react-security
Install: claude install-skill hlsitechio/claude-skills-security
# React Security Audit
Audit React application code for vulnerabilities specific to React's rendering model, hooks system, and component boundaries. Defensive find-and-fix.
## When this skill applies
- Reviewing React components (functional or class) for XSS sinks
- Auditing React Router or TanStack Router authorization patterns
- Reviewing React 18 / 19 features: Server Components, Server Actions, Suspense, transitions
- Auditing hooks for state-leak / closure-trap patterns
- Reviewing form handling, file uploads, third-party React integrations
- Checking hydration mismatches that could expose server-only data

Use other skills for: Next.js-specific concerns (`nextjs-security`), Vite build/config (`vite-security`), backend code (Node, Python, Go skills), auth providers (`clerk-security`, `nextauth-security`).
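
As an added example (not part of this skill), the shell functions below do the first pass of the XSS-sink review listed above: they grep a source tree for `dangerouslySetInnerHTML`, `javascript:` URLs, `eval`/`new Function`, and direct `innerHTML`/`outerHTML`/`document.write` writes, and they run against a small constructed sample tree so the output can be checked offline. The patterns are triage heuristics; each hit still needs a reviewer to trace the value back to where it comes from.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: grep-based triage of React XSS sinks.
# Every hit is a lead for manual data-flow review, not a confirmed finding.
set -eu

# Print "file:line:text" for each sink pattern found under $1.
# Only JS/TS source files are scanned; docs in other formats are skipped.
scan_react_sinks() {
  local dir="$1"
  grep -rnE \
    -e 'dangerouslySetInnerHTML' \
    -e 'javascript:' \
    -e '(^|[^A-Za-z0-9_.])eval\(' \
    -e 'new Function\(' \
    -e '\.(innerHTML|outerHTML)[[:space:]]*=' \
    -e 'document\.write\(' \
    --include='*.js' --include='*.jsx' --include='*.ts' --include='*.tsx' \
    "$dir" || true   # grep exits 1 on zero hits; that is not an error here
}

# Number of hits, usable as a simple CI gate.
sink_count() {
  scan_react_sinks "$1" | wc -l | tr -d ' '
}

# Constructed sample source tree (not a real project).
SAMPLE_SRC=$(mktemp -d)

# Unsanitized prop rendered as raw HTML: the classic React XSS sink.
cat > "$SAMPLE_SRC/Profile.jsx" <<'EOF'
export function Profile({ bio, site }) {
  return (
    <div>
      <p dangerouslySetInnerHTML={{ __html: bio }} />
      <a href={site}>site</a>
    </div>
  );
}
EOF

# Same sink, sanitized first; still listed so the sanitizer call gets reviewed.
cat > "$SAMPLE_SRC/Safe.jsx" <<'EOF'
import DOMPurify from 'dompurify';
export function Safe({ bio }) {
  const clean = DOMPurify.sanitize(bio);
  return <p dangerouslySetInnerHTML={{ __html: clean }} />;
}
EOF

# Pre-React helper still mounted inside the app: direct DOM write.
cat > "$SAMPLE_SRC/legacy.js" <<'EOF'
export function render(el, html) {
  el.innerHTML = html;
}
EOF

# Documentation that mentions the API by name; excluded by the file filter.
cat > "$SAMPLE_SRC/NOTES.md" <<'EOF'
Never use dangerouslySetInnerHTML with user input.
EOF

scan_react_sinks "$SAMPLE_SRC"
```

Running it lists three hits (`Profile.jsx`, `Safe.jsx`, `legacy.js`) and nothing from `NOTES.md`. `Safe.jsx` is reported on purpose: the sanitizer call and its configuration are what the reviewer has to verify. The `href={site}` line in `Profile.jsx` matches no literal pattern, which is the point of the usage note: props flowing into `href` or `src` only show up through manual data-flow review, not through grep.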
## Workflow
Follow `../_shared/audit-workflow.md`. React-specific notes below.
### Phase 1: Stack detection
Confirm:
- React version (16 vs 17 vs 18 vs 19 — behavior differs significantly)
- Routing library (React Router v6/v7, TanStack Router, custom)
- Build tool (Vite, Create React App, Next.js, Remix, custom Webpack)
- State management (Redux, Zustand, Jotai, Context API, TanStack Query)
- Form library (React Hook Form, Formik, native)

Different versions and tools have different security surfaces — note them in the report.
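The checks in Phase 1 can be scripted against `package.json`. The shell functions below are an added example (not from this skill): they read a constructed sample manifest and report the React major version plus the first matching router, build tool, state-management library and form library from the candidate lists above. They assume dependencies are declared directly in that `package.json`; workspace-hoisted or lockfile-only packages are not covered.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: Phase 1 stack detection from package.json.
# Assumption: dependencies are declared directly in this package.json (no
# workspace hoisting, no lockfile-only packages).
set -eu

# Print the declared version range of one dependency, or "absent".
# $1 = package.json path, $2 = dependency name
dep_version() {
  local v
  # Matches   "react": "^18.2.0"   in dependencies or devDependencies.
  v=$(grep -E "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "$1" \
        | head -n 1 | sed -E 's/.*:[[:space:]]*"([^"]*)".*/\1/')
  printf '%s\n' "${v:-absent}"
}

# Print the first candidate package that is declared, or "none".
# $1 = package.json path, $2.. = candidate package names in priority order
first_present() {
  local pkg="$1" name
  shift
  for name in "$@"; do
    if [ "$(dep_version "$pkg" "$name")" != "absent" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  printf 'none\n'
}

# React major version as a bare number (e.g. 18); "unknown" if react is not
# declared. A tag such as "latest" has no digits and is passed through as-is.
react_major() {
  local v
  v=$(dep_version "$1" react)
  if [ "$v" = absent ]; then
    printf 'unknown\n'
  else
    printf '%s\n' "$v" | sed -E 's/^[^0-9]*([0-9]+).*/\1/'
  fi
}

# Emit key=value lines for the report's stack section.
detect_react_stack() {
  local pkg="$1"
  printf 'react_major=%s\n' "$(react_major "$pkg")"
  printf 'router=%s\n' "$(first_present "$pkg" react-router-dom react-router @tanstack/react-router)"
  printf 'build=%s\n' "$(first_present "$pkg" next @remix-run/react vite react-scripts webpack)"
  printf 'state=%s\n' "$(first_present "$pkg" @reduxjs/toolkit redux zustand jotai @tanstack/react-query)"
  printf 'forms=%s\n' "$(first_present "$pkg" react-hook-form formik)"
}

# Constructed sample manifest (not a real project).
SAMPLE_PKG=$(mktemp)
cat > "$SAMPLE_PKG" <<'EOF'
{
  "name": "constructed-sample",
  "dependencies": {
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "react-router-dom": "^6.22.0",
    "zustand": "^4.5.0",
    "react-hook-form": "^7.51.0"
  },
  "devDependencies": {
    "vite": "^5.1.0"
  }
}
EOF

detect_react_stack "$SAMPLE_PKG"
```

On the sample this prints `react_major=18`, `router=react-router-dom`, `build=vite`, `state=zustand`, `forms=react-hook-form`. The candidate lists are ordered so that a meta-framework (`next`, Remix) wins over the bundler it wraps; a `none` in any row means the reviewer should look at the lockfile or the import graph before writing "custom" in the report.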
### Phase 2: Inventory
```bash
# Find React entry points
grep -rln 'from .react.' src/ | head
grep -rln 'ReactDOM.render\|createRoot' s