惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
K
Kaspersky official blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
T
The Exploit Database - CXSecurity.com
Cisco Talos Blog
Cisco Talos Blog
P
Palo Alto Networks Blog
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
The Hacker News
The Hacker News
T
Tor Project blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
C
Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园_首页
N
News and Events Feed by Topic
W
WeLiveSecurity
罗磊的独立博客
GbyAI
GbyAI
T
Troy Hunt's Blog
Y
Y Combinator Blog
Recorded Future
Recorded Future
The Cloudflare Blog
TaoSecurity Blog
TaoSecurity Blog
爱范儿
爱范儿
美团技术团队
Attack and Defense Labs
Attack and Defense Labs
C
Check Point Blog
Engineering at Meta
Engineering at Meta
Cyberwarzone
Cyberwarzone
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Apple Machine Learning Research
Apple Machine Learning Research
Know Your Adversary
Know Your Adversary
AWS News Blog
AWS News Blog
D
DataBreaches.Net
Recent Announcements
Recent Announcements
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
M
MIT News - Artificial intelligence
Webroot Blog
Webroot Blog
Security Latest
Security Latest
T
Tailwind CSS Blog
V2EX - 技术
V2EX - 技术
aimingoo的专栏
aimingoo的专栏
S
Security @ Cisco Blogs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed

Socket

White House Launches Gold Eagle Initiative to Manage Surge i... Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
Rolldown Pulls Rust React Compiler Integration After Binary ...
Sarah Gooding · 2026-06-26 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

Rolldown and Vite pulled a Rust-based React Compiler integration after maintainers decided the binary-size cost was too high for a feature that would ship to all users by default. Boshen, a maintainer involved in Rolldown and Oxc, said the increase could not be justified for the full Vite user base.

“We withdrew the Rust React Compiler integration from Rolldown and Vite because it increased the binary size from 28.7MB to 33.8MB, a 17% increase,” he wrote.

React Compiler Reaches Rolldown Through Oxc#

The work has been in discussion for over a year. In March 2025, the React team opened an Oxc issue about adding React Compiler support as an Oxc plugin. The goal was to let React apps drop Babel pipelines when they only needed Babel for React Compiler. That matters for Vite because its Rolldown integration is meant to move more of Vite’s build pipeline onto a Rust-based bundler.

In June, Boshen merged an Oxc PR integrating the Rust port of React Compiler. The PR showed the tradeoff clearly: the React Compiler path added measurable transform overhead and increased the Oxc napi transform addon from 3.51 MiB to 8.66 MiB, a 5.14 MiB increase.

A follow-up Rolldown PR wired that work into Rolldown behind a new transform.reactCompiler option. That PR was closed on June 9.

The React-Specific Code Sparked Pushback#

The decision drew pushback from both sides. Some argued the integration should not live in Vite or Rolldown core at all. React Compiler is useful for React projects, but Vite is used across frameworks, and critics saw the integration as framework-specific bloat in a tool that is supposed to stay framework-agnostic.

Several developers asked why React-specific compiler support should add weight to every install when it could ship through vite-plugin-react or another opt-in package instead.

Others thought the size concern was overblown. In that view, a roughly 5MB increase is a small price for a development dependency. Several commenters argued that the team could ship the integration first to make builds faster, and trim the size over time, rather than blocking it on the initial binary-size cost.

Evan You pushed back on that argument, saying it reflects “a clear disconnect between those who use React only vs. those who don’t use React at all.”

“Vite is framework agnostic, vendor agnostic, and we can’t go down that slippery slope,” You wrote. He asked what happens if Vite adds another 5MB for a Rust Vue compiler, then more for Svelte, Solid, and Astro. “One can argue React is the most popular so it deserves special treatment, but where should that line be drawn? Why NOT other frameworks?”

You also pointed to scale. Vite is downloaded 12 million times a week, and every uncached download consumes bandwidth and CI time. In a follow-up, he added that 5MB looks different when the whole tool is “20ish mb,” and said the team is willing to do the work to make it smaller.

The maintainer side is looking at a different cost. A default binary is paid for by every user, including projects that do not use React. Vite is not a React-only tool, and Rolldown is meant to serve more than one framework. From that perspective, even a few megabytes become harder to justify if the feature only benefits part of the user base.

The plugin answer sounds obvious, but compiler work complicates it. A JavaScript plugin can preserve opt-in behavior, but it may also reintroduce the overhead that a native Rust integration is trying to avoid.

Evan You argued that React Compiler exposes a performance tradeoff in Oxc. A Rust-based plugin is already much faster than Babel, he said, but still up to 50% slower than a direct Oxc integration because of data passing and AST cloning overhead.

Frontend build-tool rival Rspack shipped version 2.1 today with Rust React Compiler support as a headline feature, including benchmarks showing the Rust version running 7–13x faster than Babel. The release makes the tradeoff around native-addon size more immediate: Rust-backed tooling can deliver major build-time gains, but the ecosystem still needs practical ways to ship those gains without making installs significantly heavier.

The size discussion is already producing adjacent work. John-David Dalton, a participant in the debate, opened a new napi-rs proposal for an optional --compress flag that would ship native addons in compressed form. In his Vite 8.1.0 example, the native addon footprint drops from 25.74MB to 8.15MB on darwin-arm64, while runtime speed stays unchanged after the compressed addon is decompressed and cached.

React is not the only framework running into this shift. Angular has also teased Rust compiler work, another sign that native tooling is becoming less of a side experiment and more of a default direction for frontend frameworks.

The Oxc PR shows some of that complexity. Boshen traced part of the binary growth to the Rust port keeping the JavaScript plugin’s interface: it returned a JSON-serialized Babel AST, which Oxc then parsed back into Rust types in the same process. Removing that full-file JSON round trip cut transform time on a large test file from 14.95 ms to 10.83 ms and reduced the napi addon by another 759 KiB.

Longer term, You said the team wants to make raw AST transfer available to transform plugins, which could let Oxc plugins avoid the AST cloning overhead that makes the direct integration faster today.

Boshen is now experimenting with a smaller implementation. He said early Claude-assisted work shows up to a 2x performance improvement with only a 1.4MB binary size increase. The next step, in his words, is to “de-slopify” the code, get it into a maintainable state, and upstream some of the changes.

If that work holds up, React users could still get the direct Oxc implementation without making every Vite and Rolldown user carry the original 5MB increase.