
298 points sangeeth96 | 3 comments
tagraves ◴[] No.46237728[source]
It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

replies(8): >>46237817 #>>46237826 #>>46237920 #>>46238009 #>>46238017 #>>46238302 #>>46239090 #>>46241026 #
1. rickhanlonii ◴[] No.46238017[source]
Thanks for the feedback, I adjusted it here so the first note is related to the impacted versions:

https://github.com/reactjs/react.dev/pull/8195

replies(1): >>46238329 #
2. tagraves ◴[] No.46238329[source]
I appreciate the follow up! I think it looks great now and doesn’t read as defensively anymore!
replies(1): >>46238791 #
3. rickhanlonii ◴[] No.46238791[source]
Yeah agreed, thanks again for the feedback. The priority here is clear disclosure and upgrade steps.