Safeguard
Open Source

Is react-device-detect Safe? A Security Review of the npm Package

A look at react-device-detect, what the library does with user-agent parsing, and the supply-chain and privacy considerations before you add it to a React app.

Karan Patel
Platform Engineer
5 min read

react-device-detect is a client-side React library that reads the browser user-agent string to tell you what device, browser, and OS a visitor is on, and for most apps it is safe to use as long as you treat its output as a hint rather than a security control. The library is popular precisely because device branching is a common need, but "popular and useful" and "risk-free" are not the same thing, so this review walks through what it does and what to verify.

What react-device-detect provides

The package exposes a set of boolean flags and helper components derived from parsing navigator.userAgent. You import the value you need and branch on it:

import { isMobile, isTablet, browserName, osName } from 'react-device-detect';

function Banner() {
  if (isMobile) {
    return <p>Tap to install our mobile app</p>;
  }
  return <p>Download for {osName}</p>;
}

It also ships components like BrowserView and MobileView that render children only on matching devices, plus a deviceDetect() function that returns a full object of parsed attributes. Under the hood it leans on user-agent parsing logic rather than feature detection.

The core limitation: it trusts the user-agent

Everything the library reports comes from a string the client fully controls. A user-agent can be spoofed with a browser extension, a custom HTTP client, or devtools device emulation. That is fine for cosmetic branching, and it is a real problem if you ever use the result to gate access, enforce licensing, or make a trust decision.

The rule is simple. Use react-device-detect to change what a UI looks like. Never use it to decide what a user is allowed to do. Authorization belongs on the server, tied to identity, not to a self-reported device flag. If a mobile-only feature must be enforced, enforce it with a server-side check, not with isMobile.

There is also a correctness caveat that matters for planning. User-agent based detection ages badly. New devices, new browser versions, and the industry's slow move to freeze and reduce the user-agent string all mean the parser will misclassify some traffic. For layout decisions, prefer CSS media queries and the matchMedia API where you can, and reserve the library for cases where you genuinely need to know the device family in JavaScript.

Supply-chain review before you install

The most important security questions about any npm dependency are not about the code you can see, they are about the code you inherit. Before adding react-device-detect, check a few things.

First, look at the dependency footprint:

npm view react-device-detect dependencies
npm ls react-device-detect

A device-detection library will pull in a user-agent parsing dependency. That transitive package is where regex-based parsers have historically had denial-of-service issues, because a maliciously crafted user-agent string can trigger catastrophic backtracking in a poorly written regular expression. This is the "ReDoS" pattern. You are not likely to hit it in a purely client-side render, since each browser only parses its own user-agent, but if you run the same detection server-side on attacker-supplied headers, a slow-regex input becomes a real availability concern.

Second, check maintenance signals. Look at the last publish date, open issue count, and whether the maintainers respond to security reports. A device library that has not shipped in years will steadily misclassify newer devices even if it has no exploitable flaw.

Third, pin and audit. Commit your lockfile and run:

npm audit

For continuous coverage, a software composition analysis pass will track the transitive user-agent parser and alert you when an advisory lands against it. This is where an SCA tool earns its place, because the risk in react-device-detect is almost never in react-device-detect itself, it is one level down.

Privacy considerations

Device, browser, and OS attributes are low-entropy on their own, but combined with other signals they contribute to browser fingerprinting. If your app is subject to GDPR, CCPA, or similar regimes, be honest in your privacy notice about what you collect and why. Reading the user-agent to pick a layout is ordinary; harvesting the full deviceDetect() object and shipping it to an analytics endpoint alongside other identifiers moves you toward fingerprinting territory that may require consent.

Keep the data on the client unless you have a reason to send it. If you only use isMobile to swap a component, that value never needs to leave the browser.

A safe integration pattern

Here is a pattern that keeps the library in its lane:

import { isMobile } from 'react-device-detect';

// UI hint only — never an authorization decision
export function useLayoutMode() {
  return isMobile ? 'compact' : 'full';
}

Pair that with server-side enforcement for anything that matters, and prefer CSS for pure layout. Treat the parsed output as advisory data, keep the dependency updated, and audit the transitive parser. For a wider view of vetting npm packages before adoption, see our dependency scanning walkthrough.

FAQ

Is react-device-detect safe to use?

For client-side UI branching, yes. The main risks are relying on it for security decisions (it trusts a spoofable user-agent) and inheriting a vulnerable transitive user-agent parser. Audit the dependency tree and never use its flags for authorization.

Can react-device-detect be spoofed?

Yes. It reads navigator.userAgent, which the client fully controls and can trivially fake. Use it to shape the interface, not to gate access or enforce rules.

Does react-device-detect work server-side?

Its detection functions can run on a supplied user-agent string, but running regex-based parsing on attacker-controlled headers introduces a denial-of-service risk from pathological inputs. Validate and bound any server-side use.

What is a safer alternative for responsive layout?

Use CSS media queries and the matchMedia API for layout decisions. They respond to actual viewport and capability signals rather than a self-reported string, and they age far better than user-agent parsing.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.