react-router-dom is the React Router library. The official package is well-maintained — which is exactly why attackers publish typosquats and lookalikes whose names are a keystroke away. Here's how to install react-router-dom and confirm you're getting the real one.
Install
npm install react-router-dom
Confirm it's the real package
npm view react-router-dom maintainers repository.url time.modified
Check the repository URL resolves to real, active source, the maintainers are who you expect, and the release history is long and steady rather than a single surprise version.
Is react-router-dom safe? quick checklist
- Exact name matches the official docs — watch for swapped letters, extra hyphens, scope changes.
- Download counts and age look like a mainstream package, not a fresh lookalike.
- No suspicious install-time scripts making network/shell calls.
- No open advisories against the version you're pulling.
Pin the version
npm install react-router-dom@
Record it in your lockfile and review lockfile diffs in CI — that's where a swapped dependency surfaces.
Red flags & a quick scan
- A near-identical name with far fewer downloads and a recent creation date.
- A lone maintainer publishing a sudden release after a long quiet stretch.
- Install scripts running network calls — inspect before executing:
npm install --ignore-scripts react-router-dom
osv-scanner --lockfile package-lock.json
Related questions
- How do I install react-router-dom? Run
npm install react-router-dom(details above). - Is react-router-dom safe to use? Yes, the official package is well-maintained — verify you have the real one with the checklist above, not a typosquat.
- What is the latest version of react-router-dom? Check it deliberately rather than trusting a floating tag — see the verify step above — then pin the exact version.
- Does react-router-dom have known vulnerabilities? Scan your lockfile with
osv-scanner --lockfile package-lock.jsonand cross-check advisories on OSV for the exact version you use. - Is the react-router-dom npm package a supply-chain risk? The bigger risk is its transitive dependencies and install scripts — pin versions and review lockfile diffs.