React End-of-Life Dates —
What's Actually Supported in 2026
React's end-of-life story is confusing because Meta doesn't publish explicit EOL dates the way Node.js or Python do. There's no official "React 18 EOL: December 31, 2025" announcement. Instead, Meta's policy is simple and quietly enforced: only the latest major version receives active development and security fixes. Everything else is on borrowed time.
React 19 shipped in December 2024. That means React 18, 17, and 16 are all effectively past active support. If you're still running them in production, you're running software that Meta is no longer actively patching — and that creates a real CVE exposure window your scanner probably isn't flagging.
React EOL Schedule — All Major Versions
React follows semantic versioning. Meta actively develops only the latest major version. Previous major versions receive critical security patches for a period — but there's no published timeline for how long, and no formal EOL announcement. The practical EOL date for any React major version is when the next major version ships.
| Version | Released | Succeeded by | Status | EOL Risk Score™ |
|---|---|---|---|---|
| React 15 | Apr 2016 | React 16 (Sep 2017) | EOL | 94 |
| React 16 | Sep 2017 | React 17 (Oct 2020) | EOL | 88 |
| React 17 | Oct 2020 | React 18 (Mar 2022) | EOL | 82 |
| React 18 | Mar 2022 | React 19 (Dec 2024) | Security Only | 61 |
| React 19 | Dec 2024 | Current | Supported | 14 |
React 18 — Active Support Ended December 2024
React 18 was the current version for nearly three years — March 2022 to December 2024. It introduced concurrent rendering, automatic batching, Suspense improvements, and the useTransition and useDeferredValue hooks. It became the most widely deployed React version in the ecosystem.
React 19 shipped in December 2024, which moved React 18 from active development to security-patch-only status. Meta has not published a date when those security patches will stop. In practice, React 18 is receiving only critical fixes, and the window for those will close as 19 matures.
The EOL Risk Score™ for React 18 is 61 (High) — lower than Node.js or PHP equivalents because React runs in the browser and has a different attack surface profile, but still a meaningful exposure given how widely deployed it is.
What to do: Upgrade to React 19. The migration path is well-documented and most React 18 codebases can upgrade with minimal breaking changes. See the migration section below.
React 17 — Effectively Unsupported
React 17 was notable for being the first major React release with no new developer-facing features — it was purely an infrastructure release that changed event delegation from document to the React root. This made it easier to embed React trees inside apps built with other technologies, and easier to upgrade React itself incrementally.
React 17 is now two major versions behind. Meta is not actively patching it. Last known patch: 17.0.2 in March 2021 — over five years ago. If you're running React 17, you are effectively running unsupported software with no security coverage whatsoever.
What to do: Upgrade to React 19. If your codebase is on 17, a direct jump to 19 is feasible but requires reviewing breaking changes across two major versions. The React 19 upgrade guide covers the full list.
React 16 — Long Past EOL
React 16 was a landmark release — it introduced the Fiber reconciler (a complete rewrite of React's core), error boundaries, portals, fragments, and the context API. It powered the ecosystem for three years. It is now three major versions behind.
React 16 receives no patches of any kind from Meta. Last known patch: 16.14.0 in October 2020. Any CVE discovered in React 16 will not be fixed. If you're running 16 in a production application in 2026, you have a significant unmanaged security exposure — particularly if your application handles user input, authentication, or sensitive data.
React 16 also depends on older build tooling that may itself be EOL — Create React App (archived), older Webpack configurations, and Babel configurations that haven't been touched in years.
What to do: This is a full modernization project, not just a version bump. Plan for dependency audits, build tool updates, and code changes. Prioritize this if your application handles user data.
React 19 — Current Supported Version
React 19 is the current actively supported version. Key additions include Actions (async functions for state transitions), the use hook for reading resources including Promises, improved Server Components support, and new document metadata APIs that eliminate the need for libraries like React Helmet.
React 19 also removed several long-deprecated APIs — propTypes, defaultProps on function components, legacy string refs, and legacy Context API patterns. These removals are the primary source of breaking changes when upgrading from 16 or 17.
This is your target version. If you're on 18, the upgrade is straightforward. If you're on 16 or 17, plan for a fuller migration.
Why React EOL Is Harder to Track Than Node or Python
Most developers think of React as a dependency, not as infrastructure with a lifecycle — and that's exactly why React EOL risk gets missed.
No hard dates. Node.js tells you "Node 18 EOL: April 30, 2025." Python tells you "Python 3.8 EOL: October 7, 2024." Meta publishes no equivalent for React. The practical EOL date is inferred from when the next major version ships — which you only know after the fact.
React is client-side. Vulnerability scanners and SCA tools typically scan your server-side dependencies more thoroughly than your frontend bundle. React 16 running in a browser bundle often goes undetected by security tooling that's scanning your package.json server dependencies.
React 18 is everywhere. The npm download numbers for React 18 are enormous. It's the version that most of the ecosystem built against — component libraries, testing utilities, meta-frameworks. Many teams are still on 18 not because they haven't noticed, but because their dependency tree hasn't forced the move yet.
How to Upgrade to React 19
From React 18 — Straightforward
-
01Update dependencies Run
npm install react@19 react-dom@19. Also update@types/reactand@types/react-domif you're using TypeScript. React 19 ships its own types — the DefinitelyTyped packages are now secondary. -
02Run the React 19 codemod Meta provides an official codemod:
npx codemod@latest react/19/migration-recipe. This handles the most common breaking changes automatically — updating ref handling, removing deprecated APIs, and updating context usage patterns. -
03Check third-party libraries The most common blocker for React 19 upgrades is third-party component libraries that haven't updated their peer dependency declarations. Run
npm install --legacy-peer-depsas a temporary measure while you wait for libraries to update — but flag these as technical debt to resolve. -
04Review removed APIs React 19 removed
propTypes, string refs, legacy context (contextTypes/childContextTypes), andReactDOM.render(deprecated in 18, removed in 19). The codemod handles most of these — manually review any it flags but doesn't auto-fix.
From React 16 or 17 — Plan a Full Migration
-
01Audit your full dependency tree first Run
npm outdatedandnpx depcheck. Identify every dependency that has a peer dependency on React 16 or 17 — these need to be updated or replaced before or alongside the React upgrade. -
02Upgrade your build tooling If you're on Create React App (archived), migrate to Vite or Next.js before upgrading React. CRA is unmaintained and won't support React 19. This is often the larger project inside the React upgrade.
-
03Upgrade to 18 first, then 19 Jumping two major versions directly is possible but creates a larger blast radius for debugging. Upgrading to 18 first, stabilizing, then upgrading to 19 is lower risk and easier to scope as two separate sprints.
-
04Use StrictMode to surface issues early
<React.StrictMode>activates additional checks that surface deprecated patterns before they become breaking changes. If you're on 16 or 17 and not using StrictMode, enable it in development now — it will expose issues you'll need to fix for 19 anyway.
Check your full stack for EOL exposure
React is one component. Check your runtime, OS base images, and backend dependencies too — free, no signup required.
Scan your stack Check a version Risk Score methodology