2025 brought 13 major framework releases and 52 security vulnerabilities across the most widely used fullstack frameworks. Many weren’t obscure edge cases, but issues that forced maintainers, platforms, and developers to confront the real cost of abstraction.
As a software engineer on the frameworks team at Netlify, my job is to track changes like these closely, support new releases on day one, and make sure they don’t become your problem.
This post covers what happened in 2025. I’ll walk through six themes that defined the year, with context on how we got here and what they signal for teams building and shipping in 2026.
What we’ll cover:
- Security under the microscope
- The Next.js team delivered
- Agent experience became a thing
- React Server Components matured
- Signals won – except in React
- Performance ‘Rustification’ continued
Security under the microscope
This year saw vastly increased scrutiny from security researchers. No fullstack web framework was spared.
| Framework | Vulnerabilities |
|---|---|
| Nuxt | 1 high-severity CVE (7.5) leading to CDN cache poisoning |
| Remix / React Router 7 | 3 high-severity CVEs (7.5, 7.5, 8.2), plus 6 more before publication |
| Next.js | 4 low, 5 moderate, 3 high, 2 critical—including a 10.0 that rippled across the React ecosystem |
| Astro | 2 low, 7 medium, 5 high |
| Angular | 3 high-severity CVEs (7.1, 7.7, 8.5) |
| SvelteKit | 4 high, 1 moderate |
The deep dive on the Remix/React Router vulnerability by Rachid Allam is worth nerding out on.
With most of these 52 vulnerabilities involving servers, some developers quietly held their “I told you so”s while yearning for a time when frontend frameworks didn’t touch the backend at all.
The Next.js team delivered
After years of criticism around transparency, vendor lock-in, and ecosystem fragmentation, 2025 was the year the Next.js team took constructive feedback to heart.
The team proposed a Deployment Adapter API and shipped an alpha in Next.js 16—designed in close collaboration with engineers at Netlify, Cloudflare, Google Firebase App Hosting, Deno, SST, and AWS Amplify.
This working group opened lines of communication across the ecosystem: they shared early RFC drafts, gave advance notice of upcoming releases, and coordinated planning. A security group was also established where Next.js platform providers receive early notice (under embargo) of CVEs, giving time to apply platform mitigations, patch adapters, and prepare customer communications.
These are major positive developments for Next.js developers and fans of the open web. Credit goes to Jimmy Lai and the whole Next.js team for turning over a new leaf.
Agent experience became a thing
As AI coding agents moved from weekend vibe coding to daily workflow, frameworks started explicitly shipping agent experience (AX) improvements.
Out of the box, browser logs weren’t visible to agents. Next.js shipped a dead-simple solution: forward these to the dev server logs. Other frameworks will follow.
soon in @nextjs, browser errors & logs can show in your terminal for your AI to read pic.twitter.com/3IaRXpmXpQ
— Rob Pruzan (@RobKnight__) June 25, 2025
Every major framework shipped its own MCP server in 2025:
In October, Ryan Florence and Michael Jackson unveiled their vision for Remix 3: a new framework built with agent experience in mind from the ground up.
React Server Components matured
React Server Components (RSCs) have had some ups and downs, after being first introduced five years ago.
It was a nice promise: What if you could render your site on the server and selectively opt parts of the component tree into client hydration—not just on initial page load, but on all subsequent interactions and navigation?
Source: joshwcomeau.com/react/server-components
Years of iteration and false starts followed. A stable implementation didn’t land until mid-2023 with Next.js 13.4. Then came another period of experimentation:
- Shopify built Hydrogen v1 on RSCs, then abandoned them completely with v2
- Remix showed an early prototype (and later pivoted away from React entirely with v3)
- Waku launched as an experimental minimal RSC framework
- The RedwoodJS team spent years working through RSC implementation challenges
- Tanner Linsley’s team quietly tinkered away on RSC support for TanStack Start
RSCs in 2025
In 2025, RSCs reached their next stage of maturity. Maintainers of React, React Router, Waku, Vite, and others came together to collaborate on a shared foundation: @vitejs/plugin-rsc.
It’s no coincidence that in the past year alone:
- React 19 shipped with stable RSC support
- Next.js 16 leaned further into RSCs with Cache Components
- React Router 7 launched RSC support in preview
- Parcel shipped native bundler support
- RedwoodSDK launched with RSC support on day one
- Waku moved to alpha
- TanStack Start moved closer than ever to experimental RSC support 👀
Signals won–except in React
As we discussed last year, rendering frameworks have rallied around Signals as the basis for reactivity. In 2025, the trend continued:
- Angular 20 stabilized its signal APIs
- Angular 21 introduced Signal Forms and made “zoneless” the default
- Vue shipped a beta of Vapor Mode (goodbye, Virtual DOM!)
Meanwhile, React, virtually (pun intended) the only holdout, dug in further with React Compiler 1.0, a band-aid to address shortcomings of its reactivity model.
Performance ‘Rustification’ continued
The ecosystem kept doubling down on step-function performance improvements by moving to Rust (and occasionally Go or Zig).
Next.js and Turbopack:
- Next.js 16 promoted Turbopack to stable and made it the default
- Result: 2–5x faster builds for everyone
- rspack also shipped Next.js support (yes, you can now use Next.js with three bundlers: webpack, rspack, and turbopack)
- Vercel added support for the Bun runtime (Zig!)
Vite and VoidZero:
- VoidZero’s efforts to rewrite a unified Rollup + esbuild replacement in Rust hit a milestone with the Vite 8 beta
- Typical improvement: 4–10x faster builds
TypeScript in Go:
- Microsoft announced in March they were rebuilding TypeScript in Go
- By December, they were gearing up for production
- Promise: stability and 10x speedups—worth opting in now
The year in brief
Money moved
The framework ecosystem saw significant consolidation and investment in 2025:
| Date | Event |
|---|---|
| March | Netlify sponsored TanStack |
| July | Vercel acquired NuxtLabs (employer of Nitro and most Nuxt core maintainers) |
| September | Mux, Webflow, and Cloudflare ($150K) sponsored Astro; Cloudflare sponsored TanStack |
| December | Anthropic acquired Bun |
| January 2026 | Cloudflare acquired Astro |
Infrastructure companies are betting on frameworks as a strategic layer. Vercel deepened its Vue ecosystem ties, Cloudflare went all-in on Astro, and Anthropic’s Bun acquisition signals AI companies see JavaScript runtimes as infrastructure worth owning.
Other notable releases
A few releases didn’t fit the “major framework” category but still shaped the year:
- Node.js 24 (May) – Continued the ESM transition and promoted
URLPatternto a built-in global - Vite 7 (June) – Incremental improvements ahead of the Rust-powered Vite 8
- Nitro v3 alpha (October) – The server engine powering Nuxt, AnalogJS, and SolidStart got a ground-up rewrite
Worth watching
The honorable mentions that didn’t get their own section; grouped by theme.
Data and caching patterns
Frameworks got smarter about when to fetch and when to cache. Astro shipped Live Content Collections, enabling runtime data fetching through the unified Content Layer API—useful for avoiding expensive rebuilds when CMS content changes frequently. Next.js 16 introduced Cache Components, a stable caching model that consolidates previous experiments (“use cache”, Partial Prerendering, Dynamic IO) into one coherent approach.
Middleware and server boundaries
The line between “frontend framework” and “backend framework” kept blurring. Next.js renamed middleware to proxy after years of confusion about its capabilities—clarifying that it handles routing decisions at the edge, not business logic. They also added Node.js runtime support, addressing a long-standing request.
React Router shipped actual middleware, and SvelteKit introduced Remote Functions: server-only code in .remote.ts files callable directly from components with full type safety, explicit module boundaries, and no JavaScript funny business.
Async patterns and component models
Svelte introduced experimental await support for use directly in components—their answer to React Server Components and <Suspense>. Meanwhile, Ryan Florence and Michael Jackson unveiled Remix 3’s radical new direction: ditching React entirely, embracing micro-packages built on the Web Platform, and returning to imperative this.update() state management. Their pitch? A baggage-free framework for the LLM era.
Ecosystem convergence
Vite’s dominance continued: Fresh switched to Vite, Ember completed its migration, and Angular defaulted to Vitest for testing. As predicted last year, Vite’s Environment API saw its first wave of adoption. TanStack Start ships fully on it, Astro 6 will follow, and React Router 7.10 and Nuxt 4.2 added opt-in support (stable soon in Nuxt 5).
Nitro’s role evolved from server engine to Vite plugin, with TanStack Start removing it from core in favor of letting users choose Nitro or alternatives like Netlify’s Vite plugin. Other Nitro-powered frameworks will likely follow.
OpenTelemetry gained momentum for framework observability: SvelteKit shipped built-in OTel traces, Nitro is working toward support, and TanStack Start is exploring automatic instrumentation for server functions, middleware, and route loaders.
The e18e (Ecosystem Performance) initiative quietly made everyone’s lives better by slimming and unifying dependencies across the board and cleaning up the ecosystem at large.
Finally, TanStack Start quietly added experimental Vue support (alongside React and Solid), leaning further into their framework-agnostic approach.
What to expect in 2026
Some reliable predictions for the year ahead:
Angular will drop v22 in May and v23 in November (per their fixed release schedule), going deeper into fine-grained reactivity and the Vite ecosystem.
Astro 6 will ship with a revamped dev experience and internal cleanup.
Nuxt 5 will ship shortly after Nitro v3 graduates to stable—with huge DX and performance gains from the rebuilt engine. You can try it today.
Waku 1.0 might graduate from alpha to stable as a minimal RSC alternative.
TanStack Start 1.0 will presumably launch its own RSC implementation and graduate from RC to stable.
Next.js 17 will likely drop in October. The Next.js team has increased roadmap transparency with partners like Netlify, though this hasn’t translated to much public visibility yet 🤐.
Security vulnerabilities will continue to target your projects. Keep dependencies up to date with Renovate or Dependabot, and follow the Netlify changelog.
Frameworks will keep converging on fundamentals (though don’t hold your breath for React to ditch its vision and move to Signals).
Coding agents will keep improving at web development, and frameworks will keep evolving to meet their needs. Expect a shift from MCP to Agent Skills.
Phew, you’re all caught up. What are you excited to try this year?
Stay informed in 2026 by following the Netlify changelog.
