[Flight] Enforce "simple object" rule in production #27502

sebmarkbage · 2023-10-11T04:47:31Z

We only allow plain objects that can be faithfully serialized and deserialized through JSON to pass through the serialization boundary.

It's a bit too expensive to do all the possible checks in production so we do most checks in DEV, so it's still possible to pass an object in production by mistake. This is currently exaggerated by frameworks because the logs on the server aren't visible enough. Even so, it's possible to do a mistake without testing it in DEV or just testing a conditional branch. That might have security implications if that object wasn't supposed to be passed.

We can't rely on only checking if the prototype is Object.prototype because that wouldn't work with cross-realm objects which is unfortunate. However, if it isn't, we can check wether it has exactly one prototype on the chain which would catch the common error of passing a class instance.

react-sizebot · 2023-10-11T04:56:14Z

Comparing: dddfe68...ff89f2b

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.min.js	=	174.46 kB	174.46 kB	=	54.27 kB	54.27 kB
oss-experimental/react-dom/cjs/react-dom.production.min.js	=	176.31 kB	176.31 kB	=	54.88 kB	54.88 kB
facebook-www/ReactDOM-prod.classic.js	=	564.48 kB	564.48 kB	=	99.37 kB	99.37 kB
facebook-www/ReactDOM-prod.modern.js	=	548.21 kB	548.21 kB	=	96.44 kB	96.44 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.53%	10.23 kB	10.49 kB	+2.22%	3.93 kB	4.01 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.53%	10.23 kB	10.49 kB	+2.22%	3.93 kB	4.01 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.36%	10.95 kB	11.21 kB	+2.02%	4.21 kB	4.29 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.36%	10.95 kB	11.21 kB	+2.02%	4.21 kB	4.29 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.34%	11.08 kB	11.34 kB	+1.98%	4.24 kB	4.33 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.34%	11.08 kB	11.34 kB	+1.98%	4.24 kB	4.33 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.32%	11.22 kB	11.48 kB	+2.14%	4.30 kB	4.39 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.32%	11.22 kB	11.48 kB	+2.14%	4.30 kB	4.39 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.29%	11.34 kB	11.60 kB	+1.94%	4.34 kB	4.42 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.29%	11.34 kB	11.60 kB	+1.94%	4.34 kB	4.42 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.24%	11.54 kB	11.80 kB	+2.09%	4.27 kB	4.36 kB
oss-experimental/react-server/cjs/react-server-flight.production.min.js	+2.23%	18.67 kB	19.09 kB	+1.56%	6.60 kB	6.70 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js	+2.15%	12.09 kB	12.35 kB	+2.05%	4.54 kB	4.64 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js	+2.15%	12.09 kB	12.35 kB	+2.05%	4.54 kB	4.64 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.11%	12.26 kB	12.52 kB	+1.84%	4.55 kB	4.64 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.09%	12.38 kB	12.64 kB	+1.79%	4.59 kB	4.67 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.08%	12.53 kB	12.79 kB	+1.83%	4.65 kB	4.74 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.05%	12.65 kB	12.91 kB	+2.03%	4.69 kB	4.78 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.84%	4.84 kB	4.93 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.84%	4.84 kB	4.93 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.79%	4.85 kB	4.94 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.79%	4.85 kB	4.94 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.53%	10.23 kB	10.49 kB	+2.22%	3.93 kB	4.01 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.53%	10.23 kB	10.49 kB	+2.22%	3.93 kB	4.01 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.36%	10.95 kB	11.21 kB	+2.02%	4.21 kB	4.29 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.36%	10.95 kB	11.21 kB	+2.02%	4.21 kB	4.29 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.34%	11.08 kB	11.34 kB	+1.98%	4.24 kB	4.33 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.34%	11.08 kB	11.34 kB	+1.98%	4.24 kB	4.33 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.32%	11.22 kB	11.48 kB	+2.14%	4.30 kB	4.39 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.32%	11.22 kB	11.48 kB	+2.14%	4.30 kB	4.39 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.29%	11.34 kB	11.60 kB	+1.94%	4.34 kB	4.42 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.29%	11.34 kB	11.60 kB	+1.94%	4.34 kB	4.42 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.production.min.js	+2.24%	11.54 kB	11.80 kB	+2.09%	4.27 kB	4.36 kB
oss-experimental/react-server/cjs/react-server-flight.production.min.js	+2.23%	18.67 kB	19.09 kB	+1.56%	6.60 kB	6.70 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js	+2.15%	12.09 kB	12.35 kB	+2.05%	4.54 kB	4.64 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js	+2.15%	12.09 kB	12.35 kB	+2.05%	4.54 kB	4.64 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.production.min.js	+2.11%	12.26 kB	12.52 kB	+1.84%	4.55 kB	4.64 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.production.min.js	+2.09%	12.38 kB	12.64 kB	+1.79%	4.59 kB	4.67 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js	+2.08%	12.47 kB	12.73 kB	+1.91%	4.72 kB	4.81 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.production.min.js	+2.08%	12.53 kB	12.79 kB	+1.83%	4.65 kB	4.74 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.production.min.js	+2.05%	12.65 kB	12.91 kB	+2.03%	4.69 kB	4.78 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.84%	4.84 kB	4.93 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.84%	4.84 kB	4.93 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.79%	4.85 kB	4.94 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js	+2.03%	12.80 kB	13.06 kB	+1.79%	4.85 kB	4.94 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js	+2.00%	13.02 kB	13.28 kB	+1.70%	4.93 kB	5.01 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js	+2.00%	13.02 kB	13.28 kB	+1.70%	4.93 kB	5.01 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js	+2.00%	13.03 kB	13.29 kB	+1.74%	4.93 kB	5.02 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js	+2.00%	13.03 kB	13.29 kB	+1.74%	4.93 kB	5.02 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.production.min.js	+1.94%	13.41 kB	13.67 kB	+1.79%	4.91 kB	5.00 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.production.min.js	+1.88%	13.80 kB	14.06 kB	+1.65%	5.10 kB	5.18 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.production.min.js	+1.88%	13.80 kB	14.06 kB	+1.65%	5.10 kB	5.18 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.production.min.js	+1.84%	14.12 kB	14.38 kB	+1.63%	5.21 kB	5.29 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.production.min.js	+1.84%	14.13 kB	14.39 kB	+1.59%	5.22 kB	5.30 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.production.min.js	+1.81%	14.33 kB	14.59 kB	+1.65%	5.28 kB	5.37 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.production.min.js	+1.81%	14.34 kB	14.60 kB	+1.57%	5.30 kB	5.38 kB
oss-stable-semver/react-server/cjs/react-server-flight.production.min.js	+1.69%	16.92 kB	17.21 kB	+1.69%	6.09 kB	6.20 kB
oss-stable/react-server/cjs/react-server-flight.production.min.js	+1.69%	16.92 kB	17.21 kB	+1.69%	6.09 kB	6.20 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.min.js	+1.52%	27.36 kB	27.77 kB	+1.17%	9.35 kB	9.46 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.min.js	+1.48%	28.13 kB	28.55 kB	+1.04%	9.50 kB	9.60 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.production.min.js	+1.47%	28.31 kB	28.73 kB	+1.09%	9.60 kB	9.71 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.min.js	+1.46%	28.45 kB	28.87 kB	+1.08%	9.61 kB	9.71 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.min.js	+1.44%	28.88 kB	29.30 kB	+1.07%	9.69 kB	9.80 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.production.min.js	+1.44%	29.04 kB	29.46 kB	+1.01%	9.82 kB	9.92 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.min.js	+1.43%	29.09 kB	29.50 kB	+0.95%	9.77 kB	9.87 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.production.min.js	+1.42%	29.38 kB	29.79 kB	+1.03%	9.95 kB	10.05 kB
oss-stable-semver/react-client/cjs/react-client-flight.production.min.js	+1.41%	10.25 kB	10.39 kB	+0.96%	3.97 kB	4.01 kB
oss-stable/react-client/cjs/react-client-flight.production.min.js	+1.41%	10.25 kB	10.39 kB	+0.96%	3.97 kB	4.01 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.min.js	+1.39%	29.88 kB	30.30 kB	+0.99%	10.11 kB	10.21 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.min.js	+1.38%	30.18 kB	30.59 kB	+0.95%	10.15 kB	10.24 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.min.js	+1.36%	30.69 kB	31.11 kB	+0.98%	10.31 kB	10.41 kB
oss-experimental/react-client/cjs/react-client-flight.production.min.js	+1.26%	11.44 kB	11.58 kB	+0.91%	4.30 kB	4.34 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js	+1.22%	40.23 kB	40.72 kB	+1.33%	9.82 kB	9.95 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js	+1.22%	40.23 kB	40.72 kB	+1.33%	9.82 kB	9.95 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.min.js	+1.12%	25.57 kB	25.86 kB	+1.12%	8.87 kB	8.97 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.production.min.js	+1.12%	25.57 kB	25.86 kB	+1.12%	8.87 kB	8.97 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.min.js	+1.09%	26.29 kB	26.58 kB	+1.07%	9.00 kB	9.09 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.production.min.js	+1.09%	26.29 kB	26.58 kB	+1.07%	9.00 kB	9.09 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.production.min.js	+1.09%	45.32 kB	45.81 kB	+1.27%	10.81 kB	10.94 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.production.min.js	+1.08%	26.47 kB	26.76 kB	+0.95%	9.11 kB	9.20 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.production.min.js	+1.08%	26.47 kB	26.76 kB	+0.95%	9.11 kB	9.20 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.min.js	+1.07%	26.61 kB	26.90 kB	+0.98%	9.10 kB	9.19 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.production.min.js	+1.07%	26.61 kB	26.90 kB	+0.98%	9.10 kB	9.19 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.min.js	+1.06%	27.04 kB	27.33 kB	+1.04%	9.19 kB	9.29 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.production.min.js	+1.06%	27.04 kB	27.33 kB	+1.04%	9.19 kB	9.29 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.production.min.js	+1.06%	27.20 kB	27.49 kB	+1.11%	9.31 kB	9.41 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.production.min.js	+1.06%	27.20 kB	27.49 kB	+1.11%	9.31 kB	9.41 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.min.js	+1.05%	27.25 kB	27.53 kB	+0.96%	9.26 kB	9.35 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.production.min.js	+1.05%	27.25 kB	27.53 kB	+0.96%	9.26 kB	9.35 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.production.min.js	+1.04%	27.60 kB	27.88 kB	+1.04%	9.45 kB	9.55 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.production.min.js	+1.04%	27.60 kB	27.88 kB	+1.04%	9.45 kB	9.55 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.min.js	+1.02%	28.10 kB	28.39 kB	+1.05%	9.60 kB	9.70 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.production.min.js	+1.02%	28.10 kB	28.39 kB	+1.05%	9.60 kB	9.70 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.min.js	+1.01%	28.40 kB	28.68 kB	+1.00%	9.65 kB	9.75 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.production.min.js	+1.01%	28.40 kB	28.68 kB	+1.00%	9.65 kB	9.75 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.min.js	+0.99%	28.91 kB	29.20 kB	+0.97%	9.82 kB	9.91 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.min.js	+0.99%	28.91 kB	29.20 kB	+0.97%	9.82 kB	9.91 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.62%	52.81 kB	53.13 kB	+0.58%	12.81 kB	12.88 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.62%	52.81 kB	53.13 kB	+0.58%	12.81 kB	12.88 kB
oss-stable-semver/react-client/cjs/react-client-flight.development.js	+0.61%	52.86 kB	53.18 kB	+0.50%	13.20 kB	13.27 kB
oss-stable/react-client/cjs/react-client-flight.development.js	+0.61%	52.86 kB	53.18 kB	+0.50%	13.20 kB	13.27 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.61%	53.01 kB	53.33 kB	+0.55%	12.87 kB	12.94 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.61%	53.01 kB	53.33 kB	+0.55%	12.87 kB	12.94 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.58%	56.26 kB	56.58 kB	+0.53%	13.84 kB	13.92 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.58%	56.26 kB	56.58 kB	+0.53%	13.84 kB	13.92 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.57%	56.77 kB	57.09 kB	+0.54%	14.02 kB	14.09 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.57%	56.77 kB	57.09 kB	+0.54%	14.02 kB	14.09 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.56%	57.85 kB	58.18 kB	+0.53%	13.81 kB	13.88 kB
oss-experimental/react-client/cjs/react-client-flight.development.js	+0.56%	57.91 kB	58.23 kB	+0.48%	14.20 kB	14.27 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js	+0.56%	59.84 kB	60.18 kB	+0.54%	14.06 kB	14.13 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js	+0.56%	59.84 kB	60.18 kB	+0.54%	14.06 kB	14.13 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.56%	58.06 kB	58.38 kB	+0.53%	13.87 kB	13.94 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js	+0.55%	60.38 kB	60.72 kB	+0.50%	14.24 kB	14.31 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js	+0.55%	60.38 kB	60.72 kB	+0.50%	14.24 kB	14.31 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.55%	59.08 kB	59.40 kB	+0.48%	14.46 kB	14.53 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.55%	59.08 kB	59.40 kB	+0.48%	14.46 kB	14.53 kB
oss-stable-semver/react-server/cjs/react-server-flight.development.js	+0.54%	66.65 kB	67.00 kB	+0.35%	16.39 kB	16.45 kB
oss-stable/react-server/cjs/react-server-flight.development.js	+0.54%	66.65 kB	67.00 kB	+0.35%	16.39 kB	16.45 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js	+0.53%	60.86 kB	61.19 kB	+0.46%	15.00 kB	15.07 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js	+0.53%	60.86 kB	61.19 kB	+0.46%	15.00 kB	15.07 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js	+0.53%	60.89 kB	61.22 kB	+0.46%	15.03 kB	15.10 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js	+0.53%	60.89 kB	61.22 kB	+0.46%	15.03 kB	15.10 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.53%	61.31 kB	61.63 kB	+0.52%	14.84 kB	14.92 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.53%	61.82 kB	62.14 kB	+0.51%	15.01 kB	15.09 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.52%	62.30 kB	62.62 kB	+0.45%	15.39 kB	15.46 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.52%	62.30 kB	62.62 kB	+0.45%	15.39 kB	15.46 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.52%	62.32 kB	62.65 kB	+0.45%	15.44 kB	15.51 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.52%	62.32 kB	62.65 kB	+0.45%	15.44 kB	15.51 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.52%	62.96 kB	63.29 kB	+0.46%	15.52 kB	15.60 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.52%	62.96 kB	63.29 kB	+0.46%	15.52 kB	15.60 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.52%	62.99 kB	63.32 kB	+0.45%	15.57 kB	15.64 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.52%	62.99 kB	63.32 kB	+0.45%	15.57 kB	15.64 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-client.browser.development.js	+0.51%	65.19 kB	65.53 kB	+0.49%	15.08 kB	15.15 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-client.browser.development.js	+0.51%	65.73 kB	66.07 kB	+0.44%	15.26 kB	15.33 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.51%	64.13 kB	64.45 kB	+0.48%	15.47 kB	15.55 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.unbundled.development.js	+0.49%	65.91 kB	66.23 kB	+0.47%	16.01 kB	16.09 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.unbundled.development.js	+0.49%	65.94 kB	66.27 kB	+0.47%	16.04 kB	16.12 kB
oss-experimental/react-server/cjs/react-server-flight.development.js	+0.49%	73.39 kB	73.74 kB	+0.48%	17.52 kB	17.61 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.48%	67.34 kB	67.67 kB	+0.46%	16.41 kB	16.48 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.48%	67.37 kB	67.69 kB	+0.46%	16.45 kB	16.53 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.48%	68.01 kB	68.34 kB	+0.46%	16.54 kB	16.62 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.48%	68.04 kB	68.36 kB	+0.46%	16.59 kB	16.66 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.35%	100.67 kB	101.02 kB	+0.23%	24.13 kB	24.18 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.35%	100.67 kB	101.02 kB	+0.23%	24.13 kB	24.18 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.35%	102.94 kB	103.30 kB	+0.25%	25.02 kB	25.08 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.35%	102.94 kB	103.30 kB	+0.25%	25.02 kB	25.08 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.35%	103.35 kB	103.71 kB	+0.23%	25.13 kB	25.19 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.35%	103.35 kB	103.71 kB	+0.23%	25.13 kB	25.19 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.34%	105.42 kB	105.77 kB	+0.21%	25.69 kB	25.75 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.34%	105.42 kB	105.77 kB	+0.21%	25.69 kB	25.75 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.34%	105.52 kB	105.88 kB	+0.23%	25.75 kB	25.81 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.34%	105.52 kB	105.88 kB	+0.23%	25.75 kB	25.81 kB
oss-stable-semver/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.development.js	+0.34%	108.82 kB	109.19 kB	+0.30%	25.36 kB	25.44 kB
oss-stable/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.development.js	+0.34%	108.82 kB	109.19 kB	+0.30%	25.36 kB	25.44 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.development.js	+0.34%	106.08 kB	106.43 kB	+0.24%	25.35 kB	25.41 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.development.js	+0.34%	106.08 kB	106.43 kB	+0.24%	25.35 kB	25.41 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.33%	107.63 kB	107.99 kB	+0.30%	25.40 kB	25.48 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+0.33%	108.50 kB	108.86 kB	+0.24%	25.97 kB	26.03 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+0.33%	108.50 kB	108.86 kB	+0.24%	25.97 kB	26.03 kB
oss-stable-semver/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.development.js	+0.33%	111.55 kB	111.92 kB	+0.28%	26.10 kB	26.17 kB
oss-stable/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.development.js	+0.33%	111.55 kB	111.92 kB	+0.28%	26.10 kB	26.17 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.33%	108.72 kB	109.08 kB	+0.22%	26.22 kB	26.28 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.33%	108.72 kB	109.08 kB	+0.22%	26.22 kB	26.28 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.32%	110.36 kB	110.71 kB	+0.29%	26.42 kB	26.50 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.32%	110.77 kB	111.12 kB	+0.28%	26.54 kB	26.61 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.32%	111.14 kB	111.49 kB	+0.23%	26.88 kB	26.94 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.32%	111.14 kB	111.49 kB	+0.23%	26.88 kB	26.94 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.32%	112.83 kB	113.19 kB	+0.25%	27.10 kB	27.17 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.32%	112.94 kB	113.30 kB	+0.28%	27.15 kB	27.22 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.unbundled.development.js	+0.32%	113.05 kB	113.40 kB	+0.30%	26.63 kB	26.71 kB
oss-experimental/react-server-dom-turbopack/umd/react-server-dom-turbopack-server.browser.development.js	+0.31%	116.62 kB	116.99 kB	+0.29%	26.79 kB	26.87 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.unbundled.development.js	+0.31%	115.47 kB	115.83 kB	+0.28%	27.26 kB	27.33 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.31%	115.69 kB	116.04 kB	+0.27%	27.46 kB	27.53 kB
oss-experimental/react-server-dom-webpack/umd/react-server-dom-webpack-server.browser.development.js	+0.31%	119.35 kB	119.71 kB	+0.28%	27.53 kB	27.61 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.30%	118.11 kB	118.46 kB	+0.26%	28.12 kB	28.20 kB

Generated by 🚫 dangerJS against ff89f2b

sebmarkbage · 2023-10-11T05:02:34Z

packages/react-server/src/ReactFlightServer.js

+    const proto = getPrototypeOf(value);
+    if (
+      proto !== ObjectPrototype &&
+      (proto === null || getPrototypeOf(proto) !== null)


This is the only new change. The other is just refactoring.

Since all objects in the common case should be proto === ObjectPrototype, it's really just one extra getPrototypeOf call per object.

sophiebits

Does this forbid class instances that have toJSON?

sebmarkbage · 2023-10-11T14:30:36Z

It does not. That is a DEV only error. https://github.com/facebook/react/blob/main/packages/react-server/src/ReactFlightServer.js#L895-L900

sebmarkbage · 2023-10-11T14:36:34Z

If we do switch to a custom JSON.stringify alternative serialization, then it gets a bit easier to ban because we'd just not implement toJSON.

It's much more likely to be an array than Map or TypedArray.

gnoff

Why do we consider null prototype a problem? I assume it's mostly used for dictionaries. I suppose it's unsafe to parse on the receiving end b/c you end up with a prototype there.

sebmarkbage · 2023-10-11T16:14:28Z

Yes that's why.

We only allow plain objects that can be faithfully serialized and deserialized through JSON to pass through the serialization boundary. It's a bit too expensive to do all the possible checks in production so we do most checks in DEV, so it's still possible to pass an object in production by mistake. This is currently exaggerated by frameworks because the logs on the server aren't visible enough. Even so, it's possible to do a mistake without testing it in DEV or just testing a conditional branch. That might have security implications if that object wasn't supposed to be passed. We can't rely on only checking if the prototype is `Object.prototype` because that wouldn't work with cross-realm objects which is unfortunate. However, if it isn't, we can check wether it has exactly one prototype on the chain which would catch the common error of passing a class instance.

…experimental prefix for server action APIs (#56809) The latest React canary builds have a few changes that need to be adopted for compatability. 1. the `useFormState` and `useFormStatus` hooks in `react-dom` and the `formData` opiont in `react-dom/server` are no longer prefixed with `experimental_` 2. server content (an undocumented React feature) has been removed. Next only had trivial intenral use of this API and did not expose a coherent feature to Next users (no ability to seed context on refetches). It is still possible that some users used the React server context APIs which is why this should go into Next 14. ### React upstream changes - facebook/react#27513 - facebook/react#27514 - facebook/react#27511 - facebook/react#27508 - facebook/react#27502 - facebook/react#27474 - facebook/react#26789 - facebook/react#27500 - facebook/react#27488 - facebook/react#27458 - facebook/react#27471 - facebook/react#27470 - facebook/react#27464 - facebook/react#27456 - facebook/react#27462 - facebook/react#27461 - facebook/react#27460 - facebook/react#27459 - facebook/react#27454 - facebook/react#27457 - facebook/react#27453 - facebook/react#27401 - facebook/react#27443 - facebook/react#27445 - facebook/react#27364 - facebook/react#27440 - facebook/react#27436 --------- Co-authored-by: Zack Tanner <zacktanner@gmail.com> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> Co-authored-by: Jiachi Liu <inbox@huozhi.im>

We only allow plain objects that can be faithfully serialized and deserialized through JSON to pass through the serialization boundary. It's a bit too expensive to do all the possible checks in production so we do most checks in DEV, so it's still possible to pass an object in production by mistake. This is currently exaggerated by frameworks because the logs on the server aren't visible enough. Even so, it's possible to do a mistake without testing it in DEV or just testing a conditional branch. That might have security implications if that object wasn't supposed to be passed. We can't rely on only checking if the prototype is `Object.prototype` because that wouldn't work with cross-realm objects which is unfortunate. However, if it isn't, we can check wether it has exactly one prototype on the chain which would catch the common error of passing a class instance.

We only allow plain objects that can be faithfully serialized and deserialized through JSON to pass through the serialization boundary. It's a bit too expensive to do all the possible checks in production so we do most checks in DEV, so it's still possible to pass an object in production by mistake. This is currently exaggerated by frameworks because the logs on the server aren't visible enough. Even so, it's possible to do a mistake without testing it in DEV or just testing a conditional branch. That might have security implications if that object wasn't supposed to be passed. We can't rely on only checking if the prototype is `Object.prototype` because that wouldn't work with cross-realm objects which is unfortunate. However, if it isn't, we can check wether it has exactly one prototype on the chain which would catch the common error of passing a class instance. DiffTrain build for commit e61a60f.

sebmarkbage requested review from gnoff and acdlite October 11, 2023 04:47

facebook-github-bot added CLA Signed React Core Team Opened by a member of the React Core Team labels Oct 11, 2023

Enforce "simple object" rule in production

748ab8a

sebmarkbage force-pushed the prodplainobjects branch from b685a5c to 748ab8a Compare October 11, 2023 04:52

sebmarkbage requested a review from sophiebits October 11, 2023 04:52

sebmarkbage commented Oct 11, 2023

View reviewed changes

sophiebits reviewed Oct 11, 2023

View reviewed changes

Move isArray check higher

ff89f2b

It's much more likely to be an array than Map or TypedArray.

gnoff approved these changes Oct 11, 2023

View reviewed changes

sebmarkbage merged commit e61a60f into facebook:main Oct 11, 2023
36 checks passed

gnoff mentioned this pull request Oct 13, 2023

Update React from d900fadbf to 09fbee89d. Removes server context and experimental prefix for server action APIs vercel/next.js#56809

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Flight] Enforce "simple object" rule in production #27502

[Flight] Enforce "simple object" rule in production #27502

sebmarkbage commented Oct 11, 2023

react-sizebot commented Oct 11, 2023 •

edited

Loading

sebmarkbage Oct 11, 2023

sophiebits left a comment

sebmarkbage commented Oct 11, 2023

sebmarkbage commented Oct 11, 2023

gnoff left a comment

sebmarkbage commented Oct 11, 2023

[Flight] Enforce "simple object" rule in production #27502

[Flight] Enforce "simple object" rule in production #27502

Conversation

sebmarkbage commented Oct 11, 2023

react-sizebot commented Oct 11, 2023 • edited Loading

Critical size changes

Significant size changes

sebmarkbage Oct 11, 2023

Choose a reason for hiding this comment

sophiebits left a comment

Choose a reason for hiding this comment

sebmarkbage commented Oct 11, 2023

sebmarkbage commented Oct 11, 2023

gnoff left a comment

Choose a reason for hiding this comment

sebmarkbage commented Oct 11, 2023

react-sizebot commented Oct 11, 2023 •

edited

Loading