Safeguard
Open Source

react-sortable-hoc: Security and Maintenance Status Review

react-sortable-hoc is no longer actively maintained and leans on the soon-to-be-removed findDOMNode API. Here's what that means for your risk and what to migrate to.

Yukti Singhal
Platform Engineer
5 min read

react-sortable-hoc is a popular set of higher-order components for building sortable drag-and-drop lists in React, but it is no longer actively maintained and its maintainer now points new projects to dnd-kit instead. That maintenance status is the single most important thing to know before you add it to a codebase in 2025, because the security question for a component like this is less about a specific CVE and more about whether anyone will fix the next problem that appears.

What react-sortable-hoc is

The library, published by Clauderic Demoustier, wraps any list in higher-order components that make its items draggable, touch-friendly, and animated. For years it was a default choice for reorderable lists in React apps because the API was small and the results looked polished. It still has a large install base and a stable feature set.

The problem is not that it stopped working. It is that the project has entered maintenance-only mode with no new features planned, and its README now recommends that new consumers adopt dnd-kit, a newer library from the same author with a modern architecture and built-in accessibility.

The findDOMNode dependency is the real risk

The technically interesting concern is architectural. react-sortable-hoc relies on React's findDOMNode method to locate the DOM elements it manipulates during a drag. findDOMNode is a legacy escape hatch that the React team has long discouraged. It is deprecated in React's Strict Mode and is slated for removal from react-dom in a future major version.

When findDOMNode is removed, code that depends on it stops working, not with a security exploit, but with a hard runtime break. For a maintained library that would be a routine migration. For a library in maintenance-only mode, it is an open question who ships the fix and when. If you are on the latest React and running Strict Mode, you will already see deprecation warnings from this path.

This is the pattern worth internalizing: an unmaintained dependency does not have to contain a vulnerability to become a liability. It becomes a liability the moment the ecosystem moves and nobody is left to move with it.

Known vulnerabilities

As of this review, public advisory databases do not list a direct high-severity vulnerability in react-sortable-hoc itself. That is genuinely good news and worth stating plainly rather than manufacturing alarm. But two caveats apply.

First, "no known direct vulnerability today" is a snapshot, not a guarantee. The value of an actively maintained package is that when a vulnerability is disclosed, a patch follows. A maintenance-only package offers weaker assurances there.

Second, the risk in any dependency includes its own transitive dependencies. A drag-and-drop library pulls in helpers, and those helpers have their own advisory histories. This is exactly where automated scanning earns its keep, an SCA tool resolves the full transitive tree and tells you if anything below react-sortable-hoc carries a known CVE, which manual inspection of your direct dependencies would never surface.

Should you keep using it?

For an existing, stable application that already ships react-sortable-hoc and pins its React version, there is no emergency. It works, and there is no active exploit to run from. Add it to your dependency inventory, keep an eye on advisory feeds, and plan the migration on your own timeline rather than in a panic.

For a new project, choose something maintained. The author's own recommendation, dnd-kit, gives you feature parity, a modern hook-based API, no findDOMNode dependency, and accessibility support that react-sortable-hoc never had. Starting new work on a library the maintainer has effectively sunset is choosing technical debt on day one.

How to check where it sits in your tree

You may be shipping it without a direct dependency on it. Check with npm:

npm ls react-sortable-hoc

If it shows up only as a transitive dependency of something else, the fix is to update or replace the parent package rather than the component itself. Audit the whole tree for advisories while you are there:

npm audit

Treat any unmaintained package in the output as a planning item even when npm audit reports zero vulnerabilities, because the audit only knows about problems that have already been disclosed.

FAQ

Is react-sortable-hoc safe to use in 2025?

There is no known direct high-severity vulnerability in it, so an existing app using a pinned React version is not in immediate danger. The concern is that it is maintenance-only and depends on the deprecated findDOMNode, so it is a poor choice for new work.

Why does the findDOMNode dependency matter?

findDOMNode is deprecated and scheduled for removal from react-dom. When it goes, code relying on it breaks at runtime. A maintained library would ship a migration; a maintenance-only one may not, on any predictable schedule.

What should I use instead of react-sortable-hoc?

dnd-kit, recommended by react-sortable-hoc's own maintainer. It offers feature parity, a modern architecture, no findDOMNode dependency, and built-in accessibility.

Does npm audit catch the risk in react-sortable-hoc?

Only partially. npm audit reports disclosed vulnerabilities, so it will not flag a package purely for being unmaintained. Use it alongside a review of maintenance status and a full transitive-dependency scan.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.