Communications around React 19 support would be greatly appreciated

[julesblancphin]

Core Library

MSAL.js (@azure/msal-browser)

Wrapper Library

MSAL React (@azure/msal-react)

Public or Confidential Client?

Public

Description

@azure/msal-react is blocking any updates to React 19. This is a massive blocker for many teams, from a quick search I found these (#7577 #7481 #7455 #7467 #7520, and probably the main one: #7548)

As a general reminder, React 19 has been released almost a year ago and has been officially stable for 3 months.

Communication of any kind from the MSAL team regarding support would be greatly appreciated. Looking at the PRs listed above there has clearly been several attempts as well.

[TomTom-Labs]

Thanks @julesblancphin for looking up the issue IDs.

For us, as mentioned in the other issues as well, we can’t upgrade out dependencies to newest packages due to this old msal libs not supporting the current react version. We track the open CVE issues against the outdated libraries we need to use, because we can’t upgrade. We currently need to make the decision, to disable Microsoft SSO, upgrade the react 19 and current npm dependencies – until this library gets released.

Microsoft makes nice blog posts and press articles about (want to be) being the leader of Internet security. Look for “Microsoft Secure Future Initiative” and you know what I mean…

e.g. “Security above all else” https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative or “Prioritizing security above all else” https://blogs.microsoft.com/blog/2024/05/03/prioritizing-security-above-all-else/

Too sad, we need to see an negative example here, how Microsoft fails on this promise.

[Ben-CA]

See this pull request: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/7710