It seems like the messaging behind React Server Components being a distinct environment, separate from SSR, was completely lost
People are just saying SSR now to mean "React code running on the server" 😭
Such a shame because it massively complicates the model and selling point for RSCs
Tom Sherman
Tom Sherman
npub1qux5...rsa9
Software Engineer in Norwich. he/him
Working on @frontpage.fyi
[tom-sherman.com](https://tom-sherman.com )
🌉 [bridged](https://fed.brid.gy/bsky/tom.sherman.is ) from 🦋 [tom.sherman.is](https://bsky.app/profile/tom.sherman.is ), follow nostr:npub1pqr3g2gk3vsnrqk9kwfqqcxc6d5cwjr0hyc0nlzz9py5nf92vd9sn02sck to interact
Web site: https://bsky.app/profile/tom.sherman.is
Link: https://tom.sherman.is
Link: https://tom-sherman.com
For anyone that missed it, the React Server Components critical vulnerability has a name and website now
Please refer to this before sharing any supposed POCs
[react2shell.com]( )
[React2Shell (CVE-2025-55182/CV...]( )
React2Shell (CVE-2025-55182)
React2Shell (CVE-2025-55182)
Next.js cache components are not ready for prime time. They're "GA" but it really feels the same as when they advertised app router as stable in v13
Many bugs and missing features
This message (and solution) is probably something that is very obvious to many on this app
[The Web is Going to Die]( )
marking myself safe from the atproto feed censorship event
I got an instance of @npub10vgn...h0np's scrobbler running, super super easy
Is there a tool to import existing last.fm scrobbles into my PDS?
Atproto PDS devs: Does anyone have recommendations on which endpoints to start developing first? I wanna prove a concept out as quickly as possible
I'm thinking:
putRecord, getRecord, subscribeRepos
Also very happy to see the other libraries by the same author (eg. openid-client) use the same no-nonsense style. Auth code really should have as few layers of indirection as possible
RE: 
View quoted note →
Bluesky Social
Tom Sherman (@tom.sherman.is)
The code inside github.com/panva/oauth4weba… is such a pleasure to read. I have to spelunk and debug through this code a few times and it's alway...
The code inside [github.com/panva/oauth4weba…](
) is such a pleasure to read. I have to spelunk and debug through this code a few times and it's always a pleasure. Absolutely zero layers of indirection, zero fluff.
[GitHub - panva/oauth4webapi: L...]( )
GitHub
GitHub - panva/oauth4webapi: Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes - panva/oauth4webapi
GitHub
GitHub - panva/oauth4webapi: Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
Low-Level OAuth 2 / OpenID Connect Client API for JavaScript Runtimes - panva/oauth4webapi
"trusted verifiers" makes a lot of sense, i'd like to be able to opt out of each verifier though as a user. ie. Bluesky trusts orgs X and Y, as a user I only trust X. Don't show the badge for accounts verified by Y