It is very strange that this didn't make it to the front page of HN. I've just received an email from DigitalOcean that my VPS/droplet had been used in a DDoS attack, and a few hours latter another email, again from DigitalOcean, saying that I'm running software that has a vulnerability with CVE score of 10. I guess not a lot of CVEs get a score of 10, and not for a framework as widespread as React and Next.