React 19 vulnerability

[pavodev]

On December 3rd the React Team published an article(https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) relative to a serious vulnerability discovered in React 19, specifically involving React Server Components.
I’m not aware that Mirador 4 uses React Server Components but it seems that the vulnerability might also affect apps that use bundles such as Vite.

I’m considering to use Mirador 4 for a future project and I’m wondering if it’s anyhow affected by this.

[lutzhelm]

There is no trace of next, react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack in Mirador's dependency tree.

Vite itself is also unaffected, only Vite's React Server Component plugin @vitejs/plugin-rsc is. The latter is not used in Mirador.