
Next.js/RSC has become the new PHP :)

I guess now we'll see more bots scanning websites for the "/_next" path rather than "/wp-content".



Inevitable when the line between the client and the server is blurred this much. RCE in a UI library is not a phrase you hear often.


Maybe one day we'll look back at JavaScript and conclude it was a gigantic mistake to ship unaudited executable code to a few billion people every day.


JavaScript is fine, it's what and how people build with it that's the problem. It was never meant to be a systems language but we're desperate to make it one.


In light of this discussion:

https://news.ycombinator.com/item?id=46141771

that is an interesting observation.


I have seen a number of attempts at exploiting this on our deployment already. Luckily I saw and was able to apply the patch last night, but as a European, it wasn't great to only get the announcement after dinner time.



