Tell me if you've heard this one before

Ready to transform artificial intelligence from a buzzword into your personal revenue generator

HubSpot’s groundbreaking guide "200+ AI-Powered Income Ideas" is your gateway to financial innovation in the digital age.

Inside you'll discover:

Download your guide today and unlock a future where artificial intelligence powers your success. Your next income stream is waiting.

Get Your Guide

What’s up, everyone? Welcome to Next in Dev. In this edition: critical vulnerability, code red, and Railway buckets.

You currently have {{rp_num_referrals}} referrals.

Starting this edition off a little differently because React had a big oopsie this week.

If you didn't hear, someone discovered a security vulnerability in React's server components. The flaw allows someone to send a request and run harmful code on your server. The vulnerability allows this to happen without credentials.

This is a severe security vulnerability, so you should upgrade immediately. You should upgrade even if you don't use server components in your project. You could still be vulnerable. People who don't use a server or framework that supports RSCs may not need to upgrade.

Many frameworks and tools have already issued patches. This includes Next.js and Payload CMS.

Why this matters:

Developers should take this vulnerability seriously. Attackers can use this type of vulnerability to steal user data or shut down an application.

As I mentioned, Payload CMS bumped the minimum required versions of Next and React to address the security vulnerability. The minimum version of React and React DOM is now 19.2.1, and Next.js is 15.4.8. Payload has only ever included these as peer dependencies, so be sure to update these on your own.

Version 3.66.0 introduced a few other features beyond that.

The first is that you're now able to use custom slugify functions in the slugField. The default slugify function takes care of English slugs well. But it fails to handle languages that contain non-English characters. All you need to do is pass in the slugify option and include an anonymous function with a valueToSlugify.

Also, the team deprecated fieldToUse and now favors useAsSlug. Be sure to update this option if you're using it.

The team introduced new accessibility testing and improvements. You don't need to do anything to opt into these changes. This ensures your Payload CMS admin stays accessible for all users.

You can now use external JSON schema file references in your type generation. This allows you to inject your own types into your project when types are generated by Payload CMS. This is set at the config level in typescript.schema.

The Payload CMS team updated the create-payload-app command. It won't prompt you to choose a database when you select the with-cloudflare-d1 option. When you select this template, it's assumed you want to use the D1 database. That makes sense.

The last feature introduced by the Payload CMS team is alignment support for upload nodes. Now, upload and media blocks can be aligned to the left, center, or right just like other Lexical nodes.

The Payload CMS MCP plugin is a powerful plugin that’s currently in beta. If you want to learn how to use it, you can check out my video on it here:

Figma updated its grid tools to make layouts more flexible for designers. Designers can now set columns and rows to "hug" their content. This makes the grid grow or shrink with the elements inside. They also added fractional units. This lets designers set columns to take up a part of the available space. Fractional units keep layouts consistent as the design scales.

Why this matters:

Designers can now build layouts that work more like CSS flexbox or grid on their websites. The use of fractional units mirrors the fr unit in CSS Grid. This ensures that the design translates into cleaner and responsive code. Aligning design and code in this way saves development teams time. How? By minimizing the need to fix layout inconsistencies.

Other than the React update I've mentioned, the Next.js team released a few updates to their canary branch. These canary releases intend to make your Next.js application more stable. The updates fix several problems related to data handling and development server logic. The updates fix issues, like the issue where the new caching system could hang up pages. They also clean up how the application handles data between routes.

The team is also working to speed up your development experience. Turbopack is now turned on by default, making your code changes appear faster.

Cloudflare (and a few other PaaS, like Railway) put new security rules into their system to mitigate the security issue that affected React. Cloudflare protects all customers whose traffic goes through their Web Application Firewall. Developers should not rely on this protection, though. I'll say it again: you should update your React and Next.js versions to protect yourself.

OpenAI has acquired neptune.ai. Neptune is a company that builds tools to help researchers track and monitor complex AI model training experiments in real-time. Neptune's expertise in providing a clear, dependable way to observe how a model evolves will be used to integrate deeply into OpenAI's training system. This acquisition aims to speed up OpenAI's research, help them learn more from each experiment, and ultimately make better decisions about how their most advanced AI models learn.

Sam Altman also issued a "code red" to employees. He's demanding improvements to ChatGPT, which has seemed to lag behind Google. The company is delaying work on advertising to focus on making the core chatbot better.

Anthropic has acquired Bun. The goal is to use Bun to improve Anthropic's Claude Code tool. Bun will remain open-source, and the core project will remain a focus of the team. This means Bun no longer has to come up with a viable business model, and it propels them into the AI coding tool market.

This matters because it guarantees the stability and future development of Bun. Developers can expect Anthropic to optimize Bun for AI-driven software development. This means even better performance and features for their own applications.

Anthropic has also launched "Claude for Nonprofits." This is a program that gives nonprofits discounts of up to 75% on Claude AI plans. The plan also offers free training on how to use AI in an effective way. The program also adds connectors to popular nonprofit tools like Blackbaud, Candid, and Benevity. It's now easier for organizations to integrate Claude into their existing work.

This initiative is important for web developers for nonprofits. AI tools are becoming much more accessible to a wider range of customers with lower budgets.

Railway have made Buckets generally available. This means I can finally work on a Payload CMS template for Railway. There's no CDN yet, but it's all private networking, and you only pay for storage ($0.015 per GB). There are no egress fees and no per-operation costs. This makes it comparable to Cloudflare's R2 yet still distinct. You don't have to worry about operations on Railway as you do for Cloudflare.

Magic Config is now powered by AI. It seems the primary update here is that it can detect a docker-compose.yml file. From there, it makes smart recommendations based on that file as it creates your project. Magic Config is still not generally available. So, try it out if you have it enabled on your account.

You can now restrict access to certain environments. Now everyone should have access to production. Everyone knows I shouldn't. So, Railway now gives you or your team the ability to adjust this using its built-in RBAC.

Railway has also improved its CLI as well as its cron job timing accuracy.

What did I miss? There’s so much happening in modern web dev that I’m sure I have missed something. Please share your thoughts in the comments or reply to this email. I want to address your suggestions and may include them in future newsletters.

Thanks for reading. See you next time.

Your readers want great content. You want growth and revenue. beehiiv gives you both. With stunning posts, a website that actually converts, and every monetization tool already baked in, beehiiv is the all-in-one platform for builders. Get started for free, no credit card required.