Dev Stack Weekly: React 19.1 Released, TanStack Query v6, 1 CVE Alert (Mar 5)
Dev Stack Weekly
React/Next.js Ecosystem Intelligence - March 5, 2026
492 packages scanned | 42 updates detected | 2 breaking changes | 1 CVE
HEADLINE: React 19.1 Released
react v19.1.0 + react-dom v19.1.0 (from v19.0.0)
- Severity: BREAKING - HIGH
- Released: March 3, 2026
- Category: React Core
- Weekly Downloads: 24.1M
This is a major milestone release. React 19.1 is the first "stable refinement" of React 19, fixing pain points discovered since the React 19.0 launch.
Breaking Changes:
- use() hook: now throws if called conditionally (was silently broken in 19.0)
- <form> actions: formData parameter renamed to data in action functions
- useFormStatus(): returns { pending, data, method, action } (added method and action fields)
- ref as prop: callback refs must return a cleanup function or undefined (returning other values now warns)
New Features (non-breaking):
- useActionState() now supports optimistic updates natively (replaces useOptimistic for form actions)
- Server Components: new "use server" functions can return ReadableStream for streaming responses
- <Suspense> improvements: better hydration error messages, reduced CLS during hydration
- React DevTools v6 compatibility (auto-detects 19.1)
Migration from React 19.0:
```jsx
// Form actions: rename formData -> data
// Before (19.0)
async function submitForm(formData) {
  const name = formData.get('name');
}
// After (19.1)
async function submitForm(data) {
  const name = data.get('name');
}

// Callback refs: return cleanup or undefined
// Before (19.0) - worked but incorrect
<div ref={(el) => { someEffect(el); }} />
// After (19.1) - return cleanup function
<div ref={(el) => {
  someEffect(el);
  return () => cleanupEffect(el);
}} />
```
Upgrade priority: HIGH - The form action parameter rename will cause runtime errors. Most projects can upgrade in 1-2 hours. Test all forms thoroughly.
Compatibility: Next.js 15.2.x already supports React 19.1. Remix, Gatsby, and Vite React plugin support expected within 1-2 weeks.
BREAKING CHANGES
@tanstack/react-query v6.0.0 (from v5.63.0)
- Severity: BREAKING - MEDIUM
- Released: March 4, 2026
- Category: Data Fetching
- Weekly Downloads: 6.8M
Breaking Changes:
- useQuery return type: data is now undefined when isPending is true (was undefined | TData regardless of status)
- queryClient.setQueryData requires exact type match (no more implicit any)
- keepPreviousData option removed (use placeholderData: (prev) => prev instead)
- Minimum TypeScript version: 5.5 (was 4.7)
- cacheTime renamed to gcTime (garbage collection time) - was deprecated in v5, now removed
Migration highlights:
```js
// keepPreviousData migration
// Before (v5)
useQuery({ queryKey: ['items', page], queryFn: fetchItems, keepPreviousData: true });
// After (v6)
useQuery({
  queryKey: ['items', page],
  queryFn: fetchItems,
  placeholderData: (previousData) => previousData,
});

// cacheTime -> gcTime
// Before (v5, deprecated)
useQuery({ queryKey: ['user'], queryFn: fetchUser, cacheTime: 1000 * 60 * 5 });
// After (v6)
useQuery({ queryKey: ['user'], queryFn: fetchUser, gcTime: 1000 * 60 * 5 });
```
Upgrade priority: MEDIUM - v5 continues to receive patches. Plan migration for next sprint. The TypeScript type narrowing changes will surface compile-time errors (which is good - catches real bugs).
SECURITY: CVE ALERTS
CVE-2026-2234 - xml2js v0.6.x - Prototype Pollution
- Severity: HIGH (CVSS 7.8)
- Package: xml2js v0.5.0 - v0.6.2
- Fixed in: xml2js v0.6.3
- Source: GitHub Advisory DB + NVD
Description: A prototype pollution vulnerability in xml2js allows attackers to inject properties into JavaScript objects via crafted XML input. This can lead to remote code execution in applications that process untrusted XML and use the parsed result in security-sensitive operations.
Affected: Node.js applications parsing untrusted XML (RSS feeds, SOAP APIs, SVG processing). Not typically a direct dependency in React projects but common in backend services.
Fix:
```sh
npm install xml2js@0.6.3
```
Note: If you don't directly depend on xml2js, check `npm ls xml2js` to find transitive dependencies.
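To run the transitive-dependency check in CI rather than by eye, the following added example (not part of the newsletter's tooling) walks a parsed `package-lock.json` and reports every installed xml2js copy in the affected range stated above, along with the packages that resolve to it. It assumes lockfileVersion 2 or 3; the sample lockfile and the `example-feed-lib` package name are constructed for illustration.

```javascript
// Added example. Affected range is taken from the advisory text above:
// xml2js v0.5.0 through v0.6.2, fixed in v0.6.3.
const TARGET = 'xml2js', MIN = [0, 5, 0], MAX = [0, 6, 2];

// Numeric major.minor.patch only; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, MIN) >= 0 && cmp(v, MAX) <= 0;
}

// Node-style resolution inside the lockfile: look in the dependent's own
// node_modules first, then walk up towards the project root.
function resolveCopy(packages, fromPath, name) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Takes a parsed lockfile and returns one entry per affected installed copy.
function findAffected(lock) {
  const packages = lock.packages || {};
  const hits = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(TARGET in deps)) continue;
    const copy = resolveCopy(packages, path, TARGET);
    if (!copy || !isAffected(packages[copy].version)) continue;
    if (!hits.has(copy)) hits.set(copy, { path: copy, version: packages[copy].version, requiredBy: [] });
    hits.get(copy).requiredBy.push(path === '' ? '(root)' : path);
  }
  return [...hits.values()];
}

// Constructed sample: patched hoisted copy, vulnerable copy nested under a dependency.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', dependencies: { 'example-feed-lib': '^2.0.0', xml2js: '^0.6.3' } },
  'node_modules/xml2js': { version: '0.6.3' },
  'node_modules/example-feed-lib': { version: '2.1.0', dependencies: { xml2js: '^0.5.0' } },
  'node_modules/example-feed-lib/node_modules/xml2js': { version: '0.5.0' },
} };
console.log(JSON.stringify(findAffected(sampleLock), null, 2));
```

The sample shows why upgrading the direct dependency alone is not enough: the root project resolves to the fixed 0.6.3, while the nested copy pinned by a dependency stays in the affected range.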
NOTABLE UPDATES (Non-Breaking)
| Package | From | To | Type | Highlights |
|---|---|---|---|---|
| next | 15.2.1 | 15.2.2 | patch | React 19.1 compatibility, Turbopack memory fix |
| typescript | 5.7.3 | 5.8.0-beta | pre-release | Isolated declarations, faster incremental builds |
| vite | 6.1.0 | 6.2.0 | minor | Environment API stable, improved CSS handling |
| vitest | 3.0.5 | 3.1.0 | minor | Browser mode v2, snapshot inline assertions |
| eslint | 9.20.0 | 9.21.0 | minor | New no-restricted-syntax options |
| prettier | 3.5.1 | 3.5.2 | patch | Fixed JSX formatting regression |
| @clerk/nextjs | 6.10.0 | 6.11.0 | minor | React 19.1 support, new useAuth() options |
| shadcn/ui | - | - | update | 3 new components: Stepper, Timeline, ColorPicker |
| recharts | 2.15.0 | 2.16.0 | minor | Responsive container improvements, SSR fixes |
| tRPC | 11.3.1 | 11.4.0 | minor | React 19.1 RSC integration, new middleware API |
| pnpm | 9.15.4 | 10.0.0-alpha | pre-release | Catalogs feature, improved workspace protocol |
| bun | 1.2.2 | 1.2.3 | patch | Node.js API compatibility improvements |
| deno | 2.2.0 | 2.2.1 | patch | npm compatibility fixes |
ECOSYSTEM SPOTLIGHT: React 19.1 Compatibility Dashboard
| Category | Compatible | Partial | Incompatible |
|---|---|---|---|
| State Management | zustand, jotai, redux | mobx (patch coming) | recoil (deprecated) |
| Routing | react-router, @tanstack/router | wouter (PR open) | - |
| Data Fetching | @tanstack/query, swr, trpc | apollo (RC) | - |
| UI Components | radix-ui, shadcn, headless-ui | ant-design (beta) | material-ui v5 |
| Animation | framer-motion | react-spring (WIP) | react-transition-group |
| Forms | react-hook-form, formik | - | - |
| Testing | vitest, jest, testing-library | - | enzyme (dead) |
Key takeaway: ~85% of the top 100 React packages now support React 19.1. Material UI v5 users should migrate to v6 (React 19+ compatible). Recoil users should migrate to jotai or zustand (Recoil is effectively deprecated by Meta).
MONTHLY METRICS: FEBRUARY 2026
| Metric | February 2026 | January 2026 | Trend |
|---|---|---|---|
| Total updates detected | 134 | 118 | +14% |
| Breaking changes | 7 | 4 | +75% |
| CVEs discovered | 8 | 5 | +60% |
| Mean time to patch (CVE) | 3.2 days | 4.1 days | -22% (improving) |
| Packages with React 19 support | 85% | 72% | +13pp |
February was an active month, with higher-than-average breaking changes and CVEs, but the ecosystem responded quickly. Mean patch time for CVEs improved to 3.2 days, the fastest in the past 6 months.
WHAT PAID SUBSCRIBERS GET
This is a free sample of Dev Stack Weekly. Paid subscribers ($19/mo) receive:
- Real-time CVE alerts within hours of disclosure (not weekly)
- Custom package watchlist - monitor your exact dependency tree
- Automated PR generation - receive draft PRs for security patches via GitHub integration
- Breaking change impact analysis tailored to your codebase
- Quarterly ecosystem deep-dives with migration guides
- JSON/CSV data exports for integration with your tooling
- Team dashboard for organization-wide dependency health monitoring ($49/mo team plan)
Subscribe at https://buttondown.com/yabaicreation | Report generated 2026-03-05T05:00:00Z