zlacker

[return to "RCE Vulnerability in React and Next.js"]
1. ashish+A22[view] [source] 2025-12-04 04:42:08
>>rayhaa+(OP)
JavaScript is meant to be run in a browser, not on a backend server [1].

Those who are choosing JS for the backend are irresponsible stewards of their customers' data.

1- https://ashishb.net/tech/javascript/

2. odie55+f62[view] [source] 2025-12-04 05:28:08
>>ashish+A22
TypeScript is really nice though.
3. ashish+be2[view] [source] 2025-12-04 06:57:36
>>odie55+f62
> TypeScript is really nice though.

Even if that's true, it is irrelevant.

  - You need to decide on a package manager, and everyone has their favorite one: npm, yarn, bun, pnpm ...
  - You need to depend on npmjs.com for dependencies, which has an unusually high number of malicious packages compared to other dependency sources.
  - You need to use some framework like Next.js, which itself is a cesspool of backward-incompatible changes, combined with outrageous security issues.
4. steve_+PO3[view] [source] 2025-12-04 18:03:25
>>ashish+be2
If you use deno you can consume dependencies much more securely from arbitrary URLs, such as your own. You can also set permissions for the runtime, though that might not save you depending on the severity of exploits.

Arguably the safest approach is to embed all dependencies in your source, and vet all of them for each release. But I'm glad deno lets me choose which registry I use.

Bun also allows for this but it feels a bit more tacked-on and less like an early architectural decision based around security concerns.
