Launching soon · 14-day free preview

What changed in your stackthis week.

You do not have time to read ten changelogs, twelve release notes, and a Discord backlog. StackDiff does. Breaking changes, CVEs, RFCs, and worth-knowing releases for your exact stack, in one Monday email. Under 3 minutes.

$ subscribe See a real issue

No credit card3 min weekly readBuilt by engineers

Inbox — Monday, 7:02 AM

StackDiff

7:02 AM

to you

StackDiff: Week of April 21

TL;DR: 1 breaking change (next@15.4 origin validation), 1 CVE (prisma SSRF, patched in 6.7.2), and 7 worth-knowing releases across react, postgres, stripe, tailwind, playwright...

3 min readYour move: 30 min

How it works

Three inputs. One Monday email.

Pick your stack.

Next.js? Rust + Axum? FastAPI + Postgres? Tick the boxes. We track the releases, RFCs, and security advisories for each.

We read, you don't.

GitHub releases, RFC repos, CVE feeds, vendor blogs. We flag breaking changes, security patches, and anything genuinely new.

Monday, one email.

Breaking changes first. CVEs next. One-liners for the rest. Every item links to the source. Nothing to click through to read.

Peek inside the inbox

Three Mondays. Three different stacks.

Swipe through real issues — a Next.js + Postgres week, a genuinely quiet week, and a Rust backend week. Same voice. Same discipline.

Inbox · Mon, Apr 21, 7:02 AM

StackDiff <weekly@stackdiff.dev>

Mon, Apr 21, 7:02 AM

Subject: StackDiff: Week of April 21

StackDiff: Week of April 21, 2026

TL;DR

1 breaking change: next@15.4.0 tightens Server Action origin validation.
1 security advisory: Prisma 6.x SSRF via connection-string templating (patched).
7 releases worth a 30-second glance.

Breaking / needs migration

next 15.4.0

What changed: Server Actions now reject requests whose Origin header is missing or doesn't match allowedOrigins. Previously warned, now rejects.
Impact: Apps using Server Actions behind a proxy that strips Origin (some corporate gateways) will break.
Migration: Add your proxy's public host to experimental.serverActions.allowedOrigins in next.config.js, or configure the proxy to preserve Origin. "We're tightening this by default to close a CSRF vector reported last quarter."
Source: nextjs.org/blog/next-15-4 (fictional link for sample)

Security

CVE-2026-30815 · @prisma/client

Severity: High (7.4). Fixed in 6.7.2.
Action: Bump to @prisma/client@^6.7.2 and prisma@^6.7.2. Low-risk patch, no schema migration needed.

Worth knowing (30s each)

react@19.2.0: new useEffectEvent stabilized. "For reading the latest value of a prop without re-subscribing."
postgres@17.4: planner fix for large partitioned joins; users of range-partitioned time-series tables likely see 10 to 30% improvement on analytics queries.
stripe-node@18.1.0: default API version bumped to 2026-03-31. Idempotency-key behavior changed for split refunds, read the migration note before upgrading.
tailwindcss@4.1.1: @container query variants now stable. No action; pure capability add.
shadcn/ui: new DataTable primitive with built-in virtualization. Drop-in replacement if you're still on the old example.
playwright@1.51.0: Chromium 126 baseline; test.describe.configure retries can now be a function of the test title.
vercel cli 40.0: new vercel inspect --deployment-retention. Useful for audit logs if you're on Enterprise.

RFCs worth watching

React RFC #516: Activity API. Formal proposal for unmount-preservation (rebranded from the old Offscreen experiment). Likely lands in 19.3 behind a flag. "Preserve DOM state while hiding trees from the tree."
Postgres RFC: native incremental materialized views. Still early, but this is the one to watch if you've been patching around with triggers.

Your move this week

30 minutes total. (1) Bump @prisma/client to 6.7.2 and redeploy, CVE is the only real urgency. (2) If you're on Next 15.x, run a local request through your staging proxy and confirm Origin is preserved, or add it to allowedOrigins before your next prod deploy. The rest can wait.

Inbox · Mon, Apr 14, 7:00 AM

StackDiff <weekly@stackdiff.dev>

Mon, Apr 14, 7:00 AM

Subject: StackDiff: Week of April 14

StackDiff: Week of April 14, 2026

TL;DR

Zero breaking changes. Zero CVEs. A genuinely quiet week.
Three quality-of-life releases worth a 30-second glance.
One RFC in your stack that could reshape how you handle realtime.

Worth knowing (30s each)

typescript@5.9.2: perf fixes to isolatedDeclarations checker. 15-20% faster on large monorepos.
drizzle-orm@0.42.0: new $inferSelect and $inferInsert helpers fully stable. Migration guide shows how to drop the manual InferSelectModel wrapper.
node@22.15 (LTS): V8 12.7 bump. Minor perf wins on RegExp-heavy workloads. Boring release, safe to deploy.

RFCs worth watching

TC39 Signals proposal, Stage 2 → Stage 3 vote in Q3 2026. If passed, native reactivity primitives land in engines by 2027. "Designed to enable framework-agnostic reactive programming." Watch item, not action item yet.

Your move this week

Nothing urgent. Use the quiet week to delete one dependency. Go run npx depcheck, find a library you're using in fewer than 3 files, and rewrite those call sites with the native Node or Web API. You'll thank yourself next time a CVE lands in a transitive dep.

Inbox · Mon, Apr 7, 7:04 AM

StackDiff <weekly@stackdiff.dev>

Mon, Apr 7, 7:04 AM

Subject: StackDiff: Week of April 7

StackDiff: Week of April 7, 2026

Example brief for a Rust + Postgres backend engineer tracking tokio, axum, sqlx, serde, clap.

TL;DR

1 breaking change: sqlx@0.9.0 drops offline-mode auto-regeneration; requires manual cargo sqlx prepare.
2 security advisories: rustls cert validation, hyper header parsing.
5 releases worth a 30-second glance.

Breaking / needs migration

sqlx 0.9.0

What changed: sqlx::query! macro no longer auto-regenerates .sqlx/ metadata on every build. You must run cargo sqlx prepare before CI, or set SQLX_OFFLINE=false and give CI a live DB URL.
Impact: Any CI pipeline using offline-mode sqlx will fail with "query data not found" after this update.
Migration: Add cargo sqlx prepare --check to your pre-commit hook, and cargo sqlx prepare to your "before release" script. "Auto-regeneration hid a lot of missed-migration bugs."

Security

CVE-2026-31201 · rustls

Severity: Medium (6.5). Fixed in rustls@0.24.1.
Action: Bump rustls in your Cargo.toml, or if transitive, run cargo update -p rustls.

CVE-2026-30998 · hyper

Severity: Medium (5.9). Fixed in hyper@1.5.2.
Action: cargo update -p hyper. Transitively fixes most axum/tower users.

Worth knowing (30s each)

tokio@1.42: JoinSet::spawn_blocking stabilized. Cleaner for mixed-async/blocking workloads.
axum@0.8: Router::into_make_service_with_connect_info ergonomics fix. No migration needed.
serde@1.0.210: minor perf win on large-enum deserialization.
clap@4.6: derive macro now preserves attribute order for help output. Mostly cosmetic.
tower-http@0.6: CompressionLayer defaults now include zstd. 20-30% better payloads for JSON-heavy APIs.

Your move this week

45 minutes. (1) Patch the two CVEs — cargo update -p rustls -p hyper, verify with cargo audit. (2) If you're on sqlx <0.9, add cargo sqlx prepare to your pre-release checklist before the next dependency bump forces the migration on you. That's it.

Why it's different

Not another dev newsletter.

TLDR and Bytes are great, but they cover the whole ecosystem. You don't need "this week in JavaScript", you need "this week in YOUR stack." StackDiff is Bytes if Bytes only showed you what breaks YOUR code.

Your exact stack

Tick 20 boxes in the onboarding form. We only write about those libraries.

CVEs, not hype

One of your deps has a CVE? You know Monday morning, in plain English, with the exact upgrade command.

Breaking first

Breaking changes at the top. CVEs second. Nice-to-know releases last. In that order, every week.

No marketing posts

If a blog post is just a feature announcement dressed as a thought leadership piece, we don't link to it.

Before you sign up

Fair questions.

How is this different from TLDR, Bytes, or This Week in React?+

Those are great, but they cover the whole ecosystem. StackDiff covers only what you tick in the stack-list when you sign up. No React content if you're a Vue dev. No Rails content if you're on Django. Nothing you'll skim past.

What if my stack is esoteric (Elm, OCaml, Zig, etc.)?+

Add it in the 'Other' field on the signup form. The more niche stacks cluster faster than you'd think — if 5 Zig devs sign up, Zig gets covered. If 1 does, I'll hand-curate yours until there's a cohort.

Will I get spam?+

One email per week, Monday 7am. No drip sequences, no 'check out our sponsor.' I read every reply personally — which both keeps me honest and makes it impossible to scale spam.

What does this cost later?+

Free while I'm testing. $29/month when paid flips on, and everyone on the free waitlist stays grandfathered at that price forever. Your company will expense it on the CVE line-item alone.

What if the whole week is genuinely quiet?+

Then the brief is short and honest. 'No breakages this week, 3 small releases worth 90 seconds, 1 RFC worth watching.' A brief that fakes drama every week is the brief you unsubscribe from.

Get on the list

Get next Monday's issue free.

Tick the stack you actually use. Get an issue tailored to it. No credit card, no trial, no upsell.

We send one email per week. No upsells. Reply with feedback anytime.