React Lifecycle Intelligence

React End-of-Life Dates —
What's Actually Supported in 2026

Updated May 19, 2026 · endoflife.ai · 7 min read

React's end-of-life story is confusing because Meta doesn't publish explicit EOL dates the way Node.js or Python do. There's no official "React 18 EOL: December 31, 2025" announcement. Instead, Meta's policy is simple and quietly enforced: only the latest major version receives active development and security fixes. Everything else is on borrowed time.

React 19 shipped in December 2024. That means React 18, 17, and 16 are all effectively past active support. If you're still running them in production, you're running software that Meta is no longer actively patching — and that creates a real CVE exposure window your scanner probably isn't flagging.

React EOL Schedule — All Major Versions

React follows semantic versioning. Meta actively develops only the latest major version. Previous major versions receive critical security patches for a period — but there's no published timeline for how long, and no formal EOL announcement. The practical EOL date for any React major version is when the next major version ships.

Version Released Succeeded by Status EOL Risk Score™
React 15 Apr 2016 React 16 (Sep 2017) EOL 94
React 16 Sep 2017 React 17 (Oct 2020) EOL 88
React 17 Oct 2020 React 18 (Mar 2022) EOL 82
React 18 Mar 2022 React 19 (Dec 2024) Security Only 61
React 19 Dec 2024 Current Supported 14
Why no hard EOL dates? Meta doesn't publish formal end-of-life dates for React versions. Unlike Node.js (which has an explicit LTS schedule) or Python (which publishes exact EOL dates years in advance), React's support policy is implicit: the latest major version is supported, previous versions receive critical security patches at Meta's discretion, with no defined end date. This ambiguity is itself a risk — you can't plan a migration against a deadline you don't know.

React 18 — Active Support Ended December 2024

React 18
Released Mar 29, 2022 · Superseded Dec 2024 · Security patches only
61
EOL Risk Score™

React 18 was the current version for nearly three years — March 2022 to December 2024. It introduced concurrent rendering, automatic batching, Suspense improvements, and the useTransition and useDeferredValue hooks. It became the most widely deployed React version in the ecosystem.

React 19 shipped in December 2024, which moved React 18 from active development to security-patch-only status. Meta has not published a date when those security patches will stop. In practice, React 18 is receiving only critical fixes, and the window for those will close as 19 matures.

The EOL Risk Score™ for React 18 is 61 (High) — lower than Node.js or PHP equivalents because React runs in the browser and has a different attack surface profile, but still a meaningful exposure given how widely deployed it is.

What to do: Upgrade to React 19. The migration path is well-documented and most React 18 codebases can upgrade with minimal breaking changes. See the migration section below.

React 17 — Effectively Unsupported

React 17
Released Oct 20, 2020 · Superseded Mar 2022 · No active support
82
EOL Risk Score™

React 17 was notable for being the first major React release with no new developer-facing features — it was purely an infrastructure release that changed event delegation from document to the React root. This made it easier to embed React trees inside apps built with other technologies, and easier to upgrade React itself incrementally.

React 17 is now two major versions behind. Meta is not actively patching it. Last known patch: 17.0.2 in March 2021 — over five years ago. If you're running React 17, you are effectively running unsupported software with no security coverage whatsoever.

What to do: Upgrade to React 19. If your codebase is on 17, a direct jump to 19 is feasible but requires reviewing breaking changes across two major versions. The React 19 upgrade guide covers the full list.

React 16 — Long Past EOL

React 16
Released Sep 26, 2017 · Superseded Oct 2020 · No support
88
EOL Risk Score™

React 16 was a landmark release — it introduced the Fiber reconciler (a complete rewrite of React's core), error boundaries, portals, fragments, and the context API. It powered the ecosystem for three years. It is now three major versions behind.

React 16 receives no patches of any kind from Meta. Last known patch: 16.14.0 in October 2020. Any CVE discovered in React 16 will not be fixed. If you're running 16 in a production application in 2026, you have a significant unmanaged security exposure — particularly if your application handles user input, authentication, or sensitive data.

React 16 also depends on older build tooling that may itself be EOL — Create React App (archived), older Webpack configurations, and Babel configurations that haven't been touched in years.

What to do: This is a full modernization project, not just a version bump. Plan for dependency audits, build tool updates, and code changes. Prioritize this if your application handles user data.

React 19 — Current Supported Version

React 19
Released Dec 5, 2024 · Latest: 19.0.1 (Dec 2025) · Actively supported
14
EOL Risk Score™

React 19 is the current actively supported version. Key additions include Actions (async functions for state transitions), the use hook for reading resources including Promises, improved Server Components support, and new document metadata APIs that eliminate the need for libraries like React Helmet.

React 19 also removed several long-deprecated APIs — propTypes, defaultProps on function components, legacy string refs, and legacy Context API patterns. These removals are the primary source of breaking changes when upgrading from 16 or 17.

This is your target version. If you're on 18, the upgrade is straightforward. If you're on 16 or 17, plan for a fuller migration.

Why React EOL Is Harder to Track Than Node or Python

Most developers think of React as a dependency, not as infrastructure with a lifecycle — and that's exactly why React EOL risk gets missed.

No hard dates. Node.js tells you "Node 18 EOL: April 30, 2025." Python tells you "Python 3.8 EOL: October 7, 2024." Meta publishes no equivalent for React. The practical EOL date is inferred from when the next major version ships — which you only know after the fact.

React is client-side. Vulnerability scanners and SCA tools typically scan your server-side dependencies more thoroughly than your frontend bundle. React 16 running in a browser bundle often goes undetected by security tooling that's scanning your package.json server dependencies.

React 18 is everywhere. The npm download numbers for React 18 are enormous. It's the version that most of the ecosystem built against — component libraries, testing utilities, meta-frameworks. Many teams are still on 18 not because they haven't noticed, but because their dependency tree hasn't forced the move yet.

The compliance angle If your application is going through SOC 2, PCI DSS, or HIPAA audit, your auditor will look at your frontend dependencies as part of their software inventory review. React 16 or 17 in a production bundle — particularly one handling user authentication or payment flows — is a finding. React 18 in security-only mode is a documented risk that needs compensating controls or a migration timeline. See our full compliance guide.

How to Upgrade to React 19

From React 18 — Straightforward

From React 16 or 17 — Plan a Full Migration

Check your full stack for EOL exposure

React is one component. Check your runtime, OS base images, and backend dependencies too — free, no signup required.

Scan your stack Check a version Risk Score methodology

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.