Safeguard
Open Source

Is Formik on npm Safe? A Security Review

Formik is a widely used React form library. Here is an honest look at its security history, dependency risk, and how to use it safely.

Aisha Rahman
Security Analyst
5 min read

The formik npm package has a clean direct-vulnerability record in current versions, but its real risk lives in its transitive dependencies and its slowing maintenance cadence — so treat it as safe to use while monitoring what it pulls in. Formik is one of the most popular form-state libraries for React, and popularity is not the same as security, so it is worth understanding where the actual risk sits before you npm install formik.

The good news up front: scans of the main formik package do not report direct vulnerabilities in recent releases, and malware/tampering scans have come back clean. The nuance is in the history and in the dependency tree.

The one historical CVE worth knowing

Formik itself has not been the source of a headline vulnerability, but older versions inherited one transitively. Versions in the formik@1.5.x line depended on node-fetch in a way that exposed CVE-2020-15168, an issue in node-fetch where the size limit for response bodies was not enforced, enabling a denial-of-service via oversized payloads. That exposure was resolved once Formik moved to the 2.x line, which dropped the vulnerable dependency path.

The lesson is not "Formik was dangerous." It is that a form library with zero flaws in its own code can still ship you a CVE through something it depends on. If you are still on a 1.x version of npm formik for legacy reasons, that alone is a reason to plan an upgrade to 2.x.

Where the risk actually lives: the dependency tree

Formik's own source is small and well-exercised. The packages it pulls in — and the packages those pull in — are the surface you cannot see at a glance. A single npm install formik adds a subtree, and any one node in that subtree could carry a known CVE tomorrow that is clean today.

You can see the direct picture quickly:

npm ls formik
npm audit

But npm audit only tells you about advisories known at the moment you run it. The more durable practice is continuous monitoring of the full resolved tree. A software composition analysis tool such as Safeguard can watch Formik's transitive dependencies and alert you when a new advisory lands on something several levels deep — the exact scenario that produced the node-fetch issue in the first place.

Maintenance status: use with awareness

Formik has a large contributor base and remains one of the default choices for React forms, but its release cadence has slowed noticeably compared to its peak. That is not a reason to rip it out — plenty of mature, stable libraries release infrequently — but it does change your risk calculus:

  • If a vulnerability were discovered in Formik's own code, a fast upstream fix is less certain than it would be for an actively-shipping project.
  • New React features (concurrent rendering, newer hooks patterns) may land support more slowly.

Weigh this against alternatives like React Hook Form if you are starting a greenfield project. For an existing app already using Formik, staying is reasonable — just make the maintenance reality a conscious decision rather than an assumption.

Safe-usage practices

Beyond dependency hygiene, how you use Formik affects your application's security posture:

Validate on the server, always. Formik's client-side validation (whether hand-rolled or via a schema library like Yup) is a UX feature, not a security control. An attacker bypasses the form entirely and posts to your endpoint directly. Mirror every validation rule server-side.

Never trust field values as safe HTML. Formik just manages state; it does not sanitize. If you render submitted content back to the page, escape or sanitize it to avoid cross-site scripting. React escapes by default in JSX, but dangerouslySetInnerHTML on form-derived content is a classic XSS foothold.

Pin and lock. Commit your package-lock.json so every install resolves the same tree, and gate upgrades through review:

npm ci   # installs exactly what the lockfile specifies

Watch schema dependencies too. Most Formik setups pair it with a validation library. That library is part of your attack surface and deserves the same scanning as Formik itself.

A practical checklist

Before shipping a Formik-based form to production:

  1. Confirm you are on a 2.x version, not the legacy 1.x line.
  2. Run npm audit and resolve high-severity findings in the full tree, not just direct deps.
  3. Enable continuous SCA monitoring so new transitive advisories surface automatically.
  4. Verify server-side validation exists for every field, independent of Formik.
  5. Audit any place submitted values get rendered as HTML.

FAQ

Is the formik npm package safe to use?

Yes, current 2.x versions have no reported direct vulnerabilities and pass malware scans. The caveats are transitive dependency risk (monitor it continuously) and a slower maintenance cadence, which affects how quickly a future issue would be patched upstream.

Did Formik ever have a security vulnerability?

Not in its own code directly, but formik@1.5.x transitively exposed CVE-2020-15168 through node-fetch. Moving to the 2.x line removed that dependency path, so upgrading resolves it.

Should I use Formik or React Hook Form?

Both are viable. Formik is mature and widely adopted; React Hook Form is more actively developed and often lighter on re-renders. For new projects, evaluate React Hook Form; for existing Formik apps, staying is fine if you monitor dependencies and keep to the 2.x line.

Does client-side form validation in Formik protect me?

No. Client-side validation is a usability feature that an attacker can bypass by posting directly to your API. Always enforce the same rules on the server, where they cannot be skipped.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.