by tagraves 185 days ago
It's really concerning that the biggest, most eye-grabbing part of this posting is the note with the following: "It’s common for critical CVEs to uncover follow‑up vulnerabilities."

Trying to justify the CVE before fully explaining the scope of the CVE, who is affected, or how to mitigate it -- yikes.

8 comments

What’s concerning about it? The first thing I thought when I read the headline was “wow, another react CVE?” It’s not a justification, it’s an explanation to the most obvious immediate question.
It's definitely a defensive statement, proactively covering the situation as "normal". Normal it may be, but emphasizing that in the limited space of a tweet thread definitely indicates where their mind is on this, I'd think.
Are you reading a different link? This statement is on a React blog post, not a Twitter thread.
But it is another React CVE. Doesn't really matter why it was uncovered; it's bad that it existed either way.
Insecure software will have multiple CVEs, not necessarily related to each other. Those 3 are probably not the only ones.
Thanks for the feedback, I adjusted it here so the first note is related to the impacted versions:

https://github.com/reactjs/react.dev/pull/8195

I appreciate the follow up! I think it looks great now and doesn’t read as defensively anymore!
Yeah agreed, thanks again for the feedback. The priority here is clear disclosure and upgrade steps.
Also kind of funny that they're comparing it to Log4Shell. Maybe not the best sort of company to be keeping...
React is the new JavaBean
Welcome to the React, Next, Vercel ecosystem. Our tech may be shite but we look fancy.
The Vercel CEO post congratulating his team for how they managed the vulnerability was funny
There are a lot of careers riding on the optics here.
No, there aren't. The React team isn't going to axe half the team because there's a high severity CVE.
I think the same. To me it looks like a Vercel marketing employee wrote that.
Very standard in security, announcements always always always try to downplay their severity.
fwiw, the goal here wasn't to downplay the severity, but to explain the context to an audience who might not be familiar with CVEs and what's considered normal. I moved the note down so the more important information like severity, impacted versions, and upgrade instructions are first.
> an audience who might not be familiar with CVEs

If there are so many React developers out there using server side components while not familiar with the concept of CVEs, we’re in very serious trouble.

It's ok, you gotta play the game. I'm more concerned about the fact that the downtime issue ranks higher than the security issue. But I'm assuming it relates to the specifics of the issue rather than reflecting on the priorities of the project as a whole.