by jfoster 2185 days ago
React itself is big & reputable, but the dependency tree is massive and I doubt that it's getting fully vetted on an ongoing basis. Even if you vet it today, any given dependency can be updated to something else tomorrow.

There are definitely some things in React's dependency tree that are a bit questionable if you are sensitive enough to any given problem, beyond just security. For example, packages where the license is contradictory between the package.json and the LICENSE file, or where the full license terms are not expressed in either but are clarified in the README.md.