🦥 Critical React vulnerability (patch now) + Anthropic bought Bun
Hello humans!
Big week for security, frameworks, and of course… AI trends.
Here’s what happened in tech this week:
React patched a 10.0 CVSS vulnerability that let attackers run code remotely through Server Components (patch immediately if you're on React 19)
Angular 21 released (Still won't make Angular cool though 👀)
Anthropic acquired Bun to power Claude Code. Bun now has a sugar daddy.
AI is changing what matters in engineering: turns out being a regular human is better than coding speed.
Companies are hiring fewer juniors since AI can handle entry-level tasks


Critical React Server Components vulnerability allows remote code execution
React disclosed a critical security vulnerability (CVE-2025-55182, rated CVSS 10.0) that allows unauthenticated remote code execution in React Server Components. The vulnerability was discovered by Lachlan Davidson on November 29 and patched within 4 days.
The flaw exploits how React decodes payloads sent to Server Function endpoints. Even apps without Server Functions are vulnerable if they support Server Components. Affected versions:
React 19.0, 19.1.0, 19.1.1, and 19.2.0.
Patched versions: 19.0.1, 19.1.2, and 19.2.1.
Frameworks affected include Next.js, React Router, Waku, and several bundler plugins.
Why it matters: A 10.0 CVSS score is as bad as it gets. If you're running React 19 with Server Components (which Next.js uses by default), you need to patch immediately. The blast radius is huge since Next.js and other popular frameworks auto-enable Server Components. Check your dependencies now.
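One way to do that dependency check, as an added example that is not from the React advisory or this newsletter: a small Node.js function that scans a parsed package-lock.json for entries pinned to the affected versions listed above. The package names in `WATCHED`, reading "19.0" as 19.0.0, and the sample lockfile are assumptions made for the example.

```javascript
// Added example: flag lockfile entries pinned to an affected React release.
const AFFECTED = new Map([   // affected version -> patched release, as listed in the article
  ["19.0.0", "19.0.1"],      // the article writes "19.0"; read here as 19.0.0 (assumption)
  ["19.1.0", "19.1.2"],
  ["19.1.1", "19.1.2"],
  ["19.2.0", "19.2.1"],
]);
// Assumption: package names to watch; the article names versions, not packages.
const WATCHED = new Set([
  "react", "react-dom",
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// "node_modules/a/node_modules/react" -> "react"; the root entry "" has no name.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Accepts a parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
// Nested copies pulled in by other dependencies are reported too, with their full path.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (!name || !WATCHED.has(name)) continue;
    const fixedIn = AFFECTED.get(meta.version);
    if (fixedIn) hits.push({ path, name, version: meta.version, fixedIn });
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, two stale copies,
// and an unrelated package that happens to share an affected version number.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/left-pad": { version: "19.2.0" },
  },
};

for (const h of findAffected(sampleLock)) {
  console.log(`${h.path}: ${h.name}@${h.version} -> upgrade to ${h.fixedIn}`);
}
```

A lockfile scan only sees packages npm resolved itself; a framework that ships its own bundled copy of React would not appear here, so check the framework's release notes as well.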
Angular 21 ships with Signal Forms, zoneless by default, and AI tooling
Angular 21 launched with experimental Signal Forms (signal-based reactive forms with full type-safety), zoneless change detection as the default (zone.js no longer included, improving Core Web Vitals and reducing bundle size), Vitest as the new default test runner (replacing deprecated Karma), and Angular Aria in developer preview (8 UI patterns, 13 accessible components).
The Angular MCP server also became stable, which lets you do things like use an AI tutor, get best practices, search documentation, and more.
Why it matters: This is Angular's biggest architectural shift in years. You get better performance, smaller bundles, and easier debugging out of the box. The AI tooling (MCP Server) also shows Google's bet on AI-assisted Angular development, giving you instant feedback on code quality and modernization suggestions, but is this enough to make Angular popular? 👀
Bun gets acquired by Anthropic to power Claude Code and AI coding tools
Anthropic acquired Bun, a fast JavaScript runtime/bundler/package manager, to power Claude Code, Claude Agent SDK, and future AI coding products.
The most important things here (Bun’s post summarized it perfectly):
Bun stays open-source & MIT license
Will still be actively maintained by the same team
Still built publicly on GitHub.
Bun's roadmap will continue to focus on high performance JavaScript tooling, Node.js compatibility & replacing Node.js as the default server-side runtime for JavaScript
Claude Code ships as a Bun executable to millions of users. If Bun breaks, Claude Code breaks. Anthropic has direct incentive to keep Bun excellent.
Why it matters: Bun and Anthropic are betting big on AI-powered development becoming the default. Jarred Sumner (Bun's creator) says most merged PRs in Bun's repo now come from a Claude Code bot, which could be a preview of where things are headed. Bun also gets long-term stability without having to figure out a monetization plan as Claude Code made $1B in just 6 months.

Engineering fundamentals matter more than ever in the AI era
A conversation with veteran engineer John Crickett reveals that as AI handles more routine coding tasks, the skills that matter most are clear communication, curiosity, continuous learning, and solid engineering fundamentals. Companies now care more about whether you can define problems clearly, gather requirements well, and work with people than whether you can code fast.
Why it matters: Whether you're using AI tools or not, these skills are what separate good engineers from great ones. If you're relying only on AI to write code without understanding how things work underneath, you'll struggle when tools go down. And if you're avoiding AI entirely, you're missing a chance to speed up the boring parts so you can focus more on problem-solving and collaboration.
AI is breaking the apprenticeship ladder in tech
Research from Stanford and Harvard shows companies using AI heavily are hiring fewer junior engineers while senior hiring stays stable or grows.
The problem: AI automates the simple work that juniors used to learn from, and senior engineers have been excused from mentorship for years.
The author of the article says that networking has never been more important.
Students/juniors should focus on building relationship skills and a network.
Identify 10-20 key people, get intentional about adding value to them, and practice networking now. The sooner you do this, the greater the benefits.
Seniors should embrace mentorship because teaching forces clarity and benefits the entire team.
Why it matters: This creates a timing mismatch. In 10-20 years when current seniors retire, where will the next generation of experienced engineers come from?
If you're starting out, your best move is doubling down on the human skills AI can't replicate: understanding people, navigating complex situations, and building genuine professional relationships that open doors when algorithms filter you out.

Someone built an OS from scratch with AI - A developer built a fully bootable 64-bit OS with a working Forth interpreter in 6 hours using Claude Code, with every prompt and bug documented.
Advent of Code has started! - A free daily coding challenge that runs every December with puzzles solvable in any language, designed for all skill levels from beginners to pros.
How to use Data Contracts in Python for Data Scientists - Learn how to use Pandera for data science tasks. You’ll be able to catch bad data before it breaks your code by setting simple rules.
How Databricks debugs 1000s of databases with AI - Learn how Databricks built an AI agent that cuts database debugging time by 90% by unifying metrics, logs, and expert knowledge into a single chat interface.
How good engineers write bad code at big companies - Big tech companies produce bad code because most engineers are constantly working on unfamiliar codebases.
Build a simple search engine that actually works - Learn how to build a search engine using just your existing database by tokenizing text three ways (words, prefixes, n-grams) and scoring matches with weighted SQL queries.

alt-sendme - A useful tool to send files and folders anywhere in the world without storing in cloud or paying anything.
Slop Evader - A browser extension that filters Google search results to only show content created before November 30, 2022 (ChatGPT's release date), helping you avoid AI-generated "slop" polluting the web.
TanStack AI - A powerful, open-source AI SDK with a unified interface across multiple providers. No vendor lock-in, no proprietary formats, just clean TypeScript and honest open source. (I stole the description, don’t judge me)

Argument Rehearsal App
A project that records your imaginary comeback arguments, rates their effectiveness, and suggests improvements you can use in the future.

That’s all from me!
Have a great week, be safe, make good choices, and have fun coding.
If I made a mistake or you have any questions, feel free to comment below or reply to the email!
See you all next week.