React

Next.js 15.5.18 and 16.2.6 land with a 13-advisory bundle covering a React Server Components DoS (CVE-2026-23870), middleware-bypass routes, SSRF, and cache poisoning; Vercel says the WAF cannot reliably block them.

Remix released the Remix 3 beta preview on April 30, the first hands-on cut of a full-stack rebuild that drops React in favor of a Preact fork and brings routing, auth, forms, data, and UI under one package.

Vercel's Next.js 16.2 delivers an 87 percent reduction in dev server startup time, up to 60 percent faster rendering via a React contribution, and introduces experimental tooling that gives AI coding agents direct access to browser DevTools and component trees from the terminal.

Vercel releases Next.js 16.2 with experimental AI agent tooling, a React contribution that speeds up Server Component rendering by up to 350 percent, Turbopack Server Fast Refresh, and over 200 bug fixes.