Olivier Forget
@teleclimber@social.tchncs.de  ·  activity timestamp 3 days ago

I don't use #react so I didn't pay much attention to this, but #react2shell is quite a thing, wow.

From what I understand, if you were running your RSC in @deno_land with *minimal permissions* then the exploit's consequences would have been limited. In the post I boosted below, the exploit was used to overwrite the authorized SSH keys. You'd *never* run Deno in prod with that kind of access (right? RIGHT???).

What surprises me a bit is that I don't see many posts from people who were running their React in Deno (properly) and therefore largely escaped this massive vuln. I feel like they'd be celebrating, but I don't see it. Does nobody run React in Deno in prod? Or did they still get pwned somehow? Something else?

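An added illustration of the permission point above (an example script, not the post author's or Deno's own code): the same post-exploitation payload is run twice, once under a least-privilege allow-list and once with `--allow-all`, to show that the allow-list is what decides whether a write to `authorized_keys` succeeds. It assumes `deno` is on PATH, uses a throwaway temp directory in place of `~/.ssh` so nothing real is touched, and uses `127.0.0.1:3000` as a placeholder for whatever the app actually listens on.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates how Deno's
# --allow-* allow-list bounds what code that has gained RCE inside the
# process can reach on disk. Assumptions: `deno` is on PATH; a temp dir
# stands in for ~/.ssh, so the real authorized_keys file is never touched.
set -eu

# The "attacker" program: what post-exploitation code typically does once
# it runs inside the server, regardless of how the RCE itself happened.
PAYLOAD="$(mktemp -d)/payload.ts"
cat > "$PAYLOAD" <<'EOF'
const target = Deno.args[0];
try {
  await Deno.writeTextFile(target, "ssh-ed25519 AAAA... attacker@evil\n", { append: true });
  console.log("allowed");
} catch (e) {
  // Deno 1.x raises PermissionDenied, Deno 2.x raises NotCapable, when the
  // matching --allow-* grant is missing.
  console.log(e.name === "PermissionDenied" || e.name === "NotCapable" ? "denied" : "error:" + e.name);
}
EOF

# Run the payload against a fresh fake ~/.ssh under the given Deno flags.
# Sets RESULT to "allowed" or "denied" and SANDBOX to the fixture directory.
attempt_write() {
  flags="$1"
  SANDBOX="$(mktemp -d)"
  mkdir "$SANDBOX/ssh"
  printf 'ssh-ed25519 AAAA... legit@host\n' > "$SANDBOX/ssh/authorized_keys"
  # --no-prompt: fail closed instead of falling back to the interactive
  # permission prompt. $flags is intentionally left unquoted so it splits.
  # shellcheck disable=SC2086
  RESULT="$(deno run --no-prompt $flags "$PAYLOAD" "$SANDBOX/ssh/authorized_keys")"
}

# Least privilege: the server may listen on its port and read its own code,
# and nothing else. (Port 3000 is a placeholder assumption.)
demo_restricted() { attempt_write "--allow-net=127.0.0.1:3000 --allow-read=$PAYLOAD"; }

# The over-privileged way: every capability granted up front.
demo_overprivileged() { attempt_write "--allow-all"; }

# Number of attacker-controlled keys that ended up in the fixture file.
attacker_keys() { grep -c 'attacker@evil' "$SANDBOX/ssh/authorized_keys" || true; }

main() {
  command -v deno >/dev/null 2>&1 || { echo "deno not found on PATH" >&2; return 0; }
  demo_restricted
  printf 'minimal permissions: write %s, attacker keys in file: %s\n' "$RESULT" "$(attacker_keys)"
  demo_overprivileged
  printf 'allow-all:           write %s, attacker keys in file: %s\n' "$RESULT" "$(attacker_keys)"
}
main
```

The write-permission grant, not the RCE, is what determines the outcome: under the restricted flags the payload still executes, but `Deno.writeTextFile` is refused and the key file is unchanged, while `--allow-all` lets the same payload persist an attacker key. A real server would also need `--allow-read` for its bundle and `--allow-env` for the handful of variables it actually uses, which is exactly the list worth reviewing before deployment.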
Encryptr.net Social

This is a forward thinking server running the Bonfire social media platform.

LGBTQA+ and BPOC friendly.
