Xcode agents + React RCE patch required — Dev Signal
Xcode agents + React RCE patch required
Share:
Tool of the Week
Apple ships seven bundled agent skills in Xcode 27
Export Apple-authored skill packs for SwiftUI, UIKit, testing, and security via `xcrun agent skills export` — read them as guidance or feed them to agents in your toolchain.
Coding agents struggle with brand-new APIs, deprecated patterns, and platform footguns. These skills embed Apple's own framework guidance directly in Xcode, replacing reliance on community documentation for cutting-edge patterns and reducing context cost for agent reasoning.
Ready now. Single command pulls seven Markdown folders containing Apple's recommendations for modern Swift/SwiftUI practice, UIKit migration, test modernization, security auditing, C bounds safety, and device interaction. Requires Xcode 27 with command line tools pointed at the new toolchain. Use immediately as reference docs or inject into agents outside Xcode.
“Xcode 27 now ships with a set of agent skills that Apple wrote itself”
“Exported 7 skills to /Users/you/Downloads/xcode-skills”
“These are plain Markdown files containing Apple's recommendations for modern Swift, SwiftUI, UIKit migration, testing, and security”
“A skill is a focused bundle of guidance that fills exactly those gaps”
“the newest SwiftUI APIs introduced this cycle, the area agents are least trained on”
xcode-27agent-skillsswiftswiftuitoolchain
Dev Signal
Get issues like this in your inbox — free, 3x a week.
Quick Signals
React Server Functions RCE requires immediate patching
CVE-2025-55182 exploits unauthenticated RSC protocol in Next.js 15–16 and React 19.0–19.2.0; upgrade to patched versions or deploy to Deno Deploy for runtime mitigation.
Any Next.js App Router deployment accepting RSC requests is exploitable for arbitrary server code execution without authentication. Remediation is a single version bump with no breaking changes.
Replaces: current Next.js/React versions. Requires: immediate upgrade to Next.js 16.0.7+, 15.5.6+, or react-server-dom packages 19.2.1+. Ready now—no migration complexity. Deno Deploy users protected by runtime mitigation but should still upgrade.
“unauthenticated remote code execution (RCE) vulnerability in React Server Functions”
“This vulnerability exists in all versions of React's "Server Function" protocol released to date (React 19.0, 19.1, and 19.2.0)”
“All Next.js applications using App Router, on Next 15 or Next 16”
“Next.js 16: update next to 16.0.7 or later”
“Next.js 15: update next to 15.5.6 or later”
securitynext-jsrceserver-functionscve-2025-55182
Deno Deploy goes GA with framework-agnostic deployment
Deploy any JS/TS framework without adapters or build config; GitHub repos get zero-config CD with per-PR isolated databases and automatic environment variable management.
Eliminates deployment friction and local-to-production parity issues. Per-PR database isolation and automatic observability (logs, traces, metrics) cut debugging time and reduce configuration drift across team environments.
Enjoying Dev Signal? Get every issue in your inbox.
Free forever · 3 issues a week · One-click unsubscribe
3 issues a week · Free forever · 4,200+ developers
Replaces traditional serverless platform setup (Vercel, Netlify) for framework-agnostic workloads. Requires GitHub connection for zero-config CD or `deno deploy` CLI for manual control. Ready now with free tier (1M requests/mo, 15 CPU hours). Deno Sandbox adds sandboxed code execution for AI-generated code with sub-second boot times.
“any JavaScript or TypeScript to the web”
“zero-config continuous deployment”
“environment variables are managed automatically by Deno Deploy”
“will automatically detect which framework you're using, and run the build commands specific to your framework”
“Deno Deploy will provision a new database for every pull-request opened”
“real linux microVMs that boot in under a second”
deploymentserverlessdenoci-cdsandbox
Gemma 4 multimodal models ship on Modular Cloud
Google DeepMind's Gemma 4 (31B dense, 26B MoE) now runs on Modular's MAX inference framework with 15% higher throughput than vLLM on NVIDIA B200, supporting 256K context and native video/image processing.
Eliminates inference framework switching between prototyping and production—same MAX engine handles both, reducing deployment friction for multimodal and long-context workloads. Hardware-agnostic optimization (NVIDIA/AMD) removes vendor lock-in guesswork at scale.
Replaces vLLM-based deployments if throughput is your constraint; requires Modular Cloud account or MAX self-hosted setup. Ready now—10-prompt free tier available. Worth trying if you're shipping Gemma 4 or need sub-B200 AMD inference parity.
“15% higher throughput when compared to vLLM on NVIDIA B200”
“256K context window”
“only 4B activated per forward pass”
“The same MAX-powered engine that handles your initial tests runs your production Modular Cloud endpoint, so there are no surprises when you scale”
“natively multimodal, supporting text, images, and video with dynamic resolution and aspect ratio”
Static pages now truly ship no JavaScript, islands, or preload headers—zero configuration required.
Eliminates the 5–9 KB gzip penalty on every page that doesn't use interactivity. Reduces payload and improves metrics for content-heavy sites without touching configuration.
Replaces the implicit client-entry script injected in 2.2. Requires only upgrade; existing islands and partials continue working. Worth upgrading immediately if you serve static content.
“pages ship no JavaScript unless they need to”
“Every page ended up with a small client-entry script to bootstrap the island reviver and partials engine, even when neither was used”
“Fresh now checks whether the page actually uses islands or partials (f-client-nav) before injecting anything”
“Static pages will just stop shipping JavaScript after upgrading”
Lightweight microVMs with secret materialization and egress control let you run untrusted AI-generated code without API key exfiltration.
Developers building LLM-powered platforms need sub-second sandbox isolation that prevents prompt-injected code from stealing credentials. Direct sandbox-to-production deployment eliminates rebuild friction when code is ready.
Replaces ad-hoc sandboxing approaches and multi-stage CI deploys. Requires Deno Deploy account and JavaScript/Python SDK adoption. Worth trying now if you're shipping user or AI-generated code—beta launch includes compute credits in Pro tier.
“LLM-generated code, calling external APIs with real credentials, without human review”
“The real key materializes only when the sandbox makes an outbound request to an approved host”
“lightweight Linux microVMs (running in the Deno Deploy cloud) to run untrusted code with defense-in-depth security”