so any package could declare some modules as “use server” and they’d be callable, whether the RSC server owner wanted them to or not? That seems less than ideal.
The vulnerability exists in the transport mechanism in affected versions. Default installs without custom code are also vulnerable even if they do not use any server components / server functions.
on the contrary it seems like title deflation as Amazon principal engineers typically work at a higher level than staff at most other orgs (at least I remember a Microsoft principal would be basically an Amazon L5-6 level)
Amazon L5 is SDE2. I am not sure how you can equate a Microsoft Principal to Amazon L5. Getting to L6 in Amazon is very easy these days due to title inflation. Managers also know how to rig the system to gather the data points for promotion. There was a time when the Amazon promotion bar was high and Amazon SDE3s were considered the same as Microsoft Principal. But things have changed now. A fresher needs only 2 promotions to get to L6. Some are getting there in 2-3 years. So Amazon L6 does not have the value that it used to have a decade ago. At Microsoft a fresher will need 6 promotions to reach Principal level. People are reaching principal levels early, but not in 2 years.
I read the part where they said they pored through "hundreds of sentry logs" and immediately was like "no you didn't."
This is not an error that would be difficult to spot in an error aggregator, it would throw some sort of constraint error with a reasonable error message.