<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=420236&amp;fmt=gif">

Over $1M now available to pay open source maintainers! Get the details.

Who supports React? That depends on what you mean

Keenan Szulik
by Keenan Szulik
on August 14, 2018

React is a popular JavaScript library for building user interfaces. First deployed on Facebook's news feed in 2011 and then on Instagram in 2012, it was released as open source in May 2013, and React Native joined the family in March 2015.

Since then, React has grown into a proper open source phenomenon. With more than 100,000 GitHub stars (albeit a possibly dubious metric), over 300,000 dependent repositories, and more than 800 contributors, React is alongside Angular and Vue in the pantheon of modern frontend JavaScript frameworks.

What explains the success of React? Some value its elegant simplicity, others the breadth of its ecosystem.

For many others it's the confidence that React is "supported by Facebook."

But is it really?

That depends on what you mean by React, and what you mean by support.

Assess Your Open Source

How many dependencies?! 😨

So what exactly is “React,” anyway?

For sure, it’s a library for building user interfaces. It’s also an ecosystem of related packages. But what’s often overlooked is that as typically used, it incorporates many, many other projects as dependencies. Many.

The Facebook team has done an excellent job of providing resources to help new developers get started using React, and one of them is the wonderful create-react-app. After going through the full setup, you can plainly see that this “Hello World” application has three direct dependencies: react-dom, react-scripts, and react. Great! All three of these packages are actively maintained by the React team at Facebook, so what’s the issue?

As it turns out, these aren’t the only dependencies of the default create-react-app output; it actually requires (as of this writing) 1,103 dependencies, with the remaining 1,100 getting pulled in transitively as requirements of react-dom, react-scripts, and react. In other words: a wall of text filled with open source dependencies.


So in reality, the top-level packages that many developers perceive as “React,” which are actively maintained by the Facebook engineering team, are just the tip of an iceberg of open source software from other open source developers.

And all that software gets incorporated into your own React-based application.

How do you support the whole iceberg?

Facebook's contributions to React and the JavaScript ecosystem around it are epic. Truly the stuff of legend.

But when we dive into the dependencies of the default create-react-app, only 24 of the 1,103 packages come from repositories in Facebook’s GitHub organizations. That’s less than 3% of the dependencies required to build the “Hello, World” app with create-react-app!

Furthermore, just because a project sits in a Facebook GitHub repository doesn’t mean it’s “supported” for your definition of support. When we asked professional software teams what assurances they require for the open source they incorporate into their applications, they told us that they need:

  • Security: Timely notifications and help addressing vulnerabilities
  • Maintenance: Assurance of ongoing high-quality maintenance into the future
  • Licensing: Legal assurances documenting license status and whether current usage is compatible
  • Visibility: A clear way to understand all of an organization’s open source dependencies and better manage risk

Facebook does the world a great service by releasing the source code for React under an open source license and driving its development.

But it doesn't offer a commercial service level agreement covering security, maintenance, and licensing even for the 24 packages in its own GitHub repositories, much less the full 1,103 packages packages in a default create-react-app project.

You support the whole iceberg with a rising tide

With Tidelift we're introducing a new model to bridge this gap.

The Tidelift Subscription provides commercial-grade security updates, maintenance, and legal assurances for the open source projects you depend on, provided directly by the experts who created them.

With Tidelift, commercial teams using React can easily purchase a single subscription providing security, legal, and maintenance assurances across a broad set of dependencies in the React ecosystem.

And if you're a maintainer of a package in the React ecosystem, including any of those 1,103 package dependencies, you can sign up as a Tidelift maintainer (we call them “lifters”) and get paid for offering some straightforward extra assurances.

Tidelift provides a way to bring users and maintainers together in a scalable model that works—for everyone. Those who build and maintain open source software get compensated for their effort—and those who use their creations get more dependable software.

request a demo

We’re all indebted to Facebook for the substantial investments it’s made in driving the React ecosystem forward. If you’re a professional software team building with React, or any other open source technologies, consider the Tidelift Subscription as a way to complete the picture by adding the commercial security, licensing, and maintenance assurances you need.

2018 open source survey results