State of JavaScript 2026
Three shifts defined JavaScript in 2025: security vulnerabilities exposed RSC's attack surface (React2Shell hit CVSS 10.0; 39% of cloud environments vulnerable), supply chain attacks evolved into self-replicating worms (Shai-Hulud's second wave hit ~800 packages; npm phishing attack hit 2.6B weekly downloads), and Rust-based tooling went mainstream (Turbopack default in Next.js 16; Vite+ unifying Vite, Vitest, Oxc, Rolldown).

TypeScript 7 native port announced with 10x build speedup. Anthropic acquired Bun after Claude Code reached $1B run-rate revenue. React Compiler 1.0 went stable (2.5x faster interactions on Meta Quest Store). React Foundation announced under Linux Foundation. React Native completed its New Architecture transition and shipped Hermes V1 as default engine. Vitest 4.0 stabilized browser mode; Angular 21 adopted it as default. ECMAScript 2025 shipped Set methods, Iterator helpers, and Import Attributes. WinterCG moved to Ecma as WinterTC (announced Jan 2025; W3C group closed Apr 3).
Actions for 2026: Patch React/Next.js for React2Shell (CISA KEV listed), patch Metro dev server for Metro4Shell (CISA KEV, deadline February 26), rotate npm tokens and enable phishing-resistant MFA, test `@typescript/native-preview` before TypeScript 7.0 (early 2026), review React Compiler adoption, plan Node.js security updates (January 7, 2026).
JavaScript 2025 Timeline
January 2025
React Native 0.77
display: contents, boxSizing, mixBlendMode, Android 16KB page support, and a Swift template for iOS. New Architecture enabled by default (since 0.76).
February 2025
React Native 0.78
March 2025
TypeScript 7 Announced
SpiderMonkey Object Allocator
Microsoft AppCenter Retired
April 2025
React Native 0.79
Expo SDK 53
May 2025
Node.js 24
args when { shell: true } for spawn()/execFile() to prevent unsafe argument concatenation.
TypeScript Native Preview on npm
@typescript/native-preview landed on npm, the first public preview of TypeScript's native port.
App.js Conf 2025
June 2025
React Native Aria Supply Chain Attack
@react-native-aria and @gluestack-ui packages compromised (June 6-8) via a leaked npm token without 2FA. Over 1M combined weekly downloads affected. RAT payload hidden via whitespace obfuscation.
React Native 0.80
React Summit 2025
React Native Skia WebGPU
July 2025
eslint-config-prettier Compromised
Callstack Acquired by Viking Global
Reanimated 4 Stable
FlashList v2
Node.js 22.18.0
.ts files to run without a build step.
August 2025
React Native 0.81
s1ngularity Attack
September 2025
React Universe Conf 2025
Shopify New Architecture Migration
npm Supply Chain Attack
npmjs.help. Malicious versions live for ~2 hours, affecting 2.6B weekly downloads.
Shai-Hulud Worm Emerged
rxnt-authentication) published September 14; ReversingLabs first detected the worm September 15. Sysdig's analysis estimated ~200 infected packages early on, with hundreds affected in the first wave.
Expo SDK 54
Flipper Archived
October 2025
React Conf 2025
React Native 0.82
ViteConf 2025
Node.js 25
--allow-net permission flag, Web Storage enabled by default.
Next.js 16
Vitest 4.0
November 2025
Shai-Hulud 2.0
React2Shell Reported
December 2025
TypeScript 7 Progress Update
--incremental. TypeScript 6.0 will be last JS-based release. Breaking changes in 7.0: --strict default, --target es5 removal, --baseUrl removal, --moduleResolution node10 removal. Both 6.0 and 7.0 targeting early 2026.
Anthropic Acquired Bun
React2Shell Patches Released
React Native 0.83
<Activity> component and useEffectEvent APIs. Long Tasks API and Intersection Observer API in canary.
More RSC Vulnerabilities Disclosed
CVE-2025-11953 (Metro4Shell)
@react-native-community/cli via Metro dev server's /open-url endpoint. JFrog published the vulnerability November 4; in-the-wild exploitation observed starting December 21, delivering a Rust-based payload. 2M weekly downloads affected. Fix: update to cli-server-api v20.0.0+ or bind dev server to localhost.
February 2026
Metro4Shell Added to CISA KEV
React Native 0.84
RCT_REMOVE_LEGACY_ARCH set to ON by default (legacy code no longer compiled into binaries). Precompiled iOS binaries ship by default. Node.js v22.11+ required.
JavaScript 2026 Watchlist

1. React Server Components Security
When: Now. Patched versions released December 3, 2025. CISA KEV listed December 5.
Context: React2Shell (CVE-2025-55182), a CVSS 10.0 RCE in RSC Flight protocol. Near-100% exploit reliability. Affects React 19.0-19.2, Next.js 14.3.0-canary.77+, 15.x, 16.x, all RSC frameworks. 39% of cloud environments vulnerable at disclosure.
Action: Update to React 19.0.1, 19.1.2, or 19.2.1. Update Next.js per security bulletin. Audit for CVE-2025-55184 (DoS) and CVE-2025-55183 (Source Code Exposure).
2. TypeScript 7.0 Migration
When: Early 2026. TypeScript 6.0 (last JS-based release) and 7.0 (native port) both targeting this window.
Context: TypeScript 7 native port delivers ~10x build speedup. Breaking changes: --strict default, --target es5 removal, --baseUrl removal, --moduleResolution node10 removal.
Action: Test @typescript/native-preview now. Audit codebase for deprecated patterns. Plan migration path from 5.x → 6.0 → 7.0.
3. Node.js Security Releases
When: January 7, 2026 (delayed from December 2025).
Context: Security releases for all active lines (20.x, 22.x, 24.x, 25.x). Node.js 25.x has 3 high-severity and 1 low-severity vulnerability.
Action: Plan update window. Test against patched versions when released.
4. npm Supply Chain Defenses
When: Now. Shai-Hulud's first wave (September) compromised hundreds of packages; the second wave (November) compromised ~800 packages (~132M monthly downloads). Two attacks hit the React Native ecosystem directly: 17 `@react-native-aria` packages compromised in June (1M+ weekly downloads); Metro4Shell (CVE-2025-11953) targeted dev servers with CVSS 9.8 RCE.
Context: Attack vector: phishing campaign using fake 2FA reset emails. The worm used preinstall scripts for credential theft; a destructive fallback attempted home directory deletion.
Action: Enable phishing-resistant MFA (hardware keys). Rotate npm tokens and GitHub PATs. Use lockfile-only installs (npm ci). Consider Deno's `minimumDependencyAge` or Bun's `minimumReleaseAge`. Block webhook.site at network level. Audit @react-native-aria dependencies. Bind Metro dev server to localhost.
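A lockfile check for the audit items above, as an added example that is not from the original article: it walks a parsed `package-lock.json` (lockfileVersion 2 or 3) and flags entries that declare install scripts, entries in the scopes named for the June compromise, and versions younger than a cooldown. The `publishTimes` input shape, the 7-day default and all sample data are assumptions of this example.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Scopes are the ones this page names for the June 2025 compromise.
const WATCHED_SCOPES = ["@react-native-aria/", "@gluestack-ui/"];
const DAY_MS = 24 * 60 * 60 * 1000;

// "node_modules/a/node_modules/@s/b" -> "@s/b"; null for root/workspace entries.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}

// publishTimes maps "name@version" to an ISO timestamp copied from registry
// metadata (hypothetical input shape). minAgeDays is an assumed cooldown.
function auditLockfile(lock, publishTimes = {}, now = Date.now(), minAgeDays = 7) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (name === null) continue;
    const id = `${name}@${entry.version}`;
    // npm records this flag when a package declares pre/post/install scripts.
    if (entry.hasInstallScript) findings.push({ id, reason: "install-script" });
    if (WATCHED_SCOPES.some((scope) => name.startsWith(scope))) {
      findings.push({ id, reason: "watched-scope" });
    }
    const published = Date.parse(publishTimes[id]);
    if (!Number.isNaN(published) && now - published < minAgeDays * DAY_MS) {
      findings.push({ id, reason: "too-new" });
    }
  }
  return findings;
}

// Constructed sample data, not taken from any real project or incident.
const SUPPLY_CHAIN_SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-demo": { version: "1.3.0" },
    "node_modules/native-addon-demo": { version: "2.0.1", hasInstallScript: true },
    "node_modules/@react-native-aria/focus": { version: "0.0.0-constructed" },
    "node_modules/ui-kit-demo/node_modules/fresh-demo": { version: "4.2.0" },
  },
};
const SAMPLE_TIMES = { "fresh-demo@4.2.0": "2025-09-08T13:00:00Z" };
const SAMPLE_NOW = Date.parse("2025-09-08T15:00:00Z");
```

To run it on a real project, pass the result of `JSON.parse` on the project's `package-lock.json`; the `hasInstallScript` field is only present in lockfiles written by npm 7 or later.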
5. Vite+ Unified Toolchain
When: Public preview targeting early 2026. Announced October 2025 at ViteConf.
Context: VoidZero bundles Vite, Vitest, Oxc, and Rolldown into unified Rust-based toolchain. Addresses JavaScript's "fragmentation tax."
Action: Review when preview releases. Compare against Turbopack (default in Next.js 16). Choice depends on framework commitment.
6. Testing Tool Migration
When: Now. Vitest 4.0 stable October 2025. Angular 21 adopted Vitest as default.
Context: Vitest browser mode with Playwright now stable. Visual regression testing built-in. Jest 30 slimmed core but Vitest gaining framework adoption. Playwright 1.57 switched to Chrome for Testing. Chrome 137+ removed `--load-extension` support in branded Chrome; Cypress recommends Chrome for Testing or Chromium for extension-based workflows.
Action: Review Vitest for new projects. For Cypress users with extension-based workflows: switch to Chrome for Testing, Chromium, or Electron.
7. React Compiler Adoption
When: Now. React Compiler 1.0 stable October 2025.
Context: Automatic memoization at build time. 2.5x faster interactions on Meta Quest Store. Removes manual useMemo/useCallback/React.memo. Works with React 17+ via runtime package. React Native 0.78 simplified compiler enablement; enabled by default in Expo SDK 54.
Action: Add babel-plugin-react-compiler to build. Test incrementally. Remove manual memoization as compiler handles it.
8. Edge Runtime Standardization
When: Ongoing. WinterCG moved to Ecma as WinterTC (announced Jan 2025; W3C group closed Apr 3, 2025).
Context: Runtime Keys proposal standardizes runtime identification. Serverless functions API in development. Goal: write once, deploy to Cloudflare Workers, Vercel Edge Runtime, Deno, WinterJS.
Action: Test code across edge runtimes. Track WinterTC proposals for API convergence.
9. ECMAScript 2026 Features
When: ES2026 finalization mid-2026. Features landing in browsers throughout 2026.
Context: Likely ES2026: Uint8Array Base64 (Stage 4), Error.isError (Stage 4). In-flight: import defer (Stage 3), Math.sumPrecise (Stage 2.7). Temporal API shipped in Firefox 139.
Action: Track TC39 proposals. Test Temporal API in Firefox. Review import defer for startup performance optimization.
10. Framework Landscape
When: Track through 2026.
Context: Astro reports 3rd fastest growing on GitHub (citing Octoverse 2025), 3M monthly installs. Svelte 5 Runes shipped. TanStack Start at RC. Vue Router 4.5.0 added view transitions. Angular shipping signals and zoneless change detection. React Native completed its New Architecture transition (0.82 opt-out removed; 0.84 Hermes V1 default), teased 1.0 at React Universe Conf. React Foundation governance may shift ecosystem dynamics.
Action: Review frameworks based on project requirements. Track React Foundation impact on RSC adoption post-React2Shell. For React Native: ensure projects are on New Architecture and Hermes V1.
11. AI Tooling Integration
When: Accelerating through 2026. MCP servers shipping now.
Context: Playwright MCP enables AI agents to control browsers. Astro MCP server for AI tool integration. Next.js DevTools MCP support added. React Native Skia WebGPU enabled GPU compute for 2D/3D composability. `react-native-fast-tflite` provides JSI-powered on-device ML inference.
Action: Review MCP integration for developer tooling. Test Playwright MCP for automated testing workflows. Test React Native Skia WebGPU for compute-intensive mobile workloads.
12. Browser Engine Performance
When: Features shipping now. Track through 2026.
Context: V8 Explicit Compile Hints reduced parse/compile by 630ms average. Safari 26 WebGPU enables GPU compute in JavaScript. Memory64 WebAssembly in Chrome 133 and Firefox 134.
Action: Test V8 compile hints for large applications. Review WebGPU for compute-intensive workloads. Track WebAssembly Memory64 for >4GB use cases.
13. Metro4Shell (CVE-2025-11953)
When: Now. CISA KEV listed February 5, 2026. Federal patch deadline February 26.
Context: Critical CVSS 9.8 RCE in @react-native-community/cli via Metro dev server's /open-url endpoint. In-the-wild exploitation observed December 21, 2025, delivering a Rust-based payload. 2M weekly downloads affected.
Action: Update @react-native-community/cli-server-api to v20.0.0+. Bind Metro dev server to localhost. Review network exposure of all development servers.
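The patch levels given in items 1 and 13 can be checked against a lockfile; the sketch below is an added example, not code from the original article or from either project. It shows why React2Shell needs a per-release-line comparison (a single "at least 19.0.1" threshold would wrongly pass 19.1.0). The `react-server-dom-*` package names are an assumption of this example (the page says only "React"), and the sample lockfile is constructed.

```javascript
// Fixed versions are the ones stated on this page; the react-server-dom-*
// package names are an assumption of this example (the page says "React").
const RULES = [
  { // CVE-2025-55182: one fixed patch per release line
    names: ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"],
    fixedPatchByLine: { "19.0": 1, "19.1": 2, "19.2": 1 } },
  { // CVE-2025-11953: single threshold
    names: ["@react-native-community/cli-server-api"], fixedFrom: [20, 0, 0] },
];

function classify(name, version) {
  const rule = RULES.find((r) => r.names.includes(name));
  if (!rule) return "not-covered";
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return "review"; // unparseable: leave it to a human
  const [major, minor, patch] = [+m[1], +m[2], +m[3]];
  const prerelease = Boolean(m[4]);
  if (rule.fixedPatchByLine) {
    const fixedPatch = rule.fixedPatchByLine[`${major}.${minor}`];
    if (fixedPatch === undefined) return "outside-listed-lines";
    if (prerelease) return "review"; // canary/rc builds need a manual check
    return patch < fixedPatch ? "update" : "patched";
  }
  const [fMajor, fMinor, fPatch] = rule.fixedFrom;
  const diff = major - fMajor || minor - fMinor || patch - fPatch;
  if (diff < 0) return "update";
  return diff === 0 && prerelease ? "review" : "patched";
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root or workspace entry
    const name = path.slice(i + "node_modules/".length);
    const status = classify(name, entry.version);
    if (status === "update" || status === "review") findings.push({ name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const PATCH_SAMPLE = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.0" },
  "node_modules/@react-native-community/cli-server-api": { version: "19.0.0" },
  "node_modules/demo/node_modules/react-server-dom-webpack": { version: "19.2.1" },
} };
```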
14. React Native New Architecture
When: Completed. 0.82 removed opt-out (October 2025); 0.84 compiled out legacy code (February 2026).
Context: JSI replaces the Bridge, TurboModules replace NativeModules, Fabric replaces the old renderer. Hermes V1 is now the default engine. Shopify completed migration with 86% unified codebase. 1.0 teased at React Universe Conf.
Action: Migrate remaining Legacy Architecture dependencies. Update third-party libraries to New Architecture-compatible versions. Test Hermes V1 compatibility. Track React Native 1.0 timeline.




