Dev Stack Weekly: 2 CVEs (express-rate-limit, Fastify), 97 Updates, ESLint 10.x (Mar 7)
Dev Stack Weekly
React/Next.js Ecosystem Intelligence - March 7, 2026
492 packages scanned | 97 updates detected | 2 CVEs
SECURITY: CVE ALERTS
CVE-2026-30827 - express-rate-limit - Rate Limiting Bypass via IPv4-Mapped IPv6
- Severity: HIGH
- Package: express-rate-limit v8.0.0-8.0.1, v8.1.0, v8.2.0-8.2.1
- Fixed in: v8.0.2, v8.1.1, v8.2.2
- Published: March 6, 2026
- Advisory: GHSA-46wh-pxpv-q5gq
Description: On servers with dual-stack networking (IPv4 + IPv6), attackers can bypass per-client rate limiting by sending requests through IPv4-mapped IPv6 addresses (e.g., ::ffff:192.168.1.1). The rate limiter treats these as different clients from their IPv4 equivalents, effectively doubling the allowed request rate.
Impact: Any Express application using express-rate-limit on a dual-stack server is affected. This is particularly critical for login endpoints, API rate limits, and abuse prevention.
Fix:
npm install express-rate-limit@8.3.0
Urgency: HIGH - Patch immediately if your server handles untrusted traffic with rate limiting.
CVE-2026-3419 - Fastify - Content-Type Validation Bypass
- Severity: MEDIUM
- Package: fastify v5.7.2-5.8.0
- Fixed in: v5.8.1 (v5.8.2 already available)
- Published: March 5, 2026
- Advisory: GHSA-573f-x89g-hqp9
Description: A missing end anchor in the subtypeNameReg regex allows malformed Content-Type headers to pass validation. Crafted payloads like application/json<malicious-suffix> can bypass content-type checks, potentially leading to parser confusion or security filter evasion.
Impact: Fastify servers that rely on content-type validation for security decisions are affected. Standard JSON API servers have low risk, since Fastify's JSON parser handles this gracefully.
Fix:
npm install fastify@5.8.2
Urgency: MEDIUM - Patch at next convenience. Low exploitation risk for typical API servers.
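To make the "missing end anchor" defect concrete, here is an added example (written for this issue, not Fastify's code; the token character class is an assumption approximating RFC 6838 and is not the regex Fastify ships) of a small Content-Type parser. It takes the subtype regex as a parameter so the unanchored and anchored forms can be compared on the same header: the unanchored version accepts `application/json<malicious-suffix>` because it only checks that a valid prefix exists, while the anchored version rejects it.

```javascript
// Added example, not Fastify's implementation: a Content-Type media-type parser
// that shows why a subtype regex needs its `$` end anchor. The character class
// is an assumption approximating RFC 6838 token characters.

// Vulnerable form: matches a valid prefix but never checks what follows it.
const SUBTYPE_UNANCHORED = /^[a-z0-9][a-z0-9!#$&^_.+-]*/i;
// Hardened form: the `$` anchor requires the entire subtype to be valid.
const SUBTYPE_ANCHORED = /^[a-z0-9][a-z0-9!#$&^_.+-]*$/i;
const TYPE_RE = /^[a-z0-9][a-z0-9!#$&^_.+-]*$/i;

// Parse "type/subtype; key=value; ..." into { type, subtype, params }, or
// return null when the header is malformed. The subtype regex is a parameter
// so both forms above can be exercised on identical input.
function parseContentType(header, subtypeRe = SUBTYPE_ANCHORED) {
  if (typeof header !== 'string') return null;
  const [mediaType, ...paramParts] = header.split(';');
  const slash = mediaType.indexOf('/');
  if (slash === -1) return null;
  const type = mediaType.slice(0, slash).trim().toLowerCase();
  const subtype = mediaType.slice(slash + 1).trim().toLowerCase();
  if (!TYPE_RE.test(type) || !subtypeRe.test(subtype)) return null;

  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) return null; // a parameter without "=" is malformed
    const key = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip a quoted-string's quotes
    }
    if (!key) return null;
    params[key] = value;
  }
  return { type, subtype, params };
}

// A security decision built on top of the parser: only exact JSON media types
// (application/json or a +json structured suffix) count, and the anchored
// regex guarantees a merely "json"-prefixed subtype never reaches this point.
function isJsonContentType(header) {
  const parsed = parseContentType(header);
  if (!parsed) return false;
  return parsed.type === 'application' &&
    (parsed.subtype === 'json' || parsed.subtype.endsWith('+json'));
}

// Quick demonstration of the two behaviours on the header shape from the advisory.
function demo() {
  const header = 'application/json<malicious-suffix>';
  return {
    unanchored: parseContentType(header, SUBTYPE_UNANCHORED), // accepted (bug)
    anchored: parseContentType(header),                       // null (rejected)
  };
}
```

The practical lesson for any hand-rolled validator: a regex used as an accept/reject gate must be anchored at both ends, and the check should run before any downstream code (parser selection, allow-lists, WAF-style filters) keys off the parsed value.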
NOTABLE UPDATES
This was a busy week across the ecosystem. 97 packages received updates, with significant activity in AI/ML SDKs, UI component libraries, and developer tooling.
Major Highlights
ESLint 10.0.3 - The ESLint 10.x line continues to stabilize. If you haven't migrated from 9.x yet, the flat config system is now mature enough for production adoption.
react-helmet-async 3.0.0 - Major version bump. Review your SSR head management if upgrading.
recharts 3.8.0 - The recharts 3.x series brings significant API changes from 2.x. Minor update within 3.x.
tRPC 11.12.0 - Coordinated release across @trpc/server, @trpc/client, @trpc/react-query, and @trpc/next. The tRPC ecosystem moves fast.
AI SDK updates - Vercel AI SDK (ai@6.0.116) plus provider packages for Anthropic, OpenAI, and Google all updated. The AI tooling ecosystem remains the most actively developed category.
Updates Table
| Package | Version | Type | Category | Highlights |
|---|---|---|---|---|
| eslint | 10.0.3 | patch | linting | ESLint 10.x stabilization |
| framer-motion | 12.35.1 | patch | animation | Latest in rapid 12.x release cycle |
| recharts | 3.8.0 | minor | charts | Continued 3.x improvements |
| react-helmet-async | 3.0.0 | major | utilities | Major version - review before upgrading |
| @chakra-ui/react | 3.34.0 | minor | ui-components | Chakra v3 continues active development |
| @clerk/nextjs | 7.0.1 | patch | auth | Clerk 7.x early stabilization |
| @trpc/server | 11.12.0 | minor | api-tools | Coordinated tRPC release |
| @mantine/core | 8.3.16 | patch | ui-components | Mantine 8.x patch |
| @mui/material | 7.3.9 | patch | ui-components | MUI 7.x patch |
| @sentry/nextjs | 10.42.0 | minor | logging | Sentry 10.x for Next.js |
| @ai-sdk/anthropic | 3.0.58 | patch | ai-ml | Anthropic provider update |
| ai | 6.0.116 | patch | ai-ml | Vercel AI SDK core |
| openai | 6.27.0 | minor | ai-ml | OpenAI SDK update |
| pg | 8.20.0 | minor | database-orm | PostgreSQL client update |
| hono | 4.12.5 | patch | server | Hono framework patch |
| stripe | 20.4.1 | patch | payments | Stripe SDK patch |
| turbo | 2.8.14 | patch | monorepo | Turborepo patch |
| postcss | 8.5.8 | patch | styling | PostCSS patch |
| @biomejs/biome | 2.4.6 | patch | linting | Biome linter patch |
| dompurify | 3.3.2 | patch | security | XSS sanitizer patch |
ECOSYSTEM INSIGHTS
AI SDK velocity is extraordinary. The @ai-sdk/* family, langchain, and openai packages collectively had 9 updates this week alone. If you're building AI features, pin your versions carefully - this space moves faster than any other category in the ecosystem.
UI library fragmentation continues. Mantine, MUI, Chakra, and Radix/shadcn all received updates this week. The React UI component space shows no signs of consolidation. Pick one and commit.
express-rate-limit CVE is a wake-up call for dual-stack deployments. As IPv6 adoption grows, more applications will inadvertently run on dual-stack networks (especially in cloud environments). Security tooling needs to normalize IP addresses across protocols. Audit any IP-based security logic in your stack.
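The normalization this paragraph asks for, and the mechanism behind the express-rate-limit advisory above, can be shown in a few dozen lines. The following is an added example written for this issue (it is not the newsletter's code and not express-rate-limit's own implementation): a key normalizer that folds every spelling of an IPv4-mapped IPv6 address back to its IPv4 form, so `::ffff:192.168.1.1` and `192.168.1.1` land in the same bucket. The `keyGenerator` option mentioned in the trailing comment is express-rate-limit's documented hook for supplying your own key; how you wire it is up to you.

```javascript
// Added example (not from the newsletter, and not express-rate-limit's code):
// a rate-limit key normalizer that folds IPv4-mapped IPv6 addresses back to
// their IPv4 form, so a dual-stack server counts ::ffff:192.168.1.1 and
// 192.168.1.1 as one client instead of two. No imports, so it runs as-is.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Expand textual IPv6 into eight 16-bit groups (numbers), or null if invalid.
// A trailing dotted IPv4 (the ::ffff:a.b.c.d form) is folded into the last two
// groups first, so every spelling of a mapped address ends up in one shape.
function expandIPv6(addr) {
  let s = addr.toLowerCase();
  const zone = s.indexOf('%'); // zone index (e.g. %eth0) is not client identity
  if (zone !== -1) s = s.slice(0, zone);

  const lastColon = s.lastIndexOf(':');
  const m4 = IPV4_RE.exec(s.slice(lastColon + 1));
  if (m4) {
    const o = m4.slice(1).map(Number);
    if (o.some((n) => n > 255)) return null;
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    s = s.slice(0, lastColon + 1) + hi + ':' + lo;
  }

  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::" is allowed
  const toGroups = (part) => (part === '' ? [] : part.split(':'));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  const elided = 8 - head.length - tail.length; // groups that "::" stands for
  if (halves.length === 2 ? elided < 1 : elided !== 0) return null;
  const fill = halves.length === 2 ? Array(elided).fill('0') : [];
  const groups = [...head, ...fill, ...tail];

  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// Produce the bucket key for a client address. Plain IPv4 comes back
// normalized; an IPv4-mapped IPv6 address in any spelling (dotted, hex, or
// uncompressed) comes back as its IPv4 equivalent; any other IPv6 comes back
// fully expanded in lowercase so textual variants share one bucket. Returns
// null when the input is not an IP address at all.
function normalizeClientIp(ip) {
  const raw = String(ip).trim();
  const m4 = IPV4_RE.exec(raw);
  if (m4) {
    const o = m4.slice(1).map(Number); // an octet like "010" is read as decimal 10
    return o.some((n) => n > 255) ? null : o.join('.');
  }
  const groups = expandIPv6(raw);
  if (!groups) return null;
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  if (mapped) {
    const [hi, lo] = groups.slice(6);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return groups.map((g) => g.toString(16)).join(':');
}

// Minimal in-memory hit counter keyed by the normalized address, standing in
// for the limiter's store: both spellings of one client share a single bucket.
function makeHitCounter() {
  const hits = new Map();
  return (ip) => {
    const key = normalizeClientIp(ip) ?? 'unparseable';
    const n = (hits.get(key) || 0) + 1;
    hits.set(key, n);
    return n;
  };
}

// With express-rate-limit the same normalizer is supplied via its keyGenerator
// option. Behind a reverse proxy, req.ip is only the real client once Express's
// trust proxy setting is configured, otherwise every request shares one key.
//   rateLimit({ ..., keyGenerator: (req) => normalizeClientIp(req.ip) ?? req.ip })
```

Upgrading the package remains the fix; this normalizer is what the audit of your own IP-based logic (allow-lists, lockout counters, geo checks) should look for, since any of those that compare raw address strings has the same doubling problem on a dual-stack host.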
Storybook 10.x is shipping fast - 4 packages updated simultaneously (10.2.16). If you're on Storybook 7.x or 8.x, the migration path to 10.x is well-documented.
UPGRADE PRIORITY MATRIX
| Priority | Package | Action | Effort |
|---|---|---|---|
| URGENT | express-rate-limit | Patch CVE-2026-30827 | 5 min |
| HIGH | fastify | Patch CVE-2026-3419 | 5 min |
| MEDIUM | react-helmet-async | Review v3.0.0 breaking changes | 1-2 hrs |
| ROUTINE | eslint | Update to 10.0.3 if on 10.x | 10 min |
| ROUTINE | All others | Standard update cycle | Varies |
This week's recommended action: Patch the two CVEs first (10 minutes total). Then review if react-helmet-async v3 affects your SSR setup.
WHAT PAID SUBSCRIBERS GET
This is a free issue of Dev Stack Weekly. Paid subscribers ($19/mo) receive:
- Real-time CVE alerts within hours of disclosure (not weekly)
- Custom package watchlist - monitor your exact dependency tree
- Automated PR generation - receive draft PRs for security patches
- Breaking change impact analysis tailored to your codebase
- JSON/CSV data exports for integration with your tooling
Subscribe at https://buttondown.com/yabaicreation | Report generated 2026-03-07T17:00:00Z