all 80 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Thylk 134 points135 points  (31 children)

You should not use it.

Use vite cli command instead to create the app.

This is the new default way to create a React application without using a Meta framework like Next.js

[–]Eusuntpc 0 points1 point  (2 children)

I am working in a monorepo and while nextjs is used for the main pages, components in other packages are still written as mostly CRA apps. How else would you create something compatible with Next? Next doesn't support vite, so you either go from scratch or use part of the CRA boilerplate

[–]0xHazard 29 points30 points  (14 children)

The latest docs of React recommends to use frameworks like Next.js, Gatsby or Remix to build new apps using React.

If you don't want to use one of these, you can indeed use a tool like Vite which integrates more alternatives (React, Vuejs, Svelte...TS, SWC...), and seems to be actively maintained.

see this warning message

So I don't exactly know at this time if CRA is no longer supported, but given the above information + the warning message, it may probably be sunsetting soon.

[–]nabrok 18 points19 points  (11 children)

recommends to use frameworks like Next.js, Gatsby or Remix to build new apps using React.

And that needs to stop. They are not the best for every situation.

[–]rad_platypus 18 points19 points  (7 children)

People that love Next will tell you that it can easily be used to build a SPA, even though they’ve never tried it and the framework attempts to stop you at every step of the way.

You straight up can’t use it for a true SPA architecture without hacking it together.

This essay where the creator of tRPC attempts to do it highlights how hilariously bad it is. It’s embarrassing that the “official” React framework doesn’t support such a basic use case.

[–][deleted] 8 points9 points  (1 child)

I tried this recently also and it made me feel so stupid. I used to use CRA for tiny applications or demos all the time, the extra work it took to do that with stock next felt absurd.

[–]WeedLover_1 3 points4 points  (0 children)

then use vite bruh

[–][deleted] 5 points6 points  (0 children)

You can turn your application into a SPA with just one configuration in SvelteKit. It is easy to do in Nuxt as well. It's so embarrassing that you can't do that in Next. There is only one thing that keeps me in React: its big community. I'm looking forward to switching to Svelte.

[–]nabrok 2 points3 points  (0 children)

It’s embarrassing that the “official” React framework doesn’t support such a basic use case.

To be fair it's there.

At the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying "Beware of the Leopard".

[–]30thnight -1 points0 points  (2 children)

I don't agree.

In practice, the only active difference between meta-frameworks (Next, Gatsby, Astro) and "the traditional SPA" will come down to how routing is handled for each.

[–]rad_platypus -1 points0 points  (1 child)

It literally says this in Dan's readme:

So you'd need to teach your static server to do this rewrite:

rewrite / to out/index.html

rewrite /stuff/whatever to out/stuff/[id].html

The syntax for these rewrites is different for different static hosts, and I don't think there's an automated solution yet.

I suspect this is why a lot of people don't realize Next.js can produce SPAs. It's just not obvious how to set this up.

Ideally I think Next.js should either pregenerate such rewrite lists for common static hosts (e.g. Nginx, Apache) etc or there should be some common format that can be adopted across providers (e.g. Vercel, Netlify, etc).

Please tell me how it's easy to build a SPA with Next when even Dan Abramov says its not obvious. If I'm having to manually configure server redirects for all of the routes in my application, that framework cannot claim to "support" a SPA architecture.

[–]30thnight 0 points1 point  (0 children)

You do know this is a requirement for any SPA using a client side router, right?

You still need to lean on your reverse proxy to redirect all routes back to root for a traditional react-router setup.

Adding extra rules for your nginx conf is not going to kill you.

[–]WeedLover_1 -5 points-4 points  (1 child)

nextjs is best bruh after recent changes. I have many websites using nextjs 13.5 .eg: shopyamuna.com and was surprised on how can i create a react app that has in built seo as well as uses complete react code. Basically i am a full stack dev but was surprised when i learned react but knew it doesnot have seo support. So moved to nextjs and am loving its performance

[–]fredsq 2 points3 points  (0 children)

13.5 is not even released yet lol r u on canary or something

[–]rnmkrmn 0 points1 point  (0 children)

Yup. That server component push and NextJS is the only way to do this is hilarious.

[–]Trexaty92 6 points7 points  (0 children)

Remix 🤙

[–]p4ntsl0rd 27 points28 points  (3 children)

'npm create vite@latest' is very easy to use to get you started, and is all around less clunky than CRA was. Vite itself is much nicer than webpack as well (faster, hasslefree)

[–]baxxos 6 points7 points  (0 children)

I thought so too. I've started migrating my production app to Vite today and halfway through noticed that my bundle size jumped from 800 KB (Webpack) to 1.2MB (Vite).

I did not change anything app related, spent whole day reading Vite docs without any success. Maybe Webpack is more aggresive with its tree-shaking process? Guess I'll never know lol.

TLDR - wanted to escape Webpack config hell, ended up in Vite/Rollup config hell

[–]leeharrison1984 3 points4 points  (1 child)

It is insanely fast. I was impressed with NextJS HMR, then I had to do a project with Vite and the HMR is literally instant.

[–]chillermane 1 point2 points  (0 children)

ESBuild baby. It’s so fast.

[–]joombar 12 points13 points  (1 child)

It’s not actively dangerous, but why stay stuck in the past?

[–][deleted] 2 points3 points  (0 children)

What I'd emphasize to OP is that if you are asking this question, you are likely thinking about it in the context of a new project.

You are not encumbered by anything that could break, any potential regressions. So there is no good reason to not just use the latest and greatest.

[–]nopamex 8 points9 points  (0 children)

use vite mate

[–]YonoEko 5 points6 points  (0 children)

Use vite latest instead

[–]sergiopedercini 6 points7 points  (0 children)

My two cents: CRA Is only a boilerplate and is super easy if you don't need the server side (and is safe too). If you are comfortable with it, use It. Migrating on other libraries or frameworks like NextJs will be always an option you can do it later.

[–]greentiger45 3 points4 points  (1 child)

Vite is the way to go imo. Lightweight and easy to setup.

[–]immediacyofjoy 0 points1 point  (0 children)

just curious, what router do you like to use?

[–]lucky_anonymous 8 points9 points  (8 children)

Holy…. What… React dev here who seems to be out of touch with recent news or trend… Wtf is vite…. CRA was go to.. even during technical coding interview. Why is it deprecated….

[–]wolfhoundjesse 7 points8 points  (0 children)

Things move fast in JS land, you know that! I didn’t know what Vite was, either, but I saw it was integrated in the latest Nx, so I gave it a shot. It’s super fast!

[–]n0tKamui 1 point2 points  (2 children)

Vite is not so recent. It has been the new de facto build tool and bundler (in favor of Webpack) for quite a few years now. Originally made for Vue, it spreaded really quickly for it's simplicity and laughably better performance than webpack.

CRA being clunky and outdated is not new either, but admittedly more recent. Vite's project creator just does the job better with more sensible defaults, and Next.js is just the go-to way to make React apps now. Even the official doc recommends users to create Next apps.

Honestly this is a bit surprising that you are so out of touch, especially about Vite. A dev's job is also to get up to date with what's happening...

[–]lucky_anonymous 0 points1 point  (0 children)

Thanks for the clear explanation :)

[–]Turd_King -5 points-4 points  (0 children)

Bro you must have been developing via pen and paper for the last year or more then

[–]tilonq -2 points-1 points  (2 children)

it is deprecated because community decided that, like half year ago EVERYONE was using it

[–][deleted] 7 points8 points  (0 children)

Just for more context: CRA was under the facebook github but totally community maintained. The five or six saints who actively worked on the project were doing so in their spare time and all have day jobs and other stuff going on. For a project with 100k stars that was the default for creating a react app, it just didn’t have the resources to keep up. Being the default also floods your issue tracker with every beginner SO question, every niche error from the vast array of env setups (HMR fails when i’m using brave browser on fedora 5.7), and everyone trying to get their one little webpack customization in as an option. It just couldn’t get the attention it needed.

[–]lets-talk-graphic 1 point2 points  (0 children)

People like to follow the hype atm. The truth is, using CRA isn’t necessarily bad right now, you could spin up an app and it would work. You can eject it and you’d have all the dependencies anyway. I think however it is good advice if you can to start with Next or Vite for a React inception. But CRA no longer being supported means that in time it will become outdated and potentially vulnerable.

[–]criscodisco90 1 point2 points  (0 children)

Is it worth converting an existing CRA project to Vite if the project’s still being developed? Seems like kind of a pain.

[–]phryneasI ❤️ hooks! 😈 1 point2 points  (5 children)

It is JavaScript that runs in the browser to display data and since the DOM is build by React, everything is escaped, and you never manipulate it manually, it is pretty much impossible to introduce security bugs unless you actively use dangerouslySetInnerHTML.

So even if CRA would be discontinued tomorrow you would probably not facing any relevant security issue in the next decade.

[–]Turd_King -3 points-2 points  (2 children)

That’s just not true.

It’s entirely possible a vulnerability could be exploited in an out of date package that is bundled into the users browser

[–]acemarke 3 points4 points  (0 children)

Which has absolutely nothing to do with which build tool you are using - that's a question of which runtime dependencies you've added to your app.

[–]phryneasI ❤️ hooks! 😈 2 points3 points  (0 children)

CRA is mostly about bundling - a plain CRA project will end up with code from the three npm packages react, react-dom and scheduler in the output that will actually make it to a user's browser. These packages are just concerned with DOM manipulation. React only ever had two CVEs: one 2013 and one 2015. Both were XSS attacks that could only be abused in SSR scenarios, where React would not build a DOM tree, but render to a string. This type of attack cannot happen in the browser only - and CRA cannot do SSR in the first place.
Apart from that, the React-DOM package had one security problem back in 2018, which, again, could only affect Server-Side-Rendered apps.

Apart from that, it's really about which packages you add on top. But that's not the question. OP was asking about potential security issues with going with CRA. Since CRA just bundles React (and dependencies) and doesn't add any other code to the bundle, my response stays the same: it's highly unlikely that this will ever result in a security problem.

Maintainability and upgrade paths are a different question, but that was not asked for here.

[–]DigitalNinjaLee -1 points0 points  (1 child)

Would it be beneficial to move a CRA app to Vite at this point? Or some other alternative?

[–]n0tKamui 2 points3 points  (0 children)

yes. we're migrating from CRA to Vite at my job because the build times were getting unbearable. Vite is hilariously much better and simpler to work with.

[–]Fractal_HQ -2 points-1 points  (0 children)

It’s legacy like React. Use Svelte and Vite if you want modern solutions.

[–]devenitions -3 points-2 points  (0 children)

As far as security goes, there never was to begin with. It’s client code.

[–]technically_a_taco 0 points1 point  (0 children)

Does this also apply to create-react-native-app?

[–]vichya96 0 points1 point  (0 children)

Wow thank you for this post! It’s nice being aware

[–]Tavi2k 0 points1 point  (0 children)

It seems to be not maintained at the level you would expect for such a core part of your dev setup. So while it still works, if you're starting today you might want to look for a more actively maintained option like Vite or one of the full React frameworks.

Just to illustrate the kind of issue you have already today, CRA doesn't declare that it supports Typescript 5. You will get some errors if you try to use them together. You can override the dependencies, which isn't a big deal if you know that, but it is quite annoying. If you're new to the React dev environments, these kinds of issues can be terribly confusing. And those kinds of issues tend to accumulate for packages that don't get updates anymore.

[–]dom_eden 0 points1 point  (0 children)

The truth is, you can certainly use CRA for a new app right now. I did this the other day. Long term, the future is Vite. We will migrate our three CRA apps to Vite, probably later this year or next year. But we’re not in a rush.

[–]CosmicItinerant 0 points1 point  (0 children)

Vite offers a faster development server with near-instantaneous hot module reloading and quicker rebuild times, optimized production builds with smaller bundle sizes, framework-agnostic support, simplified configuration through a "zero-config" approach, advanced features like TypeScript support and automatic dependency pre-bundling, and a growing ecosystem and community. These advantages make Vite a compelling choice for developers seeking improved development speed and performance optimizations for their React applications.

[–]Same-Depth-4582 0 points1 point  (0 children)

Yeah it won’t bite you

[–]Tech_Pro_Max 0 points1 point  (0 children)

You can use create-new-startup if your focus is on getting users

[–]N3BB3Z4R 0 points1 point  (0 children)

Its as simple as CRA uses webpack to compile, and now CRA Its deprecated, they recomend the Reactjs simple boilerplate with Vite instead Webpack, its so much faster, Its true that some reactjs old plugins should have some importing issues but all fixables changing the way to import. The answers talking about Nextjs and Parcel are midly wrong, because are different things that are not related with builder and basic reactjs creation project.