
Three shifts defined JavaScript in 2025: security vulnerabilities exposed RSC's attack surface (React2Shell hit CVSS 10.0; 39% of cloud environments vulnerable), supply chain attacks evolved into self-replicating worms (Shai-Hulud's second wave hit ~800 packages; npm phishing attack hit 2.6B weekly downloads), and Rust-based tooling went mainstream (Turbopack default in Next.js 16; Vite+ unifying Vite, Vitest, Oxc, Rolldown).
TypeScript 7 native port announced with 10x build speedup. Anthropic acquired Bun after Claude Code reached $1B run-rate revenue. React Compiler 1.0 went stable (2.5x faster interactions on Meta Quest Store). React Foundation announced under Linux Foundation. Vitest 4.0 stabilized browser mode; Angular 21 adopted it as default. ECMAScript 2025 shipped Set methods, Iterator helpers, and Import Attributes. WinterCG moved to Ecma as WinterTC (announced Jan 2025; W3C group closed Apr 3).
Actions for 2026: patch React/Next.js for React2Shell (CISA KEV listed), rotate npm tokens and enable phishing-resistant MFA, test @typescript/native-preview before TypeScript 7.0 (early 2026), evaluate React Compiler adoption, plan Node.js security updates (January 7, 2026).
Timeline: 2025
March
March 11 — Microsoft announced TypeScript 7—a native port of the compiler to Go. Anders Hejlsberg: "The native implementation will drastically improve editor startup, reduce most build times by 10x, and substantially reduce memory usage."
May
May 6 — Node.js 24 released with npm v11 and a shell safety improvement: passing args to spawn()/execFile() together with { shell: true } is now deprecated, to prevent unsafe argument concatenation.
May 22 — @typescript/native-preview landed on npm—first public preview of TypeScript's native port.
June
June 4 — Jest 30 shipped with a slimmed core and a 50% speedup at Happo.
June 13 — Mark Erikson published "The React Community in 2025" at React Summit, analyzing ecosystem tensions. Key thesis: "It is not so much Vercel and Next.js taking over React... as the React team taking over Next.js."
July
July 18 — eslint-config-prettier compromised (CVE-2025-54313) with malicious versions targeting Windows.
July 31 — Node.js 22.18.0 enabled experimental type stripping by default—.ts files run without build step.
August
August 26 — "s1ngularity" attack: malicious versions of Nx packages published via stolen npm token. Active for ~4 hours before removal. 2,349 credentials leaked including GitHub PATs, AWS, OpenAI, and Anthropic API keys.
September
September 8 — Largest npm supply chain attack: 18+ packages including chalk, debug, ansi-styles, strip-ansi trojaned via phishing campaign using fake 2FA reset emails from npmjs.help. Malicious versions live for ~2 hours, affecting 2.6B weekly downloads.

September 14-15 — Shai-Hulud worm emerged: patient zero package (rxnt-authentication) published September 14; ReversingLabs first detected the worm September 15. Sysdig's analysis estimated ~200 infected packages early on, with hundreds impacted in the first wave.
October
October 7-8 — React Conf 2025. Linux Foundation announced intent to launch the React Foundation (founding members: Amazon, Callstack, Expo, Meta, Microsoft, Software Mansion, Vercel). React Compiler 1.0 stable—automatic memoization, 2.5x faster interactions on Meta Quest Store.
October 9-10 — ViteConf 2025. Vite+ announced—unified toolchain bundling Vite, Vitest, Oxc, Rolldown.
October 15 — Node.js 25 shipped with V8 14.1, --allow-net permission flag, Web Storage enabled by default.
October 21 — Next.js 16 made Turbopack default bundler (5-10x faster Fast Refresh, 2-5x faster builds).
October 22 — Vitest 4.0 stabilized browser mode with Playwright, visual regression testing, Playwright traces. Angular 21 adopted Vitest as default.
November
November 24 — Shai-Hulud 2.0: 796 packages compromised, ~132M monthly downloads affected. It used preinstall scripts to steal credentials and installed backdoors; a destructive fallback attempted to destroy home directories. Detection took ~12 hours.
November 29 — React2Shell (CVE-2025-55182) reported to Meta Bug Bounty by Lachlan Davidson. CVSS 10.0 RCE in RSC Flight protocol. Meta security confirmed November 30; fix created December 1.
December

December 2 — TypeScript 7 progress update—native previews stable in editors, close to 10x speedup without --incremental. TypeScript 6.0 will be last JS-based release. Breaking changes in 7.0: --strict default, --target es5 removal, --baseUrl removal, --moduleResolution node10 removal. Both 6.0 and 7.0 targeting early 2026.
December 2-3 — Anthropic acquired Bun—first acquisition. Claude Code hit $1B run-rate revenue in 6 months. Bun remains MIT-licensed with 7M+ monthly downloads.
December 3 — React2Shell patches released: React 19.0.1, 19.1.2, 19.2.1. Near-100% exploit reliability against unpatched systems. Affected: React 19.0-19.2, Next.js 14.3.0-canary.77+, 15.x, 16.x, all RSC frameworks. 39% of cloud environments vulnerable. WAF mitigations deployed by Cloudflare, AWS, Fastly, Google Cloud.
December 5 — CISA added CVE-2025-55182 to KEV catalog—active exploitation confirmed.
December 10 — Deno 2.6 integrated TypeScript's native port via --unstable-tsgo.
December 11 — Additional RSC vulnerabilities disclosed: CVE-2025-55184 (DoS, CVSS 7.5), CVE-2025-55183 (Source Code Exposure, CVSS 5.3).
Security Incidents (2025)
| Incident | Severity | Impact | Exposure Window | Source |
|---|---|---|---|---|
| React2Shell (CVE-2025-55182) | CVSS 10.0 | 39% of cloud environments vulnerable | Nov 29 report → Dec 3 patch | |
| npm Popular Packages Attack (Sep 8) | High | 18+ packages, ~2.6B weekly downloads | ~2 hours | |
| s1ngularity (Aug 26) | High | 2,349 credentials leaked | ~4 hours | |
| Shai-Hulud v1 (Sep 14-15) | High | ~200 initially, hundreds in first wave | 4 days | |
| Shai-Hulud v2 (Nov 24) | High | 796 packages, ~132M monthly downloads | ~12 hours | |
| eslint-config-prettier (Jul 18) | High | Windows RCE | Unknown | |
Performance Benchmarks (2025)
| Tool/Feature | Improvement | Context | Source |
|---|---|---|---|
| TypeScript 7 (native port) | ~10x build speedup | Full builds without | |
| V8 Explicit Compile Hints | 630ms average reduction | Foreground parse/compile times | |
| React Compiler 1.0 | 2.5x faster interactions, 12% faster loads | Meta Quest Store | |
| Next.js 16 / Turbopack | 5-10x faster Fast Refresh, 2-5x faster builds | Default bundler | |
| Jest 30 | 50% speedup (14 min → 9 min) | Happo after cleanup + upgrade | |
| SpiderMonkey Object Allocator | 2.3x speedup | Micro-benchmark | |
Framework & Runtime Adoption (2025)
| Project | Metric | Source |
|---|---|---|
| React Native | 4M weekly npm downloads | |
| Bun | 7M+ monthly downloads | |
| Astro | 3M monthly npm installs | |
| Astro | 3rd fastest growing on GitHub (per Astro citing Octoverse 2025) | |
Acquisition (2025)
| Deal | Value | Date | Context | Source |
|---|---|---|---|---|
| Anthropic + Bun | Undisclosed | December 2-3, 2025 | Anthropic's first acquisition. Claude Code at $1B run-rate revenue in 6 months. Bun remains MIT-licensed. | |
ECMAScript 2025 Features Shipped
| Feature | Description | Source |
|---|---|---|
| Set methods | | |
| Iterator helpers | | |
| Promise.try | Wraps synchronous code in promise handling | |
| Import Attributes | | |
| JSON Modules | Native JSON import support | |
| RegExp.escape() | Sanitizes strings for safe RegExp construction | |
| Float16Array | 16-bit floating point typed array | |
2026 Watchlist

1. React Server Components Security
When: Now. Patched versions released December 3, 2025. CISA KEV listed December 5.
Context: React2Shell (CVE-2025-55182)—CVSS 10.0 RCE in RSC Flight protocol. Near-100% exploit reliability. Affects React 19.0-19.2, Next.js 14.3.0-canary.77+, 15.x, 16.x, all RSC frameworks. 39% of cloud environments vulnerable at disclosure.
Action: Update to React 19.0.1, 19.1.2, or 19.2.1. Update Next.js per security bulletin. Audit for CVE-2025-55184 (DoS) and CVE-2025-55183 (Source Code Exposure).
2. TypeScript 7.0 Migration
When: Early 2026. TypeScript 6.0 (last JS-based release) and 7.0 (native port) both targeting this window.
Context: TypeScript 7 native port delivers ~10x build speedup. Breaking changes: --strict default, --target es5 removal, --baseUrl removal, --moduleResolution node10 removal.
Action: Test @typescript/native-preview now. Audit codebase for deprecated patterns. Plan migration path from 5.x → 6.0 → 7.0.
3. Node.js Security Releases
When: January 7, 2026 (delayed from December 2025).
Context: Security releases for all active lines (20.x, 22.x, 24.x, 25.x). Node.js 25.x has 3 high-severity and 1 low-severity vulnerability.
Action: Plan update window. Test against patched versions when released.
4. npm Supply Chain Defenses
When: Now. Shai-Hulud's first wave (September) compromised hundreds of packages; the second wave (November) compromised ~800 packages (~132M monthly downloads).
Context: Attack vector: phishing campaign using fake 2FA reset emails. The worm used preinstall scripts for credential theft, and a destructive fallback attempted home directory deletion.
Action: Enable phishing-resistant MFA (hardware keys). Rotate npm tokens and GitHub PATs. Use lockfile-only installs (npm ci). Consider Deno's minimumDependencyAge or Bun's minimumReleaseAge. Block webhook.site at network level.
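The worm described above ran from preinstall scripts, so one check to pair with lockfile-only installs is listing every locked dependency that declares an install script. The following is an added example, not code from the original article or from npm; the REVIEWED allowlist, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Audit a parsed package-lock.json (lockfileVersion 2 or 3) for dependencies
// that declare install-time lifecycle scripts. npm records this as
// "hasInstallScript": true on each entry under "packages".

// Hypothetical allowlist: packages the team has reviewed and expects to run
// install scripts (native addons, for example).
const REVIEWED = new Set(["esbuild"]);

// Turn a lockfile key such as "node_modules/a/node_modules/@scope/b"
// into the package name "@scope/b".
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

function auditInstallScripts(lock, reviewed = REVIEWED) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    // lockfileVersion 1 has no "packages" map, so the flag is unavailable.
    throw new Error("lockfile has no 'packages' map; regenerate with npm 7+");
  }
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || !entry.hasInstallScript) continue; // "" is the root project
    const name = packageName(key);
    if (reviewed.has(name)) continue; // already reviewed, expected to run scripts
    findings.push({ name, version: entry.version, path: key });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/esbuild": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/left-helper": { version: "2.3.4" },
    "node_modules/left-helper/node_modules/@acme/native-thing": {
      version: "0.9.1", hasInstallScript: true
    },
  },
};

const findings = auditInstallScripts(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`unreviewed install script: ${f.name}@${f.version} (${f.path})`);
}
```

In CI, parse the real package-lock.json, pass it to auditInstallScripts, and fail the job when the result is non-empty; installing with npm ci --ignore-scripts keeps unreviewed scripts from running in the meantime.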
5. Vite+ Unified Toolchain
When: Public preview targeting early 2026. Announced October 2025 at ViteConf.
Context: VoidZero bundles Vite, Vitest, Oxc, and Rolldown into unified Rust-based toolchain. Addresses JavaScript's "fragmentation tax."
Action: Evaluate when preview releases. Compare against Turbopack (default in Next.js 16). Choice depends on framework commitment.
6. Testing Tool Migration
When: Now. Vitest 4.0 stable October 2025. Angular 21 adopted Vitest as default.
Context: Vitest browser mode with Playwright now stable. Visual regression testing built-in. Jest 30 slimmed core but Vitest gaining framework adoption. Playwright 1.57 switched to Chrome for Testing. Chrome 137+ removed --load-extension support in branded Chrome; Cypress recommends Chrome for Testing or Chromium for extension-based workflows.
Action: Evaluate Vitest for new projects. For Cypress users with extension-based workflows: switch to Chrome for Testing, Chromium, or Electron.
7. React Compiler Adoption
When: Now. React Compiler 1.0 stable October 2025.
Context: Automatic memoization at build time. 2.5x faster interactions on Meta Quest Store. Eliminates manual useMemo/useCallback/React.memo. Works with React 17+ via runtime package. Enabled by default in Expo SDK 54.
Action: Add babel-plugin-react-compiler to build. Test incrementally. Remove manual memoization as compiler handles it.
8. Edge Runtime Standardization
When: Ongoing. WinterCG moved to Ecma as WinterTC (announced Jan 2025; W3C group closed Apr 3, 2025).
Context: Runtime Keys proposal standardizes runtime identification. Serverless functions API in development. Goal: write once, deploy to Cloudflare Workers, Vercel Edge Runtime, Deno, WinterJS.
Action: Test code across multiple edge runtimes. Monitor WinterTC proposals for API convergence.
9. ECMAScript 2026 Features
When: ES2026 finalization mid-2026. Features landing in browsers throughout 2026.
Context: Likely ES2026: Uint8Array Base64 (Stage 4), Error.isError (Stage 4). In-flight: import defer (Stage 3), Math.sumPrecise (Stage 2.7). Temporal API shipped in Firefox 139.
Action: Monitor TC39 proposals. Test Temporal API in Firefox. Evaluate import defer for startup performance optimization.
10. Framework Landscape
When: Monitor through 2026.
Context: Astro reports 3rd fastest growing on GitHub (citing Octoverse 2025), 3M monthly installs. Svelte 5 Runes shipped. TanStack Start at RC. Vue Router 4.5.0 added view transitions. Angular shipping signals and zoneless change detection. React Foundation governance may shift ecosystem dynamics.
Action: Evaluate frameworks based on project requirements. Monitor React Foundation impact on RSC adoption post-React2Shell.
11. AI Tooling Integration
When: Accelerating through 2026. MCP servers shipping now.
Context: Playwright MCP enables AI agents to control browsers. Astro MCP server for AI tool integration. Next.js DevTools MCP support added.
Action: Evaluate MCP integration for developer tooling. Test Playwright MCP for automated testing workflows.
12. Browser Engine Performance
When: Features shipping now. Monitor through 2026.
Context: V8 Explicit Compile Hints reduced parse/compile by 630ms average. Safari 26 WebGPU enables GPU compute in JavaScript. Memory64 WebAssembly in Chrome 133 and Firefox 134.
Action: Test V8 compile hints for large applications. Evaluate WebGPU for compute-intensive workloads. Monitor WebAssembly Memory64 for >4GB use cases.

