React's end-of-life story is confusing because Meta doesn't publish explicit EOL dates the way Node.js or Python do. There's no official "React 18 EOL: December 31, 2025" announcement. Instead, Meta's policy is simple and quietly enforced: only the latest major version receives active development and security fixes. Everything else is on borrowed time.
React 19 shipped in December 2024. That means React 18, 17, and 16 are all effectively past active support.
React EOL Schedule — All Major Versions
| Version | Released | Succeeded by | Status | EOL Risk Score™ |
|---|---|---|---|---|
| React 15 | Apr 2016 | React 16 (Sep 2017) | EOL | 94 Critical |
| React 16 | Sep 2017 | React 17 (Oct 2020) | EOL | 88 Critical |
| React 17 | Oct 2020 | React 18 (Mar 2022) | EOL | 82 Critical |
| React 18 | Mar 2022 | React 19 (Dec 2024) | Security Only | 61 High |
| React 19 | Dec 2024 | Current | ✅ Supported | 14 Low |
Why no hard EOL dates? Meta doesn't publish formal end-of-life dates for React versions. Unlike Node.js (which has an explicit LTS schedule) or Python (which publishes exact EOL dates years in advance), React's support policy is implicit: the latest major version is supported, previous versions receive critical security patches at Meta's discretion, with no defined end date. This ambiguity is itself a risk — you can't plan a migration against a deadline you don't know.
React 18 — Active Support Ended December 2024
EOL Risk Score™: 61 High
React 18 was the current version for nearly three years — March 2022 to December 2024. It introduced concurrent rendering, automatic batching, Suspense improvements, and the useTransition and useDeferredValue hooks. It became the most widely deployed React version in the ecosystem.
React 19 shipped in December 2024, which moved React 18 from active development to security-patch-only status. Meta has not published a date when those security patches will stop.
What to do: Upgrade to React 19. The migration path is well-documented and most React 18 codebases can upgrade with minimal breaking changes.
React 17 — Effectively Unsupported
EOL Risk Score™: 82 Critical
React 17 is now two major versions behind. Meta is not actively patching it. Last known patch: 17.0.2 in March 2021 — over five years ago. If you're running React 17, you are effectively running unsupported software with no security coverage whatsoever.
What to do: Upgrade to React 19. A direct jump from 17 to 19 is feasible but requires reviewing breaking changes across two major versions.
React 16 — Long Past EOL
EOL Risk Score™: 88 Critical
React 16 receives no patches of any kind from Meta. Last known patch: 16.14.0 in October 2020. Any CVE discovered in React 16 will not be fixed. React 16 also depends on older build tooling that may itself be EOL — Create React App (archived), older Webpack configurations, Babel configurations that haven't been touched in years.
What to do: This is a full modernization project, not just a version bump. Plan for dependency audits, build tool updates, and code changes.
Why React EOL Is Harder to Track Than Node or Python
No hard dates. Node.js tells you "Node 18 EOL: April 30, 2025." Python tells you "Python 3.8 EOL: October 7, 2024." Meta publishes no equivalent for React. The practical EOL date is inferred from when the next major version ships.
React is client-side. Vulnerability scanners and SCA tools typically scan your server-side dependencies more thoroughly than your frontend bundle. React 16 running in a browser bundle often goes undetected by security tooling.
React 18 is everywhere. Many teams are still on 18 not because they haven't noticed, but because their dependency tree hasn't forced the move yet.
The compliance angle: If your application is going through SOC 2, PCI DSS, or HIPAA audit, your auditor will look at your frontend dependencies. React 16 or 17 in a production bundle handling user authentication or payment flows is a finding.
How to Upgrade to React 19
From React 18 — Straightforward
01 — Update dependencies
Run npm install react@19 react-dom@19. Also update @types/react and @types/react-dom if you're using TypeScript.
02 — Run the React 19 codemod
Meta provides an official codemod: npx codemod@latest react/19/migration-recipe. This handles the most common breaking changes automatically.
03 — Check third-party libraries
The most common blocker is third-party component libraries that haven't updated their peer dependency declarations. Run npm install --legacy-peer-deps as a temporary measure.
04 — Review removed APIs
React 19 removed propTypes, string refs, legacy context, and ReactDOM.render. The codemod handles most of these.
From React 16 or 17 — Plan a Full Migration
01 — Audit your full dependency tree first
Run npm outdated and npx depcheck. Identify every dependency that has a peer dependency on React 16 or 17.
02 — Upgrade your build tooling
If you're on Create React App (archived), migrate to Vite or Next.js before upgrading React.
03 — Upgrade to 18 first, then 19
Upgrading to 18 first, stabilizing, then upgrading to 19 is lower risk and easier to scope as two separate sprints.
04 — Use StrictMode to surface issues early
<React.StrictMode> activates additional checks that surface deprecated patterns before they become breaking changes.
Check your full stack for EOL exposure at endoflife.ai — free EOL checker, stack scanner, and EOL Risk Score™ for 455+ products. No signup required.
Top comments (0)