
298 points sangeeth96 | 1 comments
dizlexic No.46240671
I'm not going to let go of my argument with Dan Abramov on X 3 years ago, where he held up RSC as an amazing feature and I told him over and over he was making a footgun. Ta-da!

I'm a nobody PHP dev. He's a brilliant developer. I can't understand why he couldn't see this coming.

1. danabramov No.46241390
For what it’s worth, I’ve just built an app for myself with RSC, and I’m still a huge fan of this way of building and structuring web software.

I agree I underestimated the likelihood of bugs like this in the protocol, though that’s different from most discussions I’ve had about RSC (where concerns were about user code). The protocol itself has a fairly limited surface area (the serializer and deserializer are a few kloc each), and that’s where all of the exploits so far have concentrated.

Vulnerabilities are frustrating, and this seems to be the first time the protocol is getting a very close look from the security community. I wish this was something the team had done proactively. We’ll probably hear more from the team after things stabilize a bit.