React is a popular JavaScript library for building user interfaces. First deployed on Facebook's news feed in 2011 and then on Instagram in 2012, it was released as open source in May 2013, and React Native joined the family in March 2015.
Since then, React has grown into a proper open source phenomenon. With more than 100,000 GitHub stars (albeit a possibly dubious metric), over 300,000 dependent repositories, and more than 800 contributors, React is alongside Angular and Vue in the pantheon of modern frontend JavaScript frameworks.
What explains the success of React? Some value its elegant simplicity, others the breadth of its ecosystem.
For many others it's the confidence that React is "supported by Facebook."
But is it really?
That depends on what you mean by React, and what you mean by support.
So what exactly is "React," anyway?
For sure, it's a library for building user interfaces. It's also an ecosystem of related packages. But what's often overlooked is that, as typically used, it incorporates many, many other projects as dependencies. Many.
The Facebook team has done an excellent job of providing resources to help new developers get started using React, and one of them is the wonderful create-react-app. After going through the full setup, you can plainly see that this "Hello World" application has three direct dependencies: react-dom, react-scripts, and react. Great! All three of these packages are actively maintained by the React team at Facebook, so what's the issue?
As it turns out, these aren't the only dependencies of the default create-react-app output; it actually requires (as of this writing) 1,103 dependencies, with the remaining 1,100 getting pulled in transitively as requirements of react-dom, react-scripts, and react. In other words: a wall of text filled with open source dependencies.
So in reality, the top-level packages that many developers perceive as "React," which are actively maintained by the Facebook engineering team, are just the tip of an iceberg of open source software from other open source developers.
And all that software gets incorporated into your own React-based application.
Facebook's contributions to React and the JavaScript ecosystem around it are epic. Truly the stuff of legend.
But when we dive into the dependencies of the default create-react-app, only 24 of the 1,103 packages come from repositories in Facebook's GitHub organizations. That's less than 3% of the dependencies required to build the "Hello, World" app with create-react-app!
Furthermore, just because a project sits in a Facebook GitHub repository doesn't mean it's "supported" for your definition of support. When we asked professional software teams what assurances they require for the open source they incorporate into their applications, they told us that they need:
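One way to reproduce this kind of count on your own project, as an added example that is not part of the original post: read the lockfile's package map, look up each package's `repository` field, and tally the GitHub owners. The lockfile layout follows npm's lockfileVersion 2/3 `packages` map; the miniature lockfile, metadata and repository URLs below are constructed stand-ins, not measurements.

```javascript
// Added example (not from the original post): attribute the packages in a package-lock.json
// (lockfileVersion 2/3 "packages" map) to the GitHub organisations hosting them. Sample data is constructed.

// Reduce the shapes of a package.json "repository" field (string shorthand,
// full URL, or {type, url} object) to a lowercased GitHub owner, else null.
function githubOwner(repository) {
  const url = typeof repository === 'string' ? repository : repository && repository.url;
  if (!url) return null;
  let m = url.match(/^(?:github:)?([\w.-]+)\/[\w.-]+$/); // "github:owner/name" or "owner/name"
  if (m) return m[1].toLowerCase();
  m = url.match(/github\.com[/:]([\w.-]+)\/[\w.-]+/i); // https, git+https, git:// and git@ forms
  return m ? m[1].toLowerCase() : null;
}

// lockPackages: the lockfile "packages" object keyed by install path ("" is the root project).
// metadata: package name -> its package.json. orgs: organisations counted as first party.
function attributeDependencies(lockPackages, metadata, orgs) {
  const firstParty = new Set(orgs.map((o) => o.toLowerCase()));
  const names = new Set();
  for (const path of Object.keys(lockPackages)) {
    if (path === '') continue; // skip the project's own entry
    // Nested installs look like "node_modules/a/node_modules/b"; the name follows the last marker.
    names.add(path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length));
  }
  const result = { total: names.size, fromOrgs: 0, unknown: 0, byOwner: {} };
  for (const name of names) {
    const owner = githubOwner((metadata[name] || {}).repository);
    if (owner === null) { result.unknown += 1; continue; }
    result.byOwner[owner] = (result.byOwner[owner] || 0) + 1;
    if (firstParty.has(owner)) result.fromOrgs += 1;
  }
  result.firstPartyShare = result.total ? result.fromOrgs / result.total : 0;
  return result;
}

// Constructed miniature lockfile and metadata; "example-widget" is a fictional package.
const sampleLock = {
  '': { name: 'hello-world' },
  'node_modules/react': {}, 'node_modules/react-dom': {}, 'node_modules/react-scripts': {},
  'node_modules/semver': {}, 'node_modules/example-widget': {},
  'node_modules/react-scripts/node_modules/semver': {}, // nested copy, counted once by name
};
const sampleMeta = {
  react: { repository: { type: 'git', url: 'git+https://github.com/facebook/react.git' } },
  'react-dom': { repository: 'github:facebook/react' },
  'react-scripts': { repository: 'facebook/create-react-app' },
  semver: { repository: 'https://github.com/npm/node-semver' },
  'example-widget': { repository: 'https://gitlab.example/someone/example-widget' },
};
console.log(attributeDependencies(sampleLock, sampleMeta, ['facebook']));
```

On a real project, `metadata` is built by reading `node_modules/<name>/package.json` for each key in the lockfile; packages whose repository is not on GitHub land in `unknown` rather than being silently miscounted.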
Facebook does the world a great service by releasing the source code for React under an open source license and driving its development.
But it doesn't offer a commercial service level agreement covering security, maintenance, and licensing even for the 24 packages in its own GitHub repositories, much less the full 1,103 packages in a default create-react-app project.
With Tidelift we're introducing a new model to bridge this gap.
The Tidelift Subscription provides commercial-grade security updates, maintenance, and legal assurances for the open source projects you depend on, provided directly by the experts who created them.
With Tidelift, commercial teams using React can easily purchase a single subscription providing security, legal, and maintenance assurances across a broad set of dependencies in the React ecosystem.
And if you're a maintainer of a package in the React ecosystem, including any of those 1,103 package dependencies, you can sign up as a Tidelift maintainer (we call them "lifters") and get paid for offering some straightforward extra assurances.
Tidelift provides a way to bring users and maintainers together in a scalable model that works for everyone. Those who build and maintain open source software get compensated for their effort, and those who use their creations get more dependable software.
We're all indebted to Facebook for the substantial investments it's made in driving the React ecosystem forward. If you're a professional software team building with React, or any other open source technologies, consider the Tidelift Subscription as a way to complete the picture by adding the commercial security, licensing, and maintenance assurances you need.