(react.dev)

298 points sangeeth96 | 1 comments | 11 Dec 25 20:46 UTC | HN request time: 0s | source

Show context

hollowturtle ◴[11 Dec 25 22:57 UTC] No.46238501[source]▶

Wouldn't make more sense keeping React smaller and left those features to frameworks? I liked it more when it was marketed as the View in MVC. Surely can still be used like that today but it still feels bloated

replies(2): >>46238608 #>>46239099 #

TZubiri ◴[11 Dec 25 23:58 UTC] No.46239099[source]▶

>>46238501 #

But the react-components are a separate library, they are not installed by default

replies(1): >>46239180 #

hollowturtle ◴[12 Dec 25 00:04 UTC] No.46239180[source]▶

>>46239099 #

? afaik react server components made it to core

replies(1): >>46239506 #

silverwind ◴[12 Dec 25 00:45 UTC] No.46239506[source]▶

>>46239180 #

They shouldn't be loaded in a React SPA at least, e.g. `react-dom` and `react` packages should be unaffected.

replies(1): >>46241007 #

TZubiri ◴[12 Dec 25 04:58 UTC] No.46241007[source]▶

>>46239506 #

So they are part of the standard distribution (like through npm install react), but are unused by default? Something like that?

replies(1): >>46242313 #

1. danabramov ◴[12 Dec 25 09:16 UTC] No.46242313{3}[source]▶

>>46241007 #

This code doesn’t exist in `react` or `react-dom`, no. Packages are released in lockstep to avoid confusion which is why everything got a version bump.

The vulnerable packages are the ones starting with `react-server-` (like `react-server-dom-webpack') or anything that vendors their code (like `next` does).

↑

Denial of service and source code exposure in React Server Components