Supply Chain Alerts, Security Upgrades, and Raycast’s Engine

Welcome to Issue #20! Reaching twenty issues is an incredible milestone, but the software ecosystem never misses a chance to keep us on our toes. This week, we are looking closely at supply chain health, production constraints, and the hidden limits of our architecture.
First up, the TanStack team has provided an incredibly transparent, step-by-step postmortem and follow-up regarding their recent npm registry supply chain compromise. Coupled with Vercel’s urgent May 2026 security release for Next.js, this week serves as an essential reminder to audit dependencies, pin versions, and keep production environment keys locked down tightly.
On the architectural front, we check out a stellar technical breakdown of the new Raycast rewrite, explore why treating React Server Functions as your core API boundary can backfire on security, and analyze the underlying execution footprint of React's incoming <Activity/> primitives. Plus, if you've been putting off shifting from web to native apps, Expo's new case study outlines how to bridge that gap in just one week.
Let’s unpack this week's links.

Postmortem: TanStack npm supply-chain compromise
On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.

Hardening TanStack After the npm Compromise
A companion to our incident postmortem.

From React web to Native in one week
A React web developer's end-to-end journey building a real iOS app in a week with Expo, Claude Code, and Expo Skills. What transferred, what didn't.

Build fast, no matter what: how Expo is optimizing for speed (and how you can, too)
New M4 Mac Minis, compiler caching, and prebuilt binaries are speeding up EAS builds. Learn how to build less often with fingerprints and OTA updates.

A Technical Deep Dive Into the New Raycast
The story behind Raycast's cross-platform rewrite and the details that make it feel fast, delightful, and familiar.

The hidden cost of React.Activity
React.Activity preserves state, but it also tears down and recreates Effects. In React Native, that trade can get expensive fast on heavy screens and list items.

RSC Server Functions Are Not An API Boundary
Long Ho writes and builds around frontend infrastructure, build systems, and product engineering.

Next.js May 2026 security release
Next.js 15.5.18 and 16.2.6 patch 13 security advisories covering middleware bypass, denial of service, SSRF, cache poisoning, and cross-site scripting.
Security and pragmatism are the loudest lessons from this edition. As our modern stacks become increasingly interconnected, the transparency we see from teams like TanStack is what helps the whole community level up securely. Check your package files, run your upgrades, and protect your pipelines.
Have an amazing week of building, and I will see you right here for Issue #21!