> A good example is a tool like `create-react-app` (especially if you add TypeScript support). It's super easy to use and creates the project scaffold and enormous JS build system for you, but good luck trying to fix it if something breaks!
It's also really, really huge. Where I work, we mostly use ASP.NET with a few JavaScript libraries. A team made a new thing in React. The node_modules weigh 276 Mb for a 2 Mb app. npm audit says that there are 11 vulnerabilities, but the package.json was updated 2 weeks ago (and this is with npm install, not npm ci). There are in total 1000 libraries. 165 of them are looking for funding, which means they could easily be the target of a malicious agent (take the repo, publish something new on npm obfuscated, extract credentials). I see the value of modern development tools, but this is just insanity, and going way too fast.
I used to be a huge fan of lots of small libraries updating often, but now that I'm in an enterprise context, it's hard to say the same. I wonder how people deal with this.
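Added example (my own script, not code from any commenter): a small Node script that summarises a package-lock.json so the "1000 libraries, 165 looking for funding" inventory above can be reproduced per project, and that also lists packages whose lock entry has no `integrity` hash. The lockfile embedded in it is constructed sample data in the lockfileVersion 2/3 layout; on a real project you would read `package-lock.json` from disk instead.

```javascript
// Summarise a package-lock.json (lockfileVersion 2/3) the way a reviewer would
// before signing off on a dependency tree: total packages, direct vs transitive,
// dev-only, how many declare a "funding" field, and which entries carry no
// integrity hash (so the fetched tarball cannot be verified against the lock).
// The lock below is constructed sample data, not a real project's lock.
const sampleLock = {
  name: "sample-app", lockfileVersion: 3, packages: {
    "": { name: "sample-app", dependencies: { "left-ui": "^1.0.0" },
          devDependencies: { "dev-tool": "^0.9.0" } },
    "node_modules/left-ui": { version: "1.0.0", integrity: "sha512-AAAA",
      funding: { url: "https://example.invalid/sponsor" },
      dependencies: { "tiny-helper": "^2.0.0" } },
    "node_modules/tiny-helper": { version: "2.3.1", integrity: "sha512-BBBB" },
    "node_modules/dev-tool": { version: "0.9.0", dev: true, integrity: "sha512-CCCC",
      funding: [{ url: "https://example.invalid/a" }] },
    // Nested copy of a second major version, and no integrity field on it.
    "node_modules/left-ui/node_modules/tiny-helper": { version: "1.0.0" }
  }
};

function summarizeLock(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const summary = { total: 0, direct: 0, transitive: 0, dev: 0, funding: 0,
                    noIntegrity: [], duplicated: [] };
  const versionsByName = new Map();
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;                        // root project, not a dependency
    // Last path segment after "node_modules/" keeps scoped names ("@scope/pkg") intact.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    summary.total++;
    if (direct.has(name)) summary.direct++; else summary.transitive++;
    if (meta.dev) summary.dev++;
    if (meta.funding) summary.funding++;              // maintainer asks for sponsorship
    if (!meta.integrity && !meta.link) summary.noIntegrity.push(name);
    const seen = versionsByName.get(name) || new Set();
    seen.add(meta.version);
    versionsByName.set(name, seen);
  }
  for (const [name, versions] of versionsByName)
    if (versions.size > 1) summary.duplicated.push(name);   // same package, several versions
  return summary;
}

// Real project: const lock = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
console.log(JSON.stringify(summarizeLock(sampleLock), null, 2));
```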
Wait till you have to support this system over the upgrade paths for those 1000 dependencies of varying pedigree and funding, and React has changed their one true way often, which affects those libraries, many of which just deprecate and you have to find alternatives.
Is there even such a thing? I know that there were class components and then function components and then hooks, but outside of that, the insistence on React being a library means that the ecosystem is very fragmented. There's CRA, there's Next, there's Gatsby. There are lots of different ways to do CSS. TypeScript? No TypeScript?
I wish there was a frontend framework focused on stability over time.