Hey #Javascript folks, why does no one talking about the recent #React #CVE mention defensive mechanisms like Node's --disallow-code-generation-from-strings, which from what I've seen would have prevented the RCE (there may be ways to exploit the prototype pollution, but it would make the attacker's job much harder).
There is also --disable-proto=delete but I don't know if it's practical.
Using Content Security Policies in the frontend is table stakes, why not also on the server?