[aosaigh]

This might be a hot take, but I feel like the blurring of lines between back-end and front-end apps with platforms like Vercel will lead to more and more of these exploits. I’m an experienced full-stack dev and I’m constantly confused as to “where I am” in a Next code base. Server? Client? Edge? Proponents might say “that’s the point - you don’t have to worry about there you are, it’s one code base” but these sort of issues indicate otherwise.

All platforms can be exploited I guess, but I still wonder at the complexity of the platforms we now rely on and whether it’s justified.

[brazukadev]

> All platforms can be exploited I gues

React did not have this kind of security vulnerability in 10 years. The Vercel/NextJS/RSC rugpull is responsible for that and the people that made those changes should be named. The lack of shared governance is abysmal.

[codingdave]

That touches on why I never pursued server-side React in any form. It seemed to twist what was a clean break between layers into spaghetti. I totally get that it solves other problems, but it always felt to me more like trying to force React to be something it was not. The better strategy seemed to me to use React on sites where users can handle the bulk of a front-end React app, and don't use it elsewhere.

Specific to security, keeping React 100% client-side keeps things simple: Don't trust the front-end.