←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 8 comments | 11 Dec 25 20:46 UTC | HN request time: 0s | source | bottom
1. hollowturtle ◴[11 Dec 25 22:57 UTC] No.46238501[source]
Wouldn't make more sense keeping React smaller and left those features to frameworks? I liked it more when it was marketed as the View in MVC. Surely can still be used like that today but it still feels bloated
replies(2): >>46238608 #>>46239099 #
2. ivanjermakov ◴[11 Dec 25 23:07 UTC] No.46238608[source]
git checkout v15.0.0

There we go.

replies(1): >>46238996 #
3. hollowturtle ◴[11 Dec 25 23:47 UTC] No.46238996[source]
Can I have v15 with the rendering optimizations of further versions?
4. TZubiri ◴[11 Dec 25 23:58 UTC] No.46239099[source]
But the react-components are a separate library, they are not installed by default
replies(1): >>46239180 #
5. hollowturtle ◴[12 Dec 25 00:04 UTC] No.46239180[source]
? afaik react server components made it to core
replies(1): >>46239506 #
6. silverwind ◴[12 Dec 25 00:45 UTC] No.46239506{3}[source]
They shouldn't be loaded in a React SPA at least, e.g. `react-dom` and `react` packages should be unaffected.
replies(1): >>46241007 #
7. TZubiri ◴[12 Dec 25 04:58 UTC] No.46241007{4}[source]
So they are part of the standard distribution (like through npm install react), but are unused by default? Something like that?
replies(1): >>46242313 #
8. danabramov ◴[12 Dec 25 09:16 UTC] No.46242313{5}[source]
This code doesn’t exist in `react` or `react-dom`, no. Packages are released in lockstep to avoid confusion which is why everything got a version bump.

The vulnerable packages are the ones starting with `react-server-` (like `react-server-dom-webpack') or anything that vendors their code (like `next` does).