* Reported to the maintainers privately
* Patch published and CVE issued before wider disclosure
* Automated fix PRs created within minutes of public disclosure (and for folks doing proactive updates, before)
The above is _really_ excellent. Compare that to Log4j, which had no CVE and no patch at the time it became public knowledge, and it's clear we've come a long way.
Supply chain security isn't a solved problem - there's lots we can still improve, and not everything here was perfect. But hats off to @leerob and everyone else involved in handling a tough situation really well.
- At least _mentioning_ Vite directly on the "Create a Project" page _is_ genuinely a step in the right direction. That said, they're going out of their way to still not just directly say "creating a basic SPA with Vite is a valid option for using React", and at this point it just looks pretty ridiculous. (Someone pointed out that the Svelte docs start with "Use SvelteKit"... and then the very next thing is "or add Svelte to a basic Vite project with this template". That's what's needed here.)
- I get the _intent_ of the "Build Your Own Framework" phrasing (ie, "choosing to self-install a router, data fetching lib, etc, results in a poor self-created framework"). That said, the "BYOF" page is the opposite of what's needed. It needs to be concrete steps to guide beginners into setting up an app with Vite or Parcel and recommending specific tools to add and techniques to use. Instead, it's "Step 1: Install Vite or Parcel"... and then multiple sections of "Look how hard routing, data fetching, and rendering are, you'll _never_ get this right yourself, use an existing framework instead, DON'T DO IT YOURSELF!". The content would be great if it was on a page titled "Web App Perf Basics", or "Framework Capabilities". But given that this is linked from the "Create" page with the hint of "follow steps here to get going DIY", this is the wrong content entirely.
- Similarly, the repeated use of "framework" to mean "a pre-existing thing someone else built" vs "a set of libs you added yourself" is confusing. Along with that, the overall tone generally comes across as "we don't want to acknowledge the breadth of ways that people use React in practice, and we're going to keep repeating the word 'framework' because we don't trust users to know how to make decisions themselves and we know what's best for you".
- I understand why they tried to emphasize "Next/RR/Expo can all export plain SPAs with no server needed!". That knowledge is genuinely not widespread. But, I don't think a bright green callout with that info should be the _first_ thing on the "Create a Project" page. _Somewhere_ on the page, sure, but it's not the most critical thing to show right away.
So, actual genuine improvement... and yet still kinda frustrating to read and see the phrasing and messaging so far off from what it _ought_ to be.
- React 19 broke CRA
- I griped about it loudly on Bluesky (https://bsky.app/profile/acemarke.dev/post/3lggg6pk7g22o) and that started a long debate
- I filed an umbrella issue describing the specific breakage and recommending an actual official deprecation announcement (https://github.com/facebook/create-react-app/issues/17004)
- The React team finally took action to fix the CRA breakage, then wrote the blog post, updated the setup docs page, and redid the docs SEO to get Google to stop showing the legacy docs as a search result.
So, kudos to the React team for making meaningful changes here!
(It's not _exactly_ what I was hoping for, and I gave them some additional review feedback that they didn't include, but gotta give credit for the actual changes and steps forward!)
I was given word back in 2019 while I was working on CRA that the React team was cozying up to the Next team and was going to be pushing Next as the future of React. That never sat well with me and I stopped contributing the following year.
This post took way too long to be sent to the community, but I’m glad they finally did something. It’s been dead for years.