
So they are part of the standard distribution (like through npm install react), but are unused by default? Something like that?




This code doesn’t exist in `react` or `react-dom`, no. Packages are released in lockstep to avoid confusion, which is why everything got a version bump.

The vulnerable packages are the ones starting with `react-server-` (like `react-server-dom-webpack`) or anything that vendors their code (like `next` does).
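
An added example, not part of either comment above and not tooling from the React or Next.js projects: a check that walks a parsed `package-lock.json` and reports installed packages whose names match the ones named in the reply (`react-server-*`, or `next` as a package that vendors that code). It matches on name only, since the thread gives no version ranges, and it cannot see other packages that vendor the code; `findFlagged`, `nameFromPath` and the sample lockfile are constructed for illustration.

```javascript
// Name patterns taken from the reply above: the react-server-* family, plus
// `next` as a known vendoring package. Assumption: name match only, no
// version check, because the thread states no affected or fixed versions.
const FLAGGED = [/^react-server-/, /^next$/];

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/b"; the package
// name is whatever follows the last "node_modules/" (this keeps "@scope/name").
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function findFlagged(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (FLAGGED.some((re) => re.test(name))) hits.push({ name, version, where });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path,
  // which also exposes nested (transitive) copies.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(key);
    if (name) check(name, meta.version, key);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (placeholder versions, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '0.0.0-sample' },
    'node_modules/next': { version: '0.0.0-sample' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '0.0.0-sample' },
    'node_modules/@scope/react-server-helper': { version: '0.0.0-sample' },
  },
};
```

To run it on a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findFlagged` and compare each reported version against the project's advisory.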



