Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
eslint-config-react-app
Advanced tools
eslint-config-react-app
This package includes the shareable ESLint configuration used by Create React App.
Please refer to its documentation:
- Getting Started – How to create a new app.
- User Guide – How to develop apps bootstrapped with Create React App.
Usage in Create React App Projects
The easiest way to use this configuration is with Create React App, which includes it by default.
You don’t need to install it separately in Create React App projects.
Usage Outside of Create React App
If you want to use this ESLint configuration in a project not built with Create React App, you can install it with the following steps.
First, install this package and ESLint.
npm install --save-dev eslint-config-react-app eslint@^8.0.0
Then create a file named .eslintrc.json with following contents in the root folder of your project:
{
"extends": "react-app"
}
That's it! You can override the settings from eslint-config-react-app by editing the .eslintrc.json file. Learn more about configuring ESLint on the ESLint website.
Jest rules
This config also ships with optional Jest rules for ESLint (based on eslint-plugin-jest).
You can enable these rules by adding the Jest config to the extends array in your ESLint config.
{
"extends": ["react-app", "react-app/jest"]
}
Accessibility Checks
The following rules from the eslint-plugin-jsx-a11y plugin are activated:
- alt-text
- anchor-has-content
- aria-activedescendant-has-tabindex
- aria-props
- aria-proptypes
- aria-role
- aria-unsupported-elements
- heading-has-content
- href-no-hash
- iframe-has-title
- img-redundant-alt
- no-access-key
- no-distracting-elements
- no-redundant-roles
- role-has-required-aria-props
- role-supports-aria-props
- scope
If you want to enable even more accessibility rules, you can create an .eslintrc.json file in the root of your project with this content:
{
"extends": ["react-app", "plugin:jsx-a11y/recommended"],
"plugins": ["jsx-a11y"]
}
However, if you are using Create React App and have not ejected, any additional rules will only be displayed in the IDE integrations, but not in the browser or the terminal.
Other packages similar to eslint-config-react-app
eslint-config-airbnb
This package provides Airbnb's ESLint configuration, which is a popular style guide in the JavaScript community. It includes React-specific linting rules and differs from eslint-config-react-app by enforcing stricter code conventions and patterns.
eslint-config-standard-react
This is an ESLint configuration package that extends the StandardJS ruleset with React-specific rules. It offers a different set of opinions on code style and best practices compared to eslint-config-react-app.
eslint-config-prettier
eslint-config-prettier disables all ESLint rules that might conflict with Prettier formatting. While it doesn't provide React-specific rules, it's often used in conjunction with other ESLint configs, like eslint-config-react-app, to ensure code style consistency.
FAQs
ESLint configuration used by Create React App
The npm package eslint-config-react-app receives a total of 1,821,142 weekly downloads. As such, eslint-config-react-app popularity was classified as popular.
We found that eslint-config-react-app demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Package last updated on 12 Apr 2022
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025