:24:17.543
And I think that made a lot
of sense in 2022, and it makes

01:24:17.543 --> 01:24:19.883
a lot less sense in 2026.

01:24:20.192 --> 01:24:22.982
So I think it was the
writing was on the wall.

01:24:23.222 --> 01:24:27.332
Presumably there was some kind of
like funding milestone or, runway

01:24:27.392 --> 01:24:31.462
check-in that they did and were
like "uh-oh" and shopped it around.

01:24:31.462 --> 01:24:32.032
Got acquired.

01:24:32.242 --> 01:24:32.722
Love it.

01:24:32.722 --> 01:24:33.292
It's great.

01:24:33.342 --> 01:24:37.235
I am happy to see open
source capture value.

01:24:37.235 --> 01:24:42.295
Open source is really bad at getting
anything close to the value it generates

01:24:42.355 --> 01:24:45.625
in the form of money for its maintainers.

01:24:45.865 --> 01:24:48.985
So I'm happy to celebrate any
instance of that happening.

01:24:49.115 --> 01:24:50.885
I hope it will happen for more people.

01:24:50.885 --> 01:24:51.805
Cool.

01:24:52.295 --> 01:24:53.015
I wanna talk about this.

01:24:53.015 --> 01:24:53.945
SVG ClickJacking.

01:24:53.945 --> 01:24:54.155
This is

01:24:54.155 --> 01:24:54.325
Mark: really

01:24:54.325 --> 01:24:55.045
Go for it!

01:24:55.594 --> 01:24:56.554
Carl: Who published this?

01:24:56.554 --> 01:24:57.694
I wanna credit them by name.

01:24:58.034 --> 01:25:02.904
I guess they only introduce themselves as
Lyra, so that's all I will name them as.

01:25:03.114 --> 01:25:05.634
But they, they appear to be
doing, they appear to blog about

01:25:05.634 --> 01:25:08.684
some security things in general.

01:25:08.864 --> 01:25:11.144
And this is like such a fun exploit.

01:25:11.174 --> 01:25:11.894
This is taking

01:25:11.894 --> 01:25:13.614
Mark: It was an insanely good post.

01:25:13.634 --> 01:25:13.904
Carl: Yeah.

01:25:13.904 --> 01:25:15.134
Such a good post.

01:25:15.134 --> 01:25:18.935
Like I talk about how I love reading
technical write-ups about things,

01:25:18.935 --> 01:25:25.715
and this is like a legitimately novel
exploit technique using a tool that I

01:25:25.715 --> 01:25:31.565
would've never considered to even have
a risk of an exploit of this caliber.

01:25:31.955 --> 01:25:37.015
Anyway, so it's, they're using
SVG filters, which let you do

01:25:37.075 --> 01:25:40.585
some fancy visual effects on
your website in, in general,

01:25:40.680 --> 01:25:42.870
Mark: like calculating
pixel colors, basically.

01:25:43.464 --> 01:25:46.384
Carl: The first thing they do is like,
"oh, we can use this to make liquid

01:25:46.384 --> 01:25:51.064
SVGs" because it lets us do fun, like
shimmery effects because of how you can

01:25:51.064 --> 01:25:54.664
access the pixel data on your webpage on.

01:25:54.724 --> 01:25:56.384
And like, it's rare.

01:25:56.384 --> 01:26:00.554
There are not that many tools on
the web, like not many platform

01:26:00.554 --> 01:26:05.954
features enable you to retrieve
pixel values of the rendered page.

01:26:05.984 --> 01:26:08.294
Like that's not trivial to do elsewhere.

01:26:08.874 --> 01:26:15.374
And anyway, summarizing all of this
is to say that an old vulnerability

01:26:15.374 --> 01:26:19.704
known as ClickJacking, where, it used
to be that like in the nineties you

01:26:19.704 --> 01:26:24.324
would go to click like an okay button
or like a download button, and secretly

01:26:24.324 --> 01:26:27.774
there was a layer on top of that that
you couldn't see that was injected

01:26:27.774 --> 01:26:31.224
by like a malicious advertisement
and you thought you were clicking

01:26:31.224 --> 01:26:34.164
download on this thing, but you were
actually clicking download on malware.

01:26:34.674 --> 01:26:36.834
And that's been pretty
effectively defended against

01:26:36.834 --> 01:26:39.534
for 15 years, I would say.

01:26:39.834 --> 01:26:43.334
Like iframes got, really the
reason iframes are so clamped down

01:26:43.334 --> 01:26:46.154
is because there were a bunch of
possible ClickJacking attempts

01:26:46.454 --> 01:26:48.644
like attacks using iframes.

01:26:48.674 --> 01:26:53.914
And so this is a new way, the,
the way that SVG filters let you

01:26:53.914 --> 01:27:00.684
inspect pixels and modify, modify
the visuals for a certain output.

01:27:01.184 --> 01:27:04.514
Lets you layer things over in
ways that you couldn't do be,

01:27:04.754 --> 01:27:05.984
you can't do any other way.

01:27:05.984 --> 01:27:09.960
So it's a, it's a, an old attack that
I had generally considered to be like,

01:27:10.020 --> 01:27:11.070
I don't think about this anymore.

01:27:11.100 --> 01:27:13.246
It doesn't happen in my experience.

01:27:13.246 --> 01:27:15.106
Like, I have never encountered
this professionally.

01:27:15.476 --> 01:27:19.996
Here's somebody doing a writeup explaining
how to do it with a brand new technology.

01:27:19.996 --> 01:27:22.036
This is a really, really
fantastic writeup.

01:27:22.036 --> 01:27:26.416
I would absolutely recommend reading
it because it's like fun and silly and

01:27:26.446 --> 01:27:31.936
genuinely cutting edge and cross domain
because it's really advanced security

01:27:31.936 --> 01:27:36.367
stuff using on visual things that I
would've never thought had a security

01:27:36.583 --> 01:27:40.279
Mark: The phrase that got me was,
they were treating pixel analysis

01:27:40.279 --> 01:27:46.879
and creating like AND, NAND, OR logic gate equivalents out of SVG filters.
Gate equivalents out of SVG filters.

01:27:47.379 --> 01:27:48.489
Carl: Yeah, right.

01:27:48.784 --> 01:27:49.899
Oh, oh my God.

01:27:50.229 --> 01:27:50.669
That's crazy.

01:27:50.719 --> 01:27:50.809
With

01:27:50.809 --> 01:27:51.599
Mark: demos in the blog post.

01:27:52.099 --> 01:27:52.579
Carl: Yeah.

01:27:52.879 --> 01:27:55.939
Like not only is this a really
interesting security attack, and

01:27:55.939 --> 01:27:59.029
not only is the writeup really
effective, but it's also a really

01:27:59.029 --> 01:28:01.399
technically well produced blog post.

01:28:01.609 --> 01:28:04.609
So, I don't know, just like this
is, this like, came outta nowhere.

01:28:04.609 --> 01:28:06.139
I've never heard of this person before.

01:28:06.139 --> 01:28:10.048
It's like a nineties-esque
style and everything, it's a

01:28:10.053 --> 01:28:11.233
really phenomenal blog post.

01:28:11.293 --> 01:28:11.953
Highly recommend.

01:28:12.133 --> 01:28:15.733
Anyway, that's way too much time for
one. So much for lightning this stuff.

01:28:15.733 --> 01:28:16.723
Mark: Okay, moving right along.

01:28:16.773 --> 01:28:22.503
Dan Abramov has put together a server
component explorer that lets you

01:28:22.503 --> 01:28:28.413
see examples of an app and the data
and the progression of the loading.

01:28:28.773 --> 01:28:33.993
And he also put up a blog post explaining
why he built this and how it works, and

01:28:33.993 --> 01:28:36.316
some links to example demos as well.

01:28:36.752 --> 01:28:42.662
And speaking of meaningful uses of
server components, somebody built a

01:28:42.662 --> 01:28:50.042
clone of the GitHub repo code Explorer
view entirely using server components.

01:28:50.222 --> 01:28:54.872
And I clicked through a couple repos
like the React repo using this viewer.

01:28:55.412 --> 01:29:01.892
It loaded instantly, like I was stunned
at how fast it was in comparison to

01:29:01.892 --> 01:29:07.812
like the actual GitHub. Like that right
there is actually a powerful example of

01:29:07.812 --> 01:29:09.522
why server components could be useful.

01:29:10.022 --> 01:29:14.612
And then Kent C Dodds put up a
blog post with his thoughts on why

01:29:14.612 --> 01:29:19.292
he likes React Router's approach
to bringing in server components.

01:29:19.842 --> 01:29:20.922
Changing topics.

01:29:20.952 --> 01:29:25.482
An author who I had not seen at all, but
I, I looked up his name as Andrew Patton,

01:29:25.872 --> 01:29:29.622
put, put up two very good blog posts
just like within the last week or two.

01:29:29.962 --> 01:29:35.692
The first one was titled How AI Coding
Agents Hit a Time Bomb in our App.

01:29:36.202 --> 01:29:40.252
And the actual technical problem in
here was that they were using the new

01:29:40.252 --> 01:29:45.552
Activity component in their UI and
Activity does rendering in the background.

01:29:46.182 --> 01:29:53.192
And AI made a tweak to change something
and it ended up doing recursive

01:29:53.192 --> 01:29:55.382
rendering of their footer component.

01:29:55.922 --> 01:29:59.192
But because the footer component rendered
the footer component rendered, the footer

01:29:59.192 --> 01:30:00.692
component rendered the footer component.

01:30:00.962 --> 01:30:04.602
This was all happening invisibly in
the background until the app ran out

01:30:04.602 --> 01:30:06.952
of memory and exploded repeatedly.

01:30:07.462 --> 01:30:12.452
And so it's both interesting in terms of,
here's a real world use of Activity and

01:30:12.452 --> 01:30:18.452
also here's a problem that can come up
and, huh, wow, background rendering, huh?

01:30:18.512 --> 01:30:18.992
Okay.

01:30:18.992 --> 01:30:21.092
Carl: I'll say before we move on
from that earlier I talked about

01:30:21.092 --> 01:30:23.042
how React was basically a scheduler.

01:30:23.072 --> 01:30:23.882
This is why.

01:30:23.982 --> 01:30:27.542
Like, they wanted to avoid tearing
and crashes and things like that.

01:30:27.781 --> 01:30:30.361
They said in the blog post that
they took out the Activity wrapper

01:30:30.361 --> 01:30:32.131
in it and it instantly crashed.

01:30:32.131 --> 01:30:35.791
Like, because it's recursively
rendering out of memory immediately.

01:30:36.161 --> 01:30:40.331
But with Activity, because React is
such a good scheduler, it managed to

01:30:40.331 --> 01:30:45.281
stay functional for minutes before
crashing because it's evaluating what

01:30:45.281 --> 01:30:49.841
resources are available and doing work
only when it doesn't interrupt the user.

01:30:50.181 --> 01:30:55.641
So what naively is an instant crash,
sustained along for minutes because

01:30:55.641 --> 01:30:56.901
React is such a good scheduler.

01:30:56.901 --> 01:30:57.651
Anyway, it's cool.

01:30:58.151 --> 01:31:01.121
Mark: The same author just put up a
post a couple days ago talking about

01:31:01.121 --> 01:31:05.711
how they've been using React compiler
in production for a while, and how the

01:31:05.711 --> 01:31:10.151
compiler does have some limitations
in terms of bits of JavaScript syntax

01:31:10.151 --> 01:31:12.101
or patterns that it struggles with.

01:31:12.381 --> 01:31:15.621
I think one of the, one of the examples
they gave was if you destructure props

01:31:15.681 --> 01:31:20.391
into your component, but then you
reassign a different value to that

01:31:20.391 --> 01:31:25.311
same destructured variable, then the
component, the compiler will give up and

01:31:25.311 --> 01:31:28.251
bail out and not optimize that component.

01:31:28.561 --> 01:31:32.191
It was a good look at using the
compiler in practice, like, not

01:31:32.191 --> 01:31:35.971
even the focus on the performance,
but what is it like behavior wise?

01:31:36.411 --> 01:31:38.781
I've always been a very
big fan of history stuff.

01:31:38.781 --> 01:31:41.031
That's kind of my shtick
at this point, and.

01:31:41.451 --> 01:31:48.471
Someone put together a really long,
really good post titled 30 Years of BR

01:31:48.651 --> 01:31:54.561
Tags, and it's a look back at like all
the history of web development from

01:31:54.561 --> 01:32:02.751
handwritten HTML and Perl and CGI bin
to Web 2.0 and PHP to Java stacks to

01:32:02.751 --> 01:32:04.491
React and Next and everything else.

01:32:04.831 --> 01:32:09.181
It's great to see just the history
of all the pieces and the mindsets

01:32:09.181 --> 01:32:13.531
and the problems and the tools
that we've invented to try to solve

01:32:13.621 --> 01:32:15.601
all those problems in one place.

01:32:15.601 --> 01:32:16.951
I, I love that kind of post.

01:32:17.451 --> 01:32:17.741
Carl: Yeah.

01:32:17.776 --> 01:32:21.326
And uh, Nadia Makarevich did a
really good blog post talking

01:32:21.326 --> 01:32:23.066
about bundle size investigation.

01:32:23.436 --> 01:32:26.046
This is like near and dear
to my professional career.

01:32:26.356 --> 01:32:30.886
I have done this so many times because
if you don't think about bundle size,

01:32:31.186 --> 01:32:33.226
then it will cause you problems.

01:32:33.656 --> 01:32:38.326
This is a really good, like up to
date explanation of the problem.

01:32:38.326 --> 01:32:42.426
You'd naively set up a project and add
a forum and oh my God, it's over five

01:32:42.426 --> 01:32:46.266
megabytes, uncompressed, and still
a megabyte after you compress it.

01:32:46.296 --> 01:32:50.486
So, like it's really a downside
of the JavaScript ecosystem, having

01:32:50.486 --> 01:32:54.596
really good package management is
that it's really easy a lot of code.

01:32:55.086 --> 01:32:59.496
So you have to consciously think about
how to prune the code you're using.

01:32:59.626 --> 01:33:03.796
I feel like I could have read
a blog post like this in 2016.

01:33:03.916 --> 01:33:04.906
I certainly did.

01:33:05.276 --> 01:33:08.966
It's got a good bit talking about
analyzing bundle size and using

01:33:08.966 --> 01:33:15.266
these visualizers to show, to reveal
what is contributing to the overall

01:33:15.266 --> 01:33:19.286
size of the bundle in a nice visual
hierarchical way through like nested

01:33:19.286 --> 01:33:24.565
boxes, tree maps, flame graphs for, I
guess that's more execution time, stack.

01:33:25.165 --> 01:33:26.035
Yeah, really good.

01:33:26.105 --> 01:33:30.415
If you, I don't know, want to be
thoughtful about how much data you're

01:33:30.415 --> 01:33:34.525
sending, this is a good technical
writeup of an expert doing it.

01:33:35.025 --> 01:33:35.315
Cool.

01:33:35.780 --> 01:33:39.830
We've got a big feature
preview for ES 2026.

01:33:39.880 --> 01:33:42.820
This is an article from the New
Stack, which is a, it feels like

01:33:42.820 --> 01:33:46.930
a tech journalism outlet in a
way that is not common at all.

01:33:46.930 --> 01:33:48.440
So, uh, yeah, I appreciate them.

01:33:48.840 --> 01:33:53.070
They put out a, a post talking about
ES 26 solves JavaScript headaches

01:33:53.070 --> 01:33:55.110
with dates, math and modules.

01:33:55.170 --> 01:33:56.545
So love that.

01:33:56.850 --> 01:34:00.540
I have problems with dates,
math and modules all the time.

01:34:00.970 --> 01:34:04.560
I need to, well, I don't, I'm
not finding an actual list of

01:34:04.560 --> 01:34:05.760
things that will be coming out.

01:34:06.070 --> 01:34:09.400
I guess they've got like
a, a better precision for

01:34:09.490 --> 01:34:12.310
summing values and math tools.

01:34:12.360 --> 01:34:13.649
Mark: Temporal is the big one.

01:34:14.074 --> 01:34:15.634
Carl: I am excited for Temporal.

01:34:15.634 --> 01:34:21.684
I'm currently running into a problem
where locally when I do `Date.now()` I

01:34:21.684 --> 01:34:24.414
get something in my local EST time zone.

01:34:24.444 --> 01:34:26.904
But all of the database things are in UTC.

01:34:26.904 --> 01:34:29.814
So it is, there's, it thinks
things are happening at a five

01:34:29.814 --> 01:34:33.414
hour offset from when they are,
which won't happen in production.

01:34:33.504 --> 01:34:35.994
And that's an example of how
JavaScript sucks at dates.

01:34:36.024 --> 01:34:41.334
So I am excited for Temporal
because Date.now should not always

01:34:41.334 --> 01:34:44.234
rely on your system's time zone.

01:34:44.324 --> 01:34:48.014
We need a way to encode time zones
in date objects in JavaScript.

01:34:48.014 --> 01:34:48.644
We need it.

01:34:49.244 --> 01:34:50.144
It's so painful.

01:34:50.644 --> 01:34:51.244
So yeah.

01:34:51.304 --> 01:34:51.754
Exciting.

01:34:52.024 --> 01:34:52.864
Hopefully we'll get that.

01:34:53.239 --> 01:34:57.169
Mark: Recently mentioned examples of
people doing someone did a React reconciler

01:34:57.169 --> 01:35:03.149
for the Dear ImGui tool that's
GUIs for C++ that where, where

01:35:03.149 --> 01:35:05.399
everything gets redrawn, every frame.

01:35:05.819 --> 01:35:12.239
Meanwhile, someone did a React renderer
for controlling Blender with React.

01:35:12.609 --> 01:35:13.384
I think this is als.

01:35:13.744 --> 01:35:16.984
Looking at the examples appear
to be written in Clojure or

01:35:16.984 --> 01:35:19.564
ClojureScript instead of JSX.

01:35:19.834 --> 01:35:22.084
And I think I've seen some posts
from this author where they've

01:35:22.084 --> 01:35:26.374
previously talked about using
React from ClojureScript as well.

01:35:26.824 --> 01:35:30.364
So more examples of things you did
not know you could do with React.

01:35:30.864 --> 01:35:31.299
Carl: Love it.

01:35:31.799 --> 01:35:35.369
I forgot we had this in the document,
and I love that I basically said

01:35:35.369 --> 01:35:36.929
some of the things from it earlier.

01:35:36.989 --> 01:35:43.609
But somebody tweeted about React Fiber
and it's just a really good post.

01:35:43.609 --> 01:35:44.479
It's very long.

01:35:44.479 --> 01:35:46.819
It's very like, casual and silly

01:35:46.819 --> 01:35:49.099
Mark: And blog post in tweet form.

01:35:49.459 --> 01:35:49.909
Carl: Yeah.

01:35:50.159 --> 01:35:50.879
But I, I like it.

01:35:50.879 --> 01:35:52.439
I'm gonna read some passages.

01:35:52.529 --> 01:35:55.259
"React Fiber is honestly one of those
things that people think they get until

01:35:55.259 --> 01:35:56.339
they actually look under the hood.

01:35:56.339 --> 01:35:58.619
And then suddenly the whole thing
feels like some alien technology

01:35:58.619 --> 01:35:59.819
living inside JavaScript.

01:36:00.419 --> 01:36:03.599
Everyone parrots those same cell lines,
like React, like Fiber is the new diffing

01:36:03.599 --> 01:36:05.489
engine, or Fiber is concurrent rendering.

01:36:06.149 --> 01:36:09.599
And it's just so much more deeper
and more deranged than that."

01:36:09.809 --> 01:36:11.229
Like yes it is.

01:36:11.339 --> 01:36:12.609
It's a fucking scheduler!

01:36:12.609 --> 01:36:14.639
Like who reimplements a scheduler?

01:36:14.849 --> 01:36:16.789
It's, you should never do that.

01:36:17.359 --> 01:36:18.199
There's always better.

01:36:18.199 --> 01:36:20.959
There's always more robust
battle-tested schedulers.

01:36:20.989 --> 01:36:24.869
That's like some core
compiler interpreter, computer

01:36:24.869 --> 01:36:26.159
science degree kind of stuff.

01:36:26.159 --> 01:36:27.389
Like don't re-implement those.

01:36:27.389 --> 01:36:28.529
Those are the foundations.

01:36:28.713 --> 01:36:30.543
Mark: The other way to look is
they basically reimplemented

01:36:30.543 --> 01:36:32.733
a JavaScript execution stack.

01:36:32.973 --> 01:36:34.833
Carl: Yeah, they literally did that.

01:36:35.333 --> 01:36:38.123
Like I, I've seen people complain
about how like sometimes when

01:36:38.123 --> 01:36:42.773
you're debugging React stuff, you
can't use certain developer tools

01:36:42.773 --> 01:36:45.593
because React manages its own stack.

01:36:45.893 --> 01:36:46.253
Like

01:36:46.523 --> 01:36:49.188
Mark: Boy, can I tell you about
that one, thank you very much.

01:36:49.188 --> 01:36:51.198
It's what I've done at Replay
for the last few years.

01:36:51.558 --> 01:36:52.008
Carl: right.

01:36:52.218 --> 01:36:56.358
Like it's literally duplicating
logic that like V8 or, I don't,

01:36:56.358 --> 01:36:58.908
I don't remember any of the other
runtimes off the top of my head.

01:36:59.013 --> 01:37:00.263
Mark: Monkey, JSC.

01:37:00.698 --> 01:37:01.328
Carl: Thank you.

01:37:01.388 --> 01:37:06.376
So like it's re-implementing things
that every other JavaScript app

01:37:06.646 --> 01:37:10.306
gets for free from the runtime
environment that it's executing in.

01:37:10.336 --> 01:37:13.816
But because React transcends
individual runtimes, they need to

01:37:13.816 --> 01:37:15.256
re-implement that themselves anyway.

01:37:15.256 --> 01:37:16.006
It's fascinating.

01:37:16.006 --> 01:37:19.416
This is a good little reminder
that like there be dragons in

01:37:19.416 --> 01:37:21.366
this tool that we use constantly.

01:37:21.536 --> 01:37:25.526
Mark: And finally at the two
hour mark in this podcast.

01:37:25.526 --> 01:37:27.746
Thank you for those of you
who have stuck with us.

01:37:27.751 --> 01:37:31.426
Ricky Hanlon's talk on Async React
from React Conf, I think was one of

01:37:31.426 --> 01:37:36.916
the biggest pieces of messaging from
the React team and showing us where

01:37:36.916 --> 01:37:42.106
React has arrived at and where it's
going to go in the next couple years.

01:37:42.526 --> 01:37:48.406
And Aurora Scharff and Jack Herrington have
both done a lot of great work in learning and

01:37:48.406 --> 01:37:50.506
teaching a lot of React concepts, right?

01:37:50.716 --> 01:37:55.276
Aurora has done a lot of conference talks
and blog posts on Modern React features,

01:37:55.316 --> 01:37:57.540
suspense, async behavior, et cetera.

01:37:57.810 --> 01:38:01.530
And so they, they both put up blog
posts on LogRocket within the last

01:38:01.530 --> 01:38:07.290
month or two talking about modern
async React and what does it look like?

01:38:07.320 --> 01:38:09.870
What are the primitives,
how do they fit together?

01:38:10.320 --> 01:38:12.390
How does this actually
improve your code base?

01:38:12.450 --> 01:38:15.780
And what, why should you be
using these things in your apps?

01:38:16.280 --> 01:38:19.520
And with that, I think we
may finally, finally be done

01:38:20.210 --> 01:38:20.780
Carl: We're done.

01:38:21.050 --> 01:38:21.560
We're done.

01:38:21.560 --> 01:38:22.160
We did it.

01:38:22.280 --> 01:38:26.060
We did two hours of talking
about React and by God we got it.

01:38:26.389 --> 01:38:27.799
Mark: Was, was this ever in doubt?

01:38:28.299 --> 01:38:29.799
Carl: I mean, no, it's, yeah.

01:38:29.799 --> 01:38:30.519
This was good.

01:38:30.669 --> 01:38:32.349
I, I'm, I'm happy with this one.

01:38:32.889 --> 01:38:33.249
was good.

01:38:33.369 --> 01:38:34.149
Felt like a good chat.

01:38:34.649 --> 01:38:35.784
Thank you everyone for joining us.

01:38:35.784 --> 01:38:40.524
Even I, I can't believe we still have
what, 10 people here listening to us

01:38:40.574 --> 01:38:42.464
do appreciate you, like genuinely.

01:38:43.074 --> 01:38:48.234
We will be back next month, I guess,
in like six weeks at time of recording.

01:38:48.354 --> 01:38:51.444
But yeah, we'll be back here on
the stage, back in your podcast

01:38:51.444 --> 01:38:52.554
feed just as soon as we can.

01:38:53.054 --> 01:38:54.704
And happy holidays.

01:38:54.734 --> 01:38:55.394
Merry Christmas.

01:38:55.394 --> 01:38:56.204
If you celebrate.

01:38:56.204 --> 01:38:56.894
Happy Hanukkah.

01:38:56.894 --> 01:38:58.019
If you, that's what you celebrate.

01:38:58.519 --> 01:38:59.809
Mark: Happy holidays folks.

01:38:59.809 --> 01:39:01.489
Thanks for listening to us.

01:39:01.489 --> 01:39:04.999
Thanks for being part of Reactiflux
and part of the React community, and we

01:39:04.999 --> 01:39:09.439
continue to hope that hearing the three
of us up here ramble is informative and

01:39:09.469 --> 01:39:13.053
provides value to you as a professional
developer or non-professional

01:39:13.053 --> 01:39:14.403
developer as the case may be.

01:39:14.673 --> 01:39:15.993
Carl: Hopefully it's, I
don't know, entertaining.

01:39:15.993 --> 01:39:17.553
We're, we're some fun personalities.

01:39:18.053 --> 01:39:19.913
We can be, we can be fun and useful.

01:39:20.266 --> 01:39:20.956
Thank you so much.

01:39:21.016 --> 01:39:24.456
If you see anything that is newsworthy
that you think we should discuss let

01:39:24.456 --> 01:39:27.006
us know in the #tech-reads-and-news
channel here in Reactiflux.

01:39:27.066 --> 01:39:30.246
Or you can send me an email
at hello@reactiveflux.com.

01:39:30.816 --> 01:39:32.676
I read everything that comes in,
so if you send it, I'll read it.

01:39:32.881 --> 01:39:35.436
This is a show that you get
value from and wanna support.

01:39:35.436 --> 01:39:38.616
Best way to do so is by submitting
a review on whatever platform you're

01:39:38.616 --> 01:39:42.186
listening to us on, and tell your
friends and coworkers about us.

01:39:42.576 --> 01:39:45.986
Go to a meetup, say, "Hey, I
like this podcast." Awesome.

01:39:46.226 --> 01:39:46.826
Thanks so much.

01:39:46.886 --> 01:39:47.486
See you next month.

01:39:47.986 --> 01:39:48.706
See you year.