marisen 18 hours ago
Given this (including the linked writeup on the Mintlify RCE), after the React RCE, I think it should be pretty obvious that 1. content security policies should always be used to prevent such scripts (here they would prevent execution of scripts from the SVG) 2. The JavaScript ecosystem should be making `--disallow-code-generation-from-strings` a default recommendation when running NodeJS on the server. Vercel (and other NodeJS-as-a-service providers) should warn customers that don't use CSP and `--disallow-code-generation-from-strings` that their settings should be improved. There are a bunch of other NodeJS flags that maybe you should look into too: https://sgued.fr/blog/react-rce/#node-js-mitigations
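
An added example, not part of marisen's comment: a Node.js startup check for the `--disallow-code-generation-from-strings` flag recommended above, with a child-process probe that shows what the flag changes for `eval` and `new Function`. The names `codegenFromStringsBlocked`, `probe` and `assertHardened` are hypothetical, chosen for this illustration.

```javascript
// Added illustration; helper names are hypothetical, not from any project.
// Loads a built-in module under both CommonJS and ES modules.
const load = (name) =>
  typeof require === 'function' ? require(name) : process.getBuiltinModule(name);
const { spawnSync } = load('node:child_process');

// True when this process refuses to compile code from strings, which is
// what starting node with --disallow-code-generation-from-strings does.
function codegenFromStringsBlocked() {
  try {
    new Function('return 1');
    return false;
  } catch (err) {
    return err instanceof EvalError;
  }
}

// Constructed probe script: reports which string-to-code sinks still work.
const PROBE = `
  const sinks = {
    eval: () => eval('1 + 1'),
    Function: () => new Function('return 2')(),
  };
  const out = {};
  for (const [name, run] of Object.entries(sinks)) {
    try { run(); out[name] = 'allowed'; } catch (e) { out[name] = e.name; }
  }
  console.log(JSON.stringify(out));
`;

// Runs the probe in a fresh node process started with the given flags.
function probe(nodeFlags) {
  const r = spawnSync(process.execPath, [...nodeFlags, '-e', PROBE], { encoding: 'utf8' });
  if (r.status !== 0) throw new Error(r.stderr);
  return JSON.parse(r.stdout);
}

// Fail-closed guard to call first in a server entry point.
function assertHardened() {
  if (!codegenFromStringsBlocked()) {
    throw new Error('start node with --disallow-code-generation-from-strings');
  }
}
```

Calling `assertHardened()` at the top of the entry point makes a deployment that dropped the flag fail at boot instead of running unprotected.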