react-scripts is the build toolchain behind Create React App, and now that CRA has been formally deprecated, projects still leaning on react-scripts are running on software in maintenance mode with no active feature development. That is not an emergency, but it is a real supply chain consideration, because a build tool with a deep dependency tree and few maintainers is exactly where unpatched vulnerabilities accumulate.
This guide explains what react-scripts is, what the deprecation actually changed, and how to reason about the security of an app that still depends on it.
What react-scripts Is
react-scripts is the single package that bundles everything Create React App needed to build, run, and test a React application: webpack for bundling, Babel for transpilation, ESLint for linting, Jest for testing, and a development server. The whole point was to hide that configuration behind one dependency so you could run react-scripts start and react-scripts build without touching webpack yourself.
{
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test"
}
}
That convenience came at a cost that is now the headline: react-scripts pins a large, opinionated dependency tree, and you do not control the versions of the tools inside it.
The Deprecation and What Changed
On February 14, 2025, the React team formally deprecated Create React App. New installs print a deprecation warning, and the official guidance is to migrate existing apps to a framework like Next.js or a build tool like Vite. The trigger was compatibility: CRA's pinned dependency tree conflicted with React 19's peer requirements, and with no active maintainers to reconcile it, the project could not keep pace.
Two facts matter for planning. First, the last significant update to react-scripts predates the deprecation by years, so the tool has been effectively frozen for a while. Second, CRA continues to work in maintenance mode rather than disappearing, so nothing breaks overnight. The latest version of react-scripts remains 5.0.1, and you should not expect meaningful new releases beyond compatibility touch-ups.
Note that this is separate from React itself. React and react-dom are actively developed and on the 19.x line; the react-dom latest version tracks current React releases and is not affected by CRA's status. It is only the build tooling wrapper that is frozen.
The Security Implications
A frozen build tool creates a specific kind of risk, and it is worth being precise about it.
Transitive vulnerabilities go unpatched. react-scripts 5.0.1 pins particular versions of webpack, PostCSS, and dozens of other packages. When one of those has a CVE, you cannot simply wait for react-scripts to release a fix, because it will not. You are left choosing between npm audit fix --force (which can break the pinned tree), manual overrides, or living with the finding.
npm audit noise is high and often benign. Many advisories in a CRA tree affect build-time-only dependencies that never reach the browser. A ReDoS in a dev-server dependency is not the same risk as a vulnerability in code you ship. Reading the advisory to see whether it affects runtime or only the build is the difference between a real issue and noise.
You inherit the maintenance gap. With no upstream steward, the responsibility for evaluating each finding shifts entirely to you.
A practical way to cut through the noise is to scan with a tool that distinguishes runtime from build-time exposure and resolves the real transitive graph. An SCA scanner such as Safeguard can tell you which of the dozens of npm audit entries actually ship to users, which is where your attention belongs. The SCA product page covers that reachability distinction.
Using npm overrides as a Stopgap
If you are not ready to migrate, overrides lets you force a patched version of a transitive dependency without waiting on react-scripts.
{
"overrides": {
"nth-check": "^2.1.1",
"postcss": "^8.4.31"
}
}
This works, but treat it as a bridge, not a destination. Overrides can introduce their own incompatibilities because you are pushing a version the tool was never tested against, so build and test after each one.
The Real Fix: Migrate
The durable answer is to move off react-scripts. Vite is the most common direct replacement and gets you a maintained toolchain, faster builds, and modern defaults. The migration is usually mechanical: swap the scripts, move index.html to the project root, update environment-variable prefixes, and adjust a handful of imports.
npm create vite@latest my-app -- --template react-ts
For apps that would benefit from routing and server rendering, migrating to a framework like Next.js or React Router with Vite is the officially recommended path. Either way, you exit maintenance mode and rejoin a supported toolchain, which is the only lasting way to keep build-time dependencies patched.
FAQ
Is react-scripts deprecated?
Create React App, which react-scripts powers, was formally deprecated on February 14, 2025. react-scripts still works in maintenance mode, but it receives no meaningful new development, so migration is recommended.
What is the latest version of react-scripts?
The latest version of react-scripts is 5.0.1, and it has been the current release for a long time. Do not expect substantial new versions given CRA's deprecated status.
Does the CRA deprecation affect react-dom?
No. React and react-dom are actively maintained on the 19.x line, and the react-dom latest version tracks current React releases. Only the Create React App build tooling is frozen.
How do I handle npm audit findings in a react-scripts project?
Read each advisory to see whether it affects code that ships to the browser or only the build. Use overrides to force patched transitive versions as a stopgap, and plan a migration to Vite or a framework for a lasting fix.