React Framework Faces Mounting Criticism Over Security, Performance and Vendor Lock-in
A widely shared article argues that React is often a poor technical fit, citing critical vulnerabilities, complex maintenance and a bloated ecosystem as reasons to return to web fundamentals.
A post on Hacker News titled "Does Anybody Actually Like React?" has aggregated extensive criticism of the React JavaScript library, arguing that the framework is increasingly a poor technical fit for modern development. The article, originally published on JSX.lol, contends that React has become a "proverbial hammer that makes everything look like a nail," often resulting in performance degradation, complex maintenance and a bloated ecosystem that hinders rather than helps development.
The critique is bolstered by specific security and governance concerns. On November 29th, Lachlan Davidson reported a critical security vulnerability in React, designated CVE-2025-55182, which allows unauthenticated remote code execution and carries a CVSS score of 10.0. Additionally, the author criticises Vercel for its handling of a separate critical security vulnerability disclosed in Next.js, describing the governance as poor and reckless. The article further alleges that Next.js has evolved into a vendor lock-in mechanism disguised as an open-source framework.
Beyond security, the piece highlights a growing scarcity of truly skilled React developers. Several chief technology officers reportedly noted that while entry-level developers are plentiful, experienced engineers who understand deeper patterns are becoming increasingly rare and expensive. Anecdotal evidence from development teams suggests that many experienced engineers are leaving React roles due to growing complexity, with some shifting to modern DOM APIs or alternative frameworks like LiveView to achieve immediate improvements in speed and interaction.
The author advocates for abandoning React in favour of web fundamentals, such as HTML-first architectures and Web Components. This approach, described as progressively enhancing baseline HTML, is argued to provide more usable experiences earlier, ensure functionality on slow connections and maintain site usability even if JavaScript fails. The article suggests that the "fat client" era of JavaScript-heavy frontends is on its way out, with network effects rather than technical fit currently driving architectural decisions.
React has not released a major update in 18 months, a period that, the author notes, has done nothing to improve the client-side story. The piece concludes that for the vast majority of organisations, React is objectively worse than many alternatives, urging engineering leaders to consider eschewing the framework in favour of technologies that map better to customer domains and offer better long-term maintainability.


