Five repos from your starred list shipped this week. Here's what moved, what's hot in discussions, and whether any of it warrants an upgrade.

Progress: Canary train is moving fast — this week alone saw nine canary tags (.22 through .31), with the headline additions being experimental.appShells, experimental.cachedNavigations enabled by default, and a new MCP compile_route tool landed in .24. The high-memory and CSS resolution order issues (#54708, #64921) remain open and have the most comments in the repo. A worker-pool rewrite (PR #90532) is in progress.

Hot discussion: Issue #54708 (dev mode memory leak) continues to accumulate reports. If you run next dev on large apps and notice memory climbing, you're not alone — the maintainer thread has a workaround in the comments.

Upgrade? If you're on stable, no new stable tag dropped this week — hold. If you track canary, the .26 tag (May 22) is the most complete build; .31 reverts an ISR regression.

Progress: 1.121 is the biggest AI-agent release VS Code has had. Remote Agents (Preview) lets you run agent sessions on SSH or Dev Tunnel machines that keep running after you disconnect. Built-in Mermaid diagram rendering merged (no extension needed). HTML files now preview in the integrated browser. The inline suggest pop-up no longer fires on every keystroke when Copilot is active — long-requested quality-of-life fix.

Hot discussion: The Claude Agent "Auto mode" / YOLO mode is getting the most attention in community threads — essentially fully unattended execution with no confirmation prompts.

Upgrade? Yes. 1.121 is a stable release with meaningful Copilot and editor quality improvements worth taking immediately.

Progress: Three parallel security-patch releases dropped on May 6 covering all currently-supported minor lines. The fix strengthens React Server Components type enforcement and adds performance improvements. A separate [email protected] patch (April 17) restored the accidentally-dropped component-hook-factories rule for backwards compatibility.

Hot discussion: RSC type hardening is quiet on the issue tracker — the security patches addressed the main concern. If you use RSC in production, these are security-motivated patches.

Upgrade? Yes — if you're on any 19.x line, bump to the latest patch (19.2.6 / 19.1.7 / 19.0.6). The ESLint plugin users should also pull 7.1.1.

Progress: Rust 1.95.0 is the current stable. It stabilized if let guards in match arms, cfg_select!, core::range, and core::hint::cold_path. The --remap-path-scope flag for controlling path info in binaries is now stable. Multiple atomic update/try_update methods landed for all atomic types. Two CVE patches (CVE-2026-6042, CVE-2026-40200) were applied to vendored musl. No new stable tag this week — 1.96 is presumably in beta.

Hot discussion: The array coercion inference change in 1.95 is drawing attention from crate maintainers — it occasionally causes downstream inference regressions worth scanning for.

Upgrade? Yes — 1.95 has been out a few weeks, patches are clean, and if let guards are genuinely useful for match-arm conditions.

Progress: v4.3.0 added @container-size, native scrollbar-{auto,thin,none} / scrollbar-thumb-* / scrollbar-track-* utilities (finally addressing the scrollbar-color CSS gap), a new zoom-* utility, and @variant support for stacked/compound variants. Two compatibility issues are the loudest open threads: @property not working in shadow DOM (#15005, labeled upstream), and hover: in v4 relying on a buggy Chromium :hover implementation (#16531, also upstream).

Hot discussion: Issue #17958 (lightningcss musl native binding missing in some Docker environments) is newly hot from May 9 — check if your CI uses a musl Linux image before upgrading.

Upgrade? Yes with one caveat — v4.3.0 is a solid feature drop. If your CI runs on musl Linux (Alpine, etc.), verify the lightningcss binary resolves first (#17958).