The Weekly Dev's Brew #6 ☕

TLDR: This week in dev land: Vue reaches a decade of steady growth as creator Evan You discusses Vapor Mode and his VoidZero venture, React 19.1 drops with Owner Stack and enhanced Suspense support, and npm faces a new backdoor attack.

Vue's Next Decade: An Exciting Future Percolating

The Vue.js ecosystem is brewing something special as it enters its second decade of existence. According to the newly released State of Vue.js Report 2025, Vue has firmly established itself as one of the most popular JavaScript frameworks, with 93.4% of developers likely to use Vue for their next project. That's up from 90% in 2021!

Evan You, Vue's creator, shared insights on the framework's roadmap in the report, highlighting the upcoming Vue 3.6 with its reactivity system refactor using Johnson Chu's Alien Signals. "We now have a PR that has successfully done that and is fully compatible with everything in the Vue ecosystem," Evan explained.

The most anticipated feature, Vapor Mode, appears to be making steady progress after being on hold for several months. Evan mentioned that Vapor Mode will be available in 3.6 as an experimental feature. "You can start up into vapor mode at a component level without having to do anything special," he noted.

Vue's creator also expanded on VoidZero, his new venture focused on building a unified JavaScript toolchain. VoidZero leverages Vite's adoption momentum to create enterprise-ready tools that improve the developer experience. Unlike previous unified toolchain attempts (like Rome), VoidZero builds on Vite's established foundation rather than starting from scratch.

TypeScript adoption among Vue developers has skyrocketed, with 82% now choosing it compared to just 38% in 2021. The ecosystem is also seeing a significant shift in state management tools, with Pinia dominating at 80% usage while former champion Vuex has tumbled to 38.4%.

React 19.1 Serves a Fresh Batch of Features

React's team has released version 19.1.0, bringing several enhancements to the framework. The standout feature is Owner Stack, a development-only stack trace that helps identify components responsible for rendering. Unlike Component Stacks, which show the hierarchy leading to an error, Owner Stacks reveal direct rendering relationships. It's like finally knowing which barista crafted your perfectly poured latte art.

The release also improves Suspense boundaries, allowing them to be used anywhere—client, server, or during hydration. Other updates include reduced unnecessary client rendering through improved hydration scheduling, and various bug fixes for frozen fallback states.

React Server Components received attention too, with a new experimental API called unstable_prerender for prerendering React Server Components. You know an API is great if it starts with unstable. It's kinda like that fourth espresso shot—probably not recommended for everyone, but some devs will swear by it.

Quick Sips

  • Material UI v7 has officially launched with improved ESM support through package.json exports field, standardized slot patterns, and opt-in CSS layer support for integrating with tools like Tailwind CSS v4.

  • Vike introduced vike-server, a stable 1.0.0 release that can integrate Vite with any server (Express.js, Hono, Fastify, Elysia, H3) and any deployment. It offers server code transpiled by Vite, zero-config setup, and HMR without full server reloads.

  • Josh Goldberg shared thoughts on hybrid linters that combine native speed with TypeScript-first lint rules, arguing that parsing and type checking should be native for performance while coordination and lint rule layers should remain in TypeScript for accessibility.

  • OpenAI released 4o Image Generation, bringing improved capabilities in text rendering, multi-turn generation, and instruction following. The system can handle up to 10-20 different objects and maintains consistency across multiple iterations. And speaking of images, is it just me, or is the number of Studio Ghibli-style profile pictures and memes on social media too damn high since this released? My timeline looks like Spirited Away, except everyone's avatars are now adorable anime versions of themselves standing in a field of flowers.

  • styled-components has officially entered maintenance mode, according to core maintainer Evan Jacobs (quantizor). The popular CSS-in-JS library won't receive major new features as the ecosystem shifts away from CSS-in-JS toward solutions like Tailwind. "For new projects, I would not recommend adopting styled-components or most other css-in-js solutions," Jacobs wrote, citing React's deprecation of certain APIs and his own decreasing usage of the library.

  • Vitest released v3.1.0 with several tasty new features for test enthusiasts. The update introduces the %$ option to add test numbers to titles, configureVitest plugin hook for deeper customization, and improved browser testing with new locator filters. For reporter improvements, the update adds always-rendered test time and a --silent=passed-only flag to log only failed tasks.

  • Express.js announced version 5.1.0 as the new default on npm, finally completing the transition from v4 to v5 with a defined LTS timeline. The Express Technical Committee outlined three support phases: CURRENT (new major versions for minimum 3 months), ACTIVE (latest on npm for minimum 12 months), and MAINTENANCE (previous major versions for 12 months). Version 4 enters MAINTENANCE phase now and will reach EOL no sooner than October 2026. The release itself includes modernized dependencies, improved performance and some long-awaited features like support for Uint8Array in res.send(). A mature blend that's been carefully roasted to perfection.

NPM Security Alert: New Backdoor Attack Threatens Developers

Security researchers have discovered a concerning new attack on npm packages that covertly patches legitimate, locally installed packages to inject persistent reverse shell backdoors. Unlike typical malicious packages, this technique means the backdoor remains even after removing the malicious packages.

Researchers at ReversingLabs identified two packages, 'ethers-provider2' and 'ethers-providerz', which modify legitimate packages like 'ethers' by replacing authentic files with trojanized versions. These modified files establish reverse shell connections to attacker-controlled servers.

What makes this attack particularly dangerous is its persistence mechanism—since it modifies legitimate packages that remain installed, removing the initial malicious package doesn't eliminate the threat. Developers are advised to scan their environments using the provided YARA rules (listed in the blog post as well) and carefully verify package sources before installation.
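
Since the trojanized files sit inside a legitimate package, uninstalling the dropper is not a clean bill of health: the installed package itself has to be compared, file by file, with a pristine copy of the same version. The sketch below is an added example, not code from ReversingLabs or from the packages discussed; `hashTree`, `diffPackage`, the `example-lib` package and its file names are hypothetical and constructed for the demo.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Map each file under `root` to its SHA-256, keyed by '/'-separated relative path.
function hashTree(root, rel = '', hashes = new Map()) {
  for (const entry of fs.readdirSync(path.join(root, rel), { withFileTypes: true })) {
    const child = rel ? `${rel}/${entry.name}` : entry.name;
    if (entry.isDirectory()) hashTree(root, child, hashes);
    else if (entry.isFile()) {
      const data = fs.readFileSync(path.join(root, child));
      hashes.set(child, crypto.createHash('sha256').update(data).digest('hex'));
    }
  }
  return hashes;
}

// Report files that differ from, are absent from, or are extra to the pristine copy.
function diffPackage(pristineDir, installedDir) {
  const clean = hashTree(pristineDir), live = hashTree(installedDir);
  const report = { modified: [], added: [], missing: [] };
  for (const [rel, digest] of clean) {
    if (!live.has(rel)) report.missing.push(rel);
    else if (live.get(rel) !== digest) report.modified.push(rel);
  }
  for (const rel of live.keys()) if (!clean.has(rel)) report.added.push(rel);
  for (const list of Object.values(report)) list.sort();
  return report;
}

// Constructed demo: two throwaway trees stand in for a pristine and an installed package.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'pkgdiff-'));
  const write = (tree, rel, text) => {
    const file = path.join(base, tree, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, text);
  };
  for (const tree of ['pristine', 'installed']) {
    write(tree, 'package.json', '{"name":"example-lib","version":"1.0.0"}');
    write(tree, 'lib/provider.js', 'module.exports = () => "ok";\n');
  }
  write('installed', 'lib/provider.js', 'module.exports = () => "changed after install";\n');
  write('installed', 'lib/extra.js', '// file not shipped in the pristine copy\n');
  const report = diffPackage(path.join(base, 'pristine'), path.join(base, 'installed'));
  fs.rmSync(base, { recursive: true, force: true });
  return report;
}
console.log(demo());
```

In real use, point `diffPackage` at a freshly extracted registry tarball of the exact installed version and at the package's directory under `node_modules`; any entry under `modified` or `added` is a reason to reinstall from a clean state and investigate.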

Coffee Fact of the Week ☕

That decaf coffee you're sipping isn't just about what's been removed—it's about where that caffeine goes afterward! When factories like Atlantic Coffee Solutions in Houston decaffeinate coffee beans, they don't just discard the extracted caffeine. This valuable byproduct—about 1,200 pounds per batch—is sold to beverage companies like Coca-Cola and Pepsi to fuel your favorite sodas and energy drinks. So that afternoon Diet Coke giving you a boost? It might contain the very caffeine that was extracted from someone else's morning decaf! It's a fascinating circular economy where caffeine fuels both developers and their code, whether it comes from a coffee mug or a soda can. Next time you reach for that energy drink during a late-night coding session, remember you're consuming coffee's stimulating essence in a different form.

See y’all next week. Happy coding & brewing!
