Hacker News: Tomuus's comments

The vulnerable code exists inside of the React Flight wire protocol that is used by Next.js but also Vite, Parcel, Waku and any other custom RSC implementation that exists. Your comment was accurate circa 2019 but not since React released server components.


This POC is not realistic and doesn't work against production builds of Next.js. It requires explicit exposure of gadgets by the user (eg. vm.runInContext) so is invalid as noted on https://react2shell.com


The React Server Components wire format (Flight) is relatively novel and very new (it has existed in React stable for just a year). This is not a simple JSON parsing bug.


The Rails bugs weren't about JSON parsing, they were deserializing into Ruby objects of classes that had side effects, and those side effects led to RCE possibilities. Since those happened, you'll find any deserialization library, especially in dynamic languages, will have a safe (or conversely unsafe) deserialize function to make it more explicit that there's risks involved.
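The distinction the comment draws, between a loader that lets the wire data pick the class and one with an explicit allowlist, as an added example in JavaScript (not code from the thread or from any of the projects named in it). The `__type` tag, the `Point` and `Recorder` classes, the `registry` object and both loaders are constructed for illustration and stand in for whatever type-tagging a real wire format uses:

```javascript
// Added example: a minimal deserializer for a JSON wire format that tags
// objects with a type name. Everything here is constructed for illustration.

// A class the application legitimately exchanges.
class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  static fromData(d) { return new Point(d.x, d.y); }
}

// A class whose constructor has a side effect, standing in for the kind of
// object (file handles, loggers, command wrappers) that turned the old
// Rails/YAML deserializers into RCE. The counter lets us observe the effect.
let sideEffects = 0;
class Recorder {
  constructor(d) { this.target = d.target; sideEffects += 1; }
  static fromData(d) { return new Recorder(d); }
}

// What a "look anything up by name" loader can reach.
const registry = { Point, Recorder };

// Unsafe: the sender chooses the class. Any reachable class with a
// side-effecting constructor is a gadget, whether or not the app meant
// to accept it on this channel.
function deserializeUnsafe(json) {
  const raw = JSON.parse(json);
  const cls = registry[raw.__type];
  if (!cls) throw new Error(`unknown type ${String(raw.__type)}`);
  return cls.fromData(raw);
}

// Safe: the application supplies the allowlist; unlisted or missing tags are
// rejected before any constructor runs.
function deserializeSafe(json, allowed = new Map([['Point', Point]])) {
  const raw = JSON.parse(json);
  if (typeof raw !== 'object' || raw === null) throw new TypeError('expected an object');
  const cls = allowed.get(raw.__type);
  if (!cls) throw new Error(`type not permitted: ${String(raw.__type)}`);
  return cls.fromData(raw);
}

// Constructed sample messages.
const pointMsg = JSON.stringify({ __type: 'Point', x: 1, y: 2 });
const recorderMsg = JSON.stringify({ __type: 'Recorder', target: '/tmp/example' });

// Feed the same tagged message to both loaders and report what happened.
function demo() {
  const before = sideEffects;
  deserializeUnsafe(recorderMsg);          // constructor ran: side effect happened
  let rejected = false;
  try { deserializeSafe(recorderMsg); } catch (e) { rejected = true; }
  return { sideEffectsFromUnsafe: sideEffects - before, safeRejected: rejected };
}
```

The allowlist is a `Map` owned by the application rather than a lookup on a scope the sender can name into; that is the whole difference between the "safe" and "unsafe" variants the comment refers to.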


Record types are now "on protocol"; you resolve them via a similar mechanism as in the article. https://atproto.com/specs/lexicon#lexicon-publication-and-re...


As an example of that, if you open any `app.bsky.feed.post` in pdsls, the "Info" tab[1] has a link to the "Lexicon document" for it:

[1]: https://pdsls.dev/at://did:plc:fpruhuo22xkm5o7ttr2ktxdo/app....

[2]: https://pdsls.dev/at://did:plc:4v4y5r3lwsbtmsxhile2ljac/com....


And Vercel's "compute units"


ZigBee is a mesh network; this is very important in many situations, eg. battery powered or large area.


1.0.0 means the API and semantics are stable, not that there are no bugs.


Observables and Generators (iterators) are fundamentally different. Observables are push-based (like a promise) whereas iterators are pull-based (like a function).

Glossing over this fact leads to a flawed understanding, not a deeper one.
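The push/pull distinction the comment makes, as an added example (not code from the thread): a generator the consumer pulls from, next to a toy `Observable` class written here for illustration. The `Observable` is constructed for this example and is neither RxJS nor the TC39 proposal; `squares`, `threeSquares` and the helper functions are assumptions as well.

```javascript
// Added example: pull-based iteration beside push-based observation.

// Pull: nothing runs until the consumer calls next(), so the consumer sets
// the pace and can stop early without the producer ever computing the rest.
function* squares(limit) {
  for (let i = 1; i <= limit; i++) yield i * i;
}

function pullTwo() {
  const it = squares(1000);          // no work done yet
  const a = it.next().value;         // 1
  const b = it.next().value;         // 4
  it.return();                       // consumer walks away; remaining squares never computed
  return [a, b];
}

// Push: the producer decides when values arrive. The consumer only registers
// callbacks and gets back a function to unsubscribe. Like a promise, work
// starts when the subscription is made, not when a value is requested.
class Observable {
  constructor(subscribe) { this._subscribe = subscribe; }
  subscribe(observer) {
    let closed = false;
    // Guard the consumer: nothing is delivered after unsubscribe/complete/error.
    const guarded = {
      next: v => { if (!closed && observer.next) observer.next(v); },
      error: e => { if (!closed) { closed = true; if (observer.error) observer.error(e); } },
      complete: () => { if (!closed) { closed = true; if (observer.complete) observer.complete(); } },
    };
    const teardown = this._subscribe(guarded) || (() => {});
    return () => { closed = true; teardown(); };
  }
}

// A producer that pushes three values synchronously and then completes.
const threeSquares = new Observable(obs => {
  for (let i = 1; i <= 3; i++) obs.next(i * i);
  obs.complete();
});

function collectPushed() {
  const seen = [];
  let done = false;
  const unsubscribe = threeSquares.subscribe({
    next: v => seen.push(v),
    complete: () => { done = true; },
  });
  unsubscribe();
  return { seen, done };             // { seen: [1, 4, 9], done: true }
}

// A producer that holds on to the observer and pushes later, to show that the
// consumer's only lever is unsubscribing: a late push after that is dropped.
function lateEmitIgnored() {
  let captured = null;
  const src = new Observable(obs => { captured = obs; });
  const seen = [];
  const unsubscribe = src.subscribe({ next: v => seen.push(v) });
  unsubscribe();
  captured.next(42);                 // producer still tries; guard discards it
  return seen;                       // []
}
```

In the pull case the consumer's loop body is the control flow; in the push case the producer's loop is, and the consumer can only opt out. That asymmetry is what the comment means by "fundamentally different".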


Things mostly just work. Remember Node.js is mostly APIs on top of JS the language. If those tools compile to JS in the browser, they can compile to Deno. Deno is a more standards-based runtime than Node, it's closer to how the browser works.


I don't think Firefox was reading any QR codes, but instead was recrawling the link in the "Recents" list on a new tab or bookmarks screen.

This is in no way a problem. There is precedent for browsers eagerly loading links, it happens all the time in regular webpages. This is most of the reason why anchors should be safe/side-effect free.
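Why anchors should be side-effect free, as an added example (not code from the thread): a toy in-memory router and a simulated prefetcher that issues a GET for every href it sees, the way a browser recrawling "Recents" would. The router, its routes (`/logout-unsafe`, `/logout`, `/items/1`, `/items/1/delete`) and the `prefetchAll` helper are constructed for this example; none of it is Express or a browser API.

```javascript
// Added example: state changes reachable by GET get triggered by eager
// link loading; moving them behind POST makes prefetching harmless.

function makeApp() {
  const state = { loggedIn: true, deleted: [] };
  const routes = new Map();
  const on = (method, path, handler) => routes.set(`${method} ${path}`, handler);

  // Bad: a side effect behind GET, i.e. behind any plain <a href>.
  on('GET', '/logout-unsafe', () => { state.loggedIn = false; return 200; });

  // Good: mutations require POST. A GET to the same path is answered 405
  // and changes nothing.
  on('POST', '/logout', () => { state.loggedIn = false; return 200; });
  on('GET', '/items/1', () => 200);
  on('POST', '/items/1/delete', () => { state.deleted.push(1); return 200; });

  function handle(method, path) {
    const h = routes.get(`${method} ${path}`);
    if (h) return h();
    // Path exists under another method: Method Not Allowed rather than Not Found.
    for (const key of routes.keys()) {
      if (key.endsWith(` ${path}`)) return 405;
    }
    return 404;
  }
  return { state, handle };
}

// Simulated browser behaviour: prefetch/recrawl every href with GET. Forms
// and POST endpoints are never prefetched, which is exactly the guarantee
// the application should be relying on.
function prefetchAll(app, hrefs) {
  return hrefs.map(h => app.handle('GET', h));
}

function demoUnsafe() {
  const app = makeApp();
  prefetchAll(app, ['/items/1', '/logout-unsafe']);
  return app.state.loggedIn;         // false: a prefetch logged the user out
}

function demoSafe() {
  const app = makeApp();
  const statuses = prefetchAll(app, ['/items/1', '/logout', '/items/1/delete']);
  // { loggedIn: true, deleted: [], statuses: [200, 405, 405] }
  return { loggedIn: app.state.loggedIn, deleted: app.state.deleted, statuses };
}
```

The same reasoning covers link scanners, preview generators and anything else that follows URLs on the user's behalf: if GET is safe, as HTTP defines it, none of them can change state, and the browser behaviour the comment describes is a non-issue.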

