2025 has been a roller coaster of emotions for frontend devs. The past calendar year featured insane improvements around every corner, massive security breaches, and framework reinventions. We saw AI dominate headlines and change the way we build applications. And some big names (TanStack, CSS, TypeScript) brought forth major updates that open up new possibilities for 2026 and beyond.
Instead of a traditional recap, I’m power ranking the year’s biggest frontend moments based on two criteria: the buzz they generated and their lasting impact on how we build for the web. We’ll start with the 10th most important storyline and work our way down to the story that — in my opinion — most defined 2025 in frontend dev.
The Replay is a weekly newsletter for dev and engineering leaders.
Delivered once a week, it's your curated guide to the most important conversations around frontend dev, emerging AI tools, and the state of modern software.
TypeScript did so well in 2025:
TypeScript isn’t replacing JavaScript; it’s just how developers write JavaScript now. Most codebases are authored in TypeScript and then compiled to JavaScript (the same way Sass compiles to CSS). You get type safety, better tooling, autocomplete that actually works, and AI coding assistants that perform 20% better with typed code.
Tailwind saw massive adoption in 2025, while styled-components and other runtime CSS solutions fell out of favor. Over 617,000 live websites are using Tailwind now, and it’s become the default styling choice for modern React apps. The “writing inline styles” criticism died completely; I think everyone now defaults to Tailwind; its use is no longer up for debate.
SSR stopped being a “nice to have” and became mandatory in 2025. Every major framework went all-in: Next.js made it default, Remix/React Router v7 built everything around it, TanStack Start launched with SSR out of the box, and even SvelteKit and Astro doubled down on server-first architectures.
Performance and SEO aren’t optional anymore. Google’s Core Web Vitals became stricter, and users expect instant page loads. But 2025’s SSR wasn’t the clunky server rendering from 2015.
Modern SSR is smart: frameworks now do partial hydration (only interactive parts need JavaScript), streaming SSR (send HTML as it’s ready), and selective hydration (hydrate what’s visible first). React Server Components took this further by letting you fetch data on the server without shipping that logic to the client.
React had a tough time with security in late 2025 (more on that in a second) — but they weren’t alone this year.
The npm ecosystem had its fair share of attacks as well. In September, attackers launched a coordinated supply chain assault that unfolded in two waves. First, on September 8, packages like chalk, debug, and ansi-styles — libraries with 2.6 billion combined weekly downloads — were compromised through a phishing attack on maintainer accounts.
The injected malware targeted cryptocurrency transactions. Then came the Shai Hulud worm (named after the sandworm from Dune). This self-replicating malware hit over 180 packages, stealing credentials and automatically propagating to other packages the compromised maintainer controlled.
Unlike traditional attacks, this was worm-like: when it found npm tokens in the environment, it would automatically publish malicious versions of any accessible packages, spreading exponentially without human intervention. What made this scary was the scale and automation.
If you ran npm install during the attack windows, you potentially pulled in malicious code. The npm team and maintainers responded quickly, but the damage was done; thousands of projects were exposed, and the entire ecosystem spent weeks auditing dependencies and rotating credentials.
CSS in 2025 wasn’t just about styling anymore; it became a programming language. The browser vendors went all-in on native CSS APIs that eliminate entire JavaScript libraries, and honestly, it’s about time. The motto was clear: less JavaScript, more CSS.
Anchor Positioning reached production-ready status in Safari in 2025, joining Chrome’s existing support. While Firefox added experimental support behind a flag, the feature is now usable in the two browsers powering most of the web. It allows developers to position tooltips, popovers, and dropdowns relative to other elements without JavaScript.
These animations matured significantly in 2025, running off the main thread for silky smooth 60fps performance. Instead of writing Intersection Observer JavaScript, you can use animation-timeline: scroll() or view() to tie animations directly to scroll position.
Chrome shipped full support, and you can even animate based on which element is snapped or whether a scroller is scrollable using the new @container scroll-state() queries introduced in Chrome 133.
Container queries hit 100% browser support and became the default for component-based design. Components can now respond to their parent’s width instead of viewport width (@container (min-width: 600px)), making truly reusable components possible. Pair that with CSS Nesting (now native in all browsers), and you’re writing component-scoped styles without Sass.
if() functionIt finally arrived, bringing conditional logic directly to CSS. You can now write background: if(style(--theme: dark), black, white) to conditionally apply values based on custom properties or style queries.
Frontend tooling had what I will refer to as an identity crisis in 2025, and Rust was the therapy we needed. Build tools that used to take minutes now finish in seconds because the ecosystem realized JavaScript wasn’t fast enough to build JavaScript.
The Rust wave that began in late 2024 became the standard in 2025. Rspack, which launched 1.0 in August 2024 with 23x faster builds (6.5 seconds in Webpack → 282ms), saw massive enterprise adoption throughout 2025.
Vercel’s Turbopack became the default in Next.js 15, delivering 700x faster HMR. SWC replaced Babel as the default transpiler with 20x faster compilation. Biome emerged as the Rust-powered alternative to ESLint and Prettier, while Oxc provided a complete Rust toolchain for parsing, linting, formatting, and minifying.
Companies like Microsoft, Amazon, Discord, TikTok, and Douyin all adopted these tools in production during 2025. The Rust renaissance wasn’t a choice; it was inevitable. When your builds take time, and CI pipelines cost money, you either rewrite in Rust or accept the norm. 2025 proved that if it matters for performance, it’s getting rewritten in Rust. Welcome to the oxidation era.
TanStack quietly took over React development in 2025, and honestly, most developers (me included) didn’t even see it coming. What started as React Query (a data-fetching library) evolved into an entire ecosystem that’s now replacing Redux, React Router, and a bunch of other tools developers have been using for years.
TanStack creator Tanner Linsley went all-in on open source two years ago, and it paid off big time. TanStack now has over 4 billion downloads, covering everything from data fetching (TanStack Query), to routing (TanStack Router), to tables (TanStack Table), forms, virtualization, and even a full-stack framework called TanStack Start.
The wildest part? They achieved a 20,000x performance improvement in route matching this year just by aiming for correctness, not speed. Every library is headless, type-safe, and framework-agnostic, which means you get full control without framework lock-in.
By the end of 2025, TanStack became the default recommendation for React apps that need serious data handling. Frameworks like Next.js still dominate, but if you’re building a custom stack with Vite or want full control over your architecture, TanStack is the new standard. The biggest problem with TanStack Router? Once you’ve worked with it, going back to other routing solutions feels painful; you get spoiled by the DX and type-safety.
The React 19.2 release gained significant buzz, and for good reason. Before its release, every single form submission, navigation click, and search box would need a good combination of useState for loading, try-catch for errors, useEffect for coordination, and fingers crossed you didn’t create a race condition.
React 19 flipped the script on all of us. At React Conf 2025, the team dropped “Async React”, a whole system for handling async stuff declaratively using React 19’s new primitives like useTransition, useOptimistic, and use(), plus React 18’s Suspense and concurrent features.
Now Actions track async work automatically (bye-bye isLoading flags), optimistic updates make UI feel instant while server requests run in the background, Suspense handles loading states without the jarring spinner flashes, and useDeferredValue keeps search boxes snappy even on slow connections. The Async React demo showed what’s possible: smooth UX on any network speed, zero manual state tracking.
The best part? Frameworks baked it in for us all. Next.js wraps navigation in transitions by default now. TanStack Query has Suspense support built in. Design systems started exposing “action” props, so buttons and tabs handle their own optimistic updates.
All that async coordination complexity moved from our code to the framework layer. We went from manually tracking every loading state to just describing what should happen, and React handles the rest. It’s wild how much boilerplate just disappeared. I have no clue why it took this long, but honestly, we can’t deny that async coordination finally feels like it belongs in 2025.
The second most year-defining story is the React 2Shell — aka CVE-2025-55182 — breach.
React had the worst December ever! On November 29th, security researcher Lachlan Davidson discovered a critical vulnerability in React Server Components that scored a perfect 10.0 CVSS, the maximum severity possible. This wasn’t a random: it was an unauthenticated remote code execution (RCE) vulnerability that let attackers run arbitrary code on servers with a single malicious HTTP request.
Financial applications became prime targets; one crafted request could expose sensitive banking information, manipulate transactions, or plant backdoors for persistent access. Enterprise dashboards, healthcare portals, and SaaS platforms running React Server Components were suddenly sitting ducks.
React 19’s Server Components were supposed to change full-stack development. Instead, they became React’s biggest security crisis ever. The entire ecosystem spent the final days of 2025 in emergency patch mode.
The lesson? With great power (Server Components) comes great responsibility, and always, always update your dependencies. Although it is important to mention that the React team moved lightning-fast: four days from report to patch. By December 3rd, fixes were published.
We witnessed over 30+ AI model releases this year: GPT 5, Claud Opus 4.5, and Gemini 3 Pro just recently, and also a surge of Chinese companies releasing the likes of DeepSeek, Qwen, ByteDance, and Moonshot.
It didn’t stop there: the agentic war between Windsurf and Cursor grew so big that it even drew a bidding war amongst investors.
We saw the likes of Bolt and v0 leading the all-you-need-to-code-your-app idea from programming to production. Our CLIs were transformed into coding agents as well. We saw Claude Code dominate that space, introducing the use of MCP as well. Naturally, other models followed: Gemini CLI, Qwen CLI, and Kimi CLI, and Codex.
These industries put in the most work in transforming the way we write frontend code. We had almost 2 models every other week this year, and they were specifically enhanced to replace devs. I have no clue why they were so after our jobs, but sincerely, we can’t deny that they made our lives easier. Just like other “wrapped” recaps from Spotify, you also can’t deny that these models and tools weren’t your most used this year 😂.
Quick plug for our AI power rankings, where we evaluate models and tools every month.
What a year it was in 2025!
Whether it was AI advances, security breaches, or constantly-evolving frameworks, we had plenty of events that changed the way we think about web dev.
Which stories did I miss? Where were my rankings off? Which stories will define 2026?
Sound off in the comments and let me know your take. Happy new year!
Large hosted LLMs aren’t always an option. Learn how to build agentic AI with small, local models that preserve privacy and scale.
Learn how to style React Native apps with Tailwind using NativeWind v4.
A practical guide to the best React Native UI libraries in 2026, with comparisons across performance, theming, accessibility, and Expo compatibility.
Learn more →
children correctly in TypeScriptLearn modern best practices for typing React children in TypeScript, including ReactNode, PropsWithChildren, ComponentProps, and why React.FC is no longer recommended.
Hey there, want to help make our blog better?
Join LogRocket’s Content Advisory Board. You’ll help inform the type of content we create and get access to exclusive meetups, social accreditation, and swag.
Sign up now