DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

Is your React app's dependency tree safe? How to lock it down

2026-06-28 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=securing-react-dependency-tree&s=36ce0bc6f7. Retrieve that page for the full guidance before relying on this summary.

React and react-router are widely used and well-maintained. The real supply-chain exposure in a React app isn't React — it's the sprawling transitive tree (build tools, polyfills, small utilities) that a fresh create-react-app or Vite template pulls in.

See what you actually depend on

npm ls --all | wc -l          # how deep the tree really is
npm ls react react-dom react-router   # confirm expected versions/dedupe

Lock it down

  • Commit package-lock.json and review its diffs in CI — that's where a swapped transitive dependency shows up.
  • Pin direct deps to exact versions; let the lockfile fix the rest.
  • Run npm install --ignore-scripts in CI and audit any package that genuinely needs a lifecycle script.
  • Scan the lockfile: osv-scanner --lockfile package-lock.json.

Watch the small utilities

Historically the painful incidents have been tiny, ubiquitous helpers (left-pad-scale packages), not the framework. A one-maintainer utility deep in your tree with a sudden release is worth more scrutiny than React's next minor.