Description
What is the documentation issue?
Package server-only has no documentation and it's hard to say if it's an official package, or unofficial one, or recommended one. It's also very hard to say where it's sourced from without extensive detective work. It's being used both in NextJS docs as well as react.dev documentation.
The package should be documented, most likely owned by one of the orgs, and the source should be clearly available.
Is there any context that might help us understand?
This issue is about general confusion about server-only package.
Everything probably starts somewhere around https://github.com/reactjs/rfcs/blob/main/text/0227-server-module-conventions.md where Ryo and Dan have a proposal around server-module-conventions. It describes poisoning imports using a package.
At the same time, https://www.npmjs.com/package/server-only/v/0.0.1 is published to npm by @sebmarkbage, that contains absolutely no documentation and points to reactjs.org, making it seem that it's somehow related to React itself, despite not living under any Meta-related namespace.
There are two usages of the package documented very loosely on the internet. The first one can be found in the NextJS docs that clearly says that "install this package, use it like this", and it's probably fine: https://nextjs.org/docs/app/building-your-application/rendering/composition-patterns#keeping-server-only-code-out-of-the-client-environment
The closest thing to the source code is probably this pull request in NextJS, #44861, that brings those imports to the NextJS codebase; the actual source code of server-only seems to match that, despite a different author and being released a year before the package. Maybe I am missing something here?
Finally, in the react.dev docs itself, server-only is used as a concept, but also as an actual package in https://react.dev/reference/react/experimental_taintUniqueValue#using-server-only-and-taintuniquevalue-to-prevent-leaking-secrets
Ideally, secrets like this are abstracted into a single helper file that can only be imported by trusted data utilities on the server. The helper can even be tagged with server-only to ensure that this file isn’t imported on the client.