
Curious, not critical: got links to the warnings that were given about this approach over the years?

I’m interested in learning more about the history here.



Not really, I didn't keep receipts. This stuff was discussed heavily on X a couple years ago when they were first launched and a lot of people questioned the wisdom of implicit RPC and blurring the lines between client/server, and the increasing complexity of React. I'm sure there were some articles written as well.

I believe one of the React email services got pwned because they leaked sensitive info via RSC, and there was a whole fiasco around Next.js encrypting server secrets and sending them to the client.

Lo and behold, just a couple years later, a lvl 10 RCE because of the complexity of their RPC approach coupled with the blurring of the lines between client/server... it's not like it's surprising to us. A repro of the vulnerability is on X & GitHub if you want to search for it; it's a classic deserialization bug that only exists because their format is so complex (and powerful).

Remember a lot of us use React as a UI library and to see it causing our servers to get pwned is what people were uneasy about when they announced RSC.

Unfortunately, much of this discussion is on X, which makes it hard to find, especially because I think Dan Abramov deleted his X account.



