←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 1 comments | 11 Dec 25 20:46 UTC | HN request time: 0.2s | source
Show context
rvz ◴[11 Dec 25 23:19 UTC] No.46238738[source]
React patches one vulnerability and two more are revealed, just like a Hydra.

At this point you might as well deprecate RSC as it is clearly a contraption for someone trying to justify a promotion at Meta.

Maybe they are going to silently remove “Built RSC at Meta!” in their LinkedIn bios after this. So what other vulnerabilities are going to be revealed in React after this one?

replies(1): >>46239360 #
1. marksomnian ◴[12 Dec 25 00:25 UTC] No.46239360[source]
Meta don’t use RSC: https://bsky.app/profile/en-js.bsky.social/post/3lmvwmr5rfs2...

> We are not using RSC at Meta yet, bc of limits of our packaging infra (it’s great at different things) and because Relay+GraphQL gives us many of the same benefits as RSCs. But we are fans and users of server driven UI and incrementally working toward RSC.

(as of April 2025)