Yes this is still possible if you log any user-modifiable value. One example would be logging out a user agent header - if an attacker spoofs this to include a JDNI URI then the vulnerability can be exploited.
This is why this CVE is so scary - I would imagine the majority of applications using log4j will log out a user-supplied value at some point.
How about feeding the magic string via Host header in your requests and then cutting off? You wouldn't even need to establish the full TLS handshake, SNI is sent in the clear, and you would get to hit every single load-balancer and middle box - and everything they send their logs to.
Within create-react-app, the local dev server does indeed use Webpack. For deploying into prod, the recommend approach is to use the `build` script which will output the static files to be deployed to a host e.g. S3 or Zeit Now.
If you require server-side rendering, Next.js can be run just as any other Node server so will be fine in Docker. Alternatively, Next has support for running in AWS Lambda/Lambda@Edge do you don't need to have infra running 24/7.
On your point about using CNAMEs - if you have the domain set up with Route 53, you can create an A/AAAA alias record on the domain apex pointing to CloudFront.
I believe us-east-1 is one of the regions included in the minimal set of regions for a new AWS service to be considered 'available'. If I recall, eu-west-1 is another such region.
As mentioned in the article, this only applies to repositories with a handful of collaborators and as such organisations with private repos will still need to pay a subscription.
GitHub enterprise will also continue to provide a revenue stream.
