# Stability-Signal Probe - facebook/create-react-app

Generated by `stability_signal_probe_v0_1`
Static public sample. Read-only diagnostic.

## Trust Boundary

Controlled public example only. No private application access, no repository code execution, and no claim beyond the listed evidence.

## At A Glance

- Repository: `facebook/create-react-app`
- Case: `cra_stale_stability_signal_probe_v1`
- Artifact: `stability_signal_probe`

## Target Surface

- Repo/project: `facebook/create-react-app`
- Product/surface focus: Create React App as a React app-starting toolchain choice
- Purpose: help teams decide whether CRA remains a sound starting point or maintenance choice
- Decision question: can a highly familiar public repo still carry stale stability signals after its ecosystem moves on?
- Included evidence surface: React deprecation guidance, public repo state, compatibility/documentation drift issues, popularity signals
- Excluded surfaces: private CRA applications, maintainer intent, full migration plan, code execution
- Invariant/claim tested: popularity and tutorial memory do not equal current support reality

## Decision Question

Can a highly familiar public repo still carry stale stability signals after its ecosystem moves on — and should a team still adopt or keep it?

## How This Report Works

FoldEngine frames a technical claim or repository question, checks only the approved evidence surface, preserves what was and was not checked, and recommends one stabilizing next move. A Stability-Signal Probe separates what looked stable from what is actually stable.

## Evidence Checked

- React's public post: https://react.dev/blog/2025/02/14/sunsetting-create-react-app
- Public GitHub repository: https://github.com/facebook/create-react-app
- React 19 compatibility discussion: https://github.com/facebook/create-react-app/issues/17004
- Documentation drift discussion: https://github.com/facebook/create-react-app/issues/13072
- GitHub star count, fork count, and recent commit activity
- npm download trends for `create-react-app`

## What Looked Stable

CRA presents a surface of extreme familiarity and apparent trustworthiness:

| Signal | Surface impression | Source |
|--------|-------------------|--------|
| GitHub stars | ~102k — among the most-starred repos in the ecosystem | GitHub |
| Tutorial references | Hundreds of blog posts, courses, and docs still reference `npx create-react-app` | Web |
| npm downloads | Still high weekly download counts from CI pipelines and tutorials | npm |
| Name recognition | "Create React App" is synonymous with "start a React project" for many developers | Community |
| Repository status | Repository exists, is public, has code | GitHub |

A team checking only these surface signals would conclude CRA is an active, well-supported starting point.

## What Is Actually Stable

| Signal | Actual state | Evidence |
|--------|-------------|----------|
| Maintainer direction | **Deprecated** | React team's February 2025 blog post explicitly sunsets CRA for new apps |
| Active development | **Maintenance mode** | No new feature commits; repository is in maintenance-only posture |
| React 19 compatibility | **Uncertain** | Issue #17004 reports compatibility problems with no clear resolution path |
| Documentation alignment | **Drifted** | Issue #13072 shows documentation still implies CRA is a recommended starting point |
| Production coverage | **Incomplete** | React's own guidance names routing, data fetching, code splitting, error handling, caching, navigation, and optimistic updates as production needs CRA does not address |
| Ecosystem guidance | **Moved** | React docs now point to Next.js, Remix, Gatsby, or Vite-based setups for new projects |

## The Gap

The gap between "what looked stable" and "what is actually stable" is the core finding. CRA's popularity signals remain high while its support reality has shifted. This is the stale trust pattern: historical adoption metrics persist after the maintainer's current guidance changes.

This is not a failure or a scandal. CRA served its purpose. The risk is for teams that rely on popularity signals without checking current maintainer direction.

## What Is Still Uncertain

- Whether CRA will receive security patches for critical vulnerabilities.
- Whether existing CRA-based apps will break on future React releases.
- How long the npm package will remain installable without deprecation warnings.
- Whether internal platforms and CI templates that reference CRA have been updated.

## Risk Classification

| Risk | Severity | Who is affected |
|------|----------|----------------|
| New project adopts CRA based on tutorial memory | **High** | Teams starting new React projects |
| Existing CRA app hits React 19 incompatibility | **Medium** | Teams upgrading React in existing CRA apps |
| Internal docs/templates still reference CRA as default | **Medium** | Platform/DevEx teams maintaining internal tooling |
| Security patch gap in maintenance-mode CRA | **Low (for now)** | All CRA users, but no evidence of active unpatched vulnerability |

## Recommended Next Move

Create a migration decision receipt: classify each CRA-based app as learning project, static SPA, or production application. For each category, recommend a framework or build-tool path (Next.js, Remix, Vite), identify specific blockers to migration, and add a README-level deprecation note where the old CRA path still appears. Preserve CRA only as maintenance-mode compatibility for apps that cannot migrate yet.

## What This Report Does NOT Do

- Does not claim CRA is bad, broken, or a mistake.
- Does not blame maintainers or the React team.
- Does not claim CRA cannot work for existing apps.
- Does not compare specific alternative frameworks.
- Not a full code review.
- Not a security audit.
- No private app access.
- No repository code execution.

## Delivery / Retention Receipt

- Generated at: `2026-05-17T00:00:00Z`
- Artifact version: `stability_signal_probe_v0_1`
- Intended vault: `FoldEngine Operations / 03_Client_Reports / Public_Samples`

---

## Legal Disclaimer

This report is provided for informational purposes only. It is not legal advice, a security audit, a penetration test, a production certification, or a guarantee of any kind. FoldEngine reports are bounded diagnostics based on visible public evidence at the time of the probe. They do not replace professional legal, security, or engineering review. Use of this report is subject to the FoldEngine Terms of Service and Privacy Policy.

(c) 2026 FoldEngine. All rights reserved.
