StackDiff

What changed in your stack this week.

You don't have time to read ten changelogs, twelve release notes, and a Discord backlog. StackDiff does. Breaking changes, CVEs, RFCs, and worth-knowing releases for your exact stack, in one Monday email. Under 3 minutes.

Free weekly issue. No credit card. Unsubscribe anytime.

01

Pick your stack.

Next.js? Rust + Axum? FastAPI + Postgres? Tick the boxes. We track the releases, RFCs, and security advisories for each.

02

We read, you don't.

GitHub releases, RFC repos, CVE feeds, vendor blogs. We flag breaking changes, security patches, and anything genuinely new.

03

Monday, one email.

Breaking changes first. CVEs next. One-liners for the rest. Every item links to the source. Nothing to click through to read it.

Sample issue

Here's a real one.

The reader is a fictional engineer tracking Next.js, React, Postgres, Prisma, Vercel, Stripe, Tailwind, shadcn/ui, and Playwright. This is the shape of every Monday email.

StackDiff: Week of April 21, 2026

TL;DR

  • 1 breaking change: next@15.4.0 tightens Server Action origin validation.
  • 1 security advisory: Prisma 6.x SSRF via connection-string templating (patched).
  • 7 releases worth a 30-second glance.

Breaking / needs migration

next 15.4.0

  • What changed: Server Actions now reject requests whose Origin header is missing or doesn't match allowedOrigins. Previously warned, now rejects.
  • Impact: Apps using Server Actions behind a proxy that strips Origin (some corporate gateways) will break.
  • Migration: Add your proxy's public host to experimental.serverActions.allowedOrigins in next.config.js, or configure the proxy to preserve Origin. "We're tightening this by default to close a CSRF vector reported last quarter."
  • Source: nextjs.org/blog/next-15-4 (fictional link for sample)

Security

CVE-2026-30815 · @prisma/client

  • Severity: High (7.4). Fixed in 6.7.2.
  • Action: Bump to @prisma/client@^6.7.2 and prisma@^6.7.2. Low-risk patch, no schema migration needed.

Worth knowing (30s each)

  • react@19.2.0: new useEffectEvent stabilized. "For reading the latest value of a prop without re-subscribing."
  • postgres@17.4: planner fix for large partitioned joins; users of range-partitioned time-series tables likely see 10 to 30% improvement on analytics queries.
  • stripe-node@18.1.0: default API version bumped to 2026-03-31. Idempotency-key behavior changed for split refunds; read the migration note before upgrading.
  • tailwindcss@4.1.1: @container query variants now stable. No action; pure capability add.
  • shadcn/ui: new DataTable primitive with built-in virtualization. Drop-in replacement if you're still on the old example.
  • playwright@1.51.0: Chromium 126 baseline; test.describe.configure retries can now be a function of the test title.
  • vercel cli 40.0: new vercel inspect --deployment-retention. Useful for audit logs if you're on Enterprise.

RFCs worth watching

  • React RFC #516: Activity API. Formal proposal for unmount-preservation (rebranded from the old Offscreen experiment). Likely lands in 19.3 behind a flag. "Preserve DOM state while hiding trees from the tree."
  • Postgres RFC: native incremental materialized views. Still early, but this is the one to watch if you've been patching around with triggers.

Your move this week

30 minutes total. (1) Bump @prisma/client to 6.7.2 and redeploy; the CVE is the only real urgency. (2) If you're on Next 15.x, run a local request through your staging proxy and confirm Origin is preserved, or add the proxy's public host to allowedOrigins before your next prod deploy. The rest can wait.

Get next week's issue free.

Tick your stack. Get an issue tailored to it. No credit card.

One email per week. No upsells. Reply with feedback anytime.