Sources

## The Ecosystem Fatigue Is Real React’s ecosystem is huge, and for years, that was its biggest strength. Need a router? React Router. State management? Redux, MobX, Zustand, or Context. Want server-side rendering? Hello, Next.js. But over time, this "choose your own adventure" style started to feel more like a maze. … ## React Isn’t Simple Anymore Remember when React was all about simplicity? Back in the day, you wrote class components, passed some props, and called it a day. Then hooks arrived—and they were awesome—but they also came with their own complexity. Suddenly, every blog post and tutorial was about managing `useEffect` dependencies or battling React’s rendering lifecycle. And don’t get me started on server components. They’re supposed to make things easier, but they add yet another layer to an already complicated stack. At some point, React started feeling less like a “library for building user interfaces” and more like a convoluted framework trying to be everything at once. … Thank you for your reply! That's the point of my comment - many frameworks don't offer standard packages for core functionality that is a core of many apps these days (name web app without form, router; just as an example 😄). And I guess there will be a delay in those libraries' updating when a new framework version is released? Migration from one library to another brings lots of headaches, and, again, as mentioned in your post... fragmentation - each project is unique and will have its own set of libraries. Choosing a framework these days is similar to choosing the country to live in if you're not happy with the current one 🤣 … I mean yeah it really depends on what the requirements are. I suspect form-heavy features with elaborate validation rules. There's definitely a need for that in the Svelte world, SuperForms aside. I do also think that while SvelteKit is fantastic, the philosophy of sticking to native HTML and browser APIs may be cumbersome if you want 1st party components like select fields with custom option components, date pickers, and data tables. … But mostly because, if you think about it, its the same "state management issue" rehashed into an import. WHY would you even want to explicitly sync the DOM state into an "explicit" object that is often spread out across a component tree that yet again mimics the DOM tree and every so often brings up conceptually unsolvable syncing issues? … Ilya Gorenburg • Jan 14 '25 ... I work with them almost every day. And our forms are complex, it's not about comment or contact us form - they have lots of logic (i'm not talking about validators). Talking about validation - validation attributes can't cover even big portion of the things we need. Building native validators with attributes (custom, not just by by pattern) are complex thing and it works with DOM anyway. When then re-invent a bicycle every time? Framework is made to ease the pain. Isn't it? … Agree that the community has become fragmented and that will get worse. Because most apps built with React do not need good performance, a large crowd of people have become stuck on a path that leads nowhere. This has led to the development of the React compiler in React 19. This will further facilitate this split in the community. Other frameworks like Svelte have embraced zero-performance-concern from the start. That might seem cool, but ultimately leads to terrible developers who no longer realize that they're writing JavaScript code with terrible performance, because the compiler will fix it for them. … As it happens with compiled languages, it then becomes a compiler issue. Being able to write complex logic relying on a compiler optimizing stuff for you is not a bad thing, it's something we should wish for. ... I used to be a backend developer. In 2020, I was working with a company and started with angular and what i hated most is NgModules declaration for a new frontend dev this is pure illogical import statement i have seen, first import the component provide it to `@NgModules` do the `declaration`, `imports`, `providers` etc. Also the file structure `dir/component.css`, `dir/component.html`, `dir/component.ts`. You can write three things in one when you write in basic `component.html`. … You can check svelte project that I have stared over the period: github.com/theetherGit?tab=stars

## 2. Re-Rendering and Performance Pitfalls One of React’s most glaring issues is its approach to state management. The problem here is that React’s model of reactivity is ‘inverted’ from how every other framework, library, and even JavaScript itself works. In every other case, the unit of reactivity is a callback function connected either via an event (e.g. vanilla `addEventHandler`) or a signal-based reactive primitive (e.g. Vue’s `watch`). Only in React the unit of reactivity is the full component function itself and this fundamental design decision is the root cause of a lot of the pain around memoization, double renders in `StrictMode`, and complexity in managing state and placement of code. `Signals` could fix this to a large extent by removing the need to re-run the entire component function on update. React’s new compiler is just fixing a self-inflicted wound and building on top of an inherently flawed paradigm that doesn’t actually reduce complexity or defects in building web front-ends. Not a big fan of Theo, but his struggles from this video can be helpful to illustrate the issue: ... Example: Here’s a snippet showing how React forces you into memoization hell: … ## 4. Signals and React’s Reluctance Meanwhile the rest of the JavaScript community moves toward more efficient reactive paradigms (check out the TC39 proposal for signals) and the React team stubbornly refuses to incorporate them. This refusal keeps React chained to an outdated reactivity model, forcing developers to continue fighting fires with excessive memoization and workarounds. … ## 5. Ecosystem Fragmentation and Departure from Web Standards Let’s face it: while React claims to be “just a library,” building a complete application requires dealing with bootstrapping, routing, state management, styling, fetching, etc. Areas where React forces you to reinvent the wheel. It's almost like the aim is to violate every traditional web development standard: - Templating is done via `HTML`, yet React demand you to write `JSX`. - `CSS` for styling, but React often pushes inline styles or `CSS-in-JS` (hello, `camelCase` properties!). Forget about the cascading part. - Native routing via `window.location`, `href` or history api? Nah, that's not how react routing works. - JS `fetch`? `JSON`? `HTTP`? Why, this is react: `"use server"`!! These deviations create a minefield of bad practices, hacks, and edge cases that only seasoned veterans can navigate without a headache. If you’ve ever tried to debug why a style isn’t applied or why a route misfires, you know the drill. It’s almost laughable—if it weren’t so infuriating. … ## 8. Enterprise-Grade Challenges: Performance, Memory, and Complexity For large-scale, enterprise applications, React’s shortcomings are more than academic: - Performance and Memory Issues: Constant re-renders, bloated code, and the necessity for hacks can lead to sluggish, memory-intensive apps. - Optimization Overload: Developers spend more time applying and maintaining workarounds than building features. - Developer Frustration: The rules and patterns of React—meant to enforce order—often result in a labyrinth of hacks and workarounds that bog down code reviews and maintenance. In the end, you get performance that’s, at best, mediocre compared to modern alternatives. … ## 10. Maintainability: A Growing Nightmare The React ecosystem is littered with abandoned libraries and components. Documentation, while abundant, often leaves much to be desired compared to rivals like Angular or Vue. And let’s not even start on the “Rules of React”—an endless litany of do’s and don’ts that makes even the simplest code review feel like navigating a bureaucratic maze. The result? Codebases that are hard to maintain, riddled with hacks, and ultimately deliver lackluster performance. Don’t trust me? Check out React Scan’s tweets for examples of many popular applications such as GitHub, Twitch, Twitter, Pinterest, etc full of performance issues and re-renders. At least you know, you are not alone. Even some of the biggest corporations with 100s of extremely talented engineers are struggling to deal with this insanity ## Conclusion If React were a car, it’d be a vintage model that once reigned supreme—now rusted, unreliable, and in desperate need of an overhaul. Its architecture, rife with performance pitfalls, convoluted paradigms, and a fragmented ecosystem, poses serious challenges for modern development, especially at an enterprise scale. With promising alternatives on the rise, clinging to React might soon become as outdated as using jQuery in 2025. The question isn’t whether you can continue with React — it’s whether you should.

**`useEffect`** remains the top complaint in the hooks category at 37%, followed by dependency array issues (21%). The reactivity model continues to frustrate developers, especially when dealing with stale closures and effect cleanup. … Server Components and Server Functions are more complicated. While they're slowly growing in popularity, they're also the third and fourth most disliked features respectively. For more context, see React Frameworks and Server-Side Features: Beyond Client-Side Rendering. … 1. **`<Profiler>`** - 57% 2. **`<ViewTransition>`** - 41% 3. **`<Activity>`** - 41% 4. **React cache** - 41% 5. **`useEffectEvent`** - 40% 6. **`useDeferredValue`** - 39% … ### Pain Points Worth Noting Beyond hooks, developers called out several recurring frustrations: - **`forwardRef`**: The bane of React developers for years. Thankfully, it's deprecated in React 19 with `ref` as a prop. - **`act`** testing issues: Wrapping updates in `act()` for tests remains confusing, especially with async operations. - **Memoization complexity**: Knowing when to reach for `useMemo`, `useCallback`, and `React.memo` adds mental overhead. - **`<StrictMode>`** double-rendering confusion: Developers still get tripped up by effects running twice in development. Memoization is a recurring pain point. Knowing when to use `useMemo`, `useCallback`, and `React.memo` adds mental overhead. React Compiler should hopefully solve this by handling memoization at build time. Learn more in React Compiler: No More useMemo and useCallback. … The top pain points are excessive complexity (20%) and boilerplate (15%). … - **Create React App**: Most developers have used it, but negative sentiment reflects its sunset in February. ... - **Next.js**: The dominant full-stack React framework, though some cite lock-in fears and complexity.

- React 19 hit 48.4% daily usage among respondents within months of release, with SPAs still dominating at 84.5%. - Server Components are polarizing: adopted in 45% of new projects but explicitly cited as a pain point by 6% of developers. - TanStack is emerging as a cohesive client-first alternative to Next.js, with TanStack Query, Router, Start, and Form all gaining ground. ... Despite being used by 98% of respondents, `useEffect` has the lowest satisfaction ratio of any hook (State of React features). It was the number one complaint at 37%, followed by dependency array issues at 21% (a 23.5% increase year-over-year). Developers are vocal about the finicky reactivity model, stale closures, and effect cleanup issues. This is a feature that practically everyone uses and practically everyone struggles with. … ### Server Components: Polarizing Reception Server Components and Server Functions are the **third and fourth-most-disliked features**, respectively. The survey authors called this "troubling for a set of new APIs that was supposed to pave the way towards React's next big evolution." The negative sentiment stems from multiple directions: complexity, debugging difficulties, Context API incompatibility (59 mentions, the most significant hurdle), testing gaps (24 mentions), and the growing list of directives sparking debate. The December 2025 CVE-2025-55182, a critical remote code execution vulnerability affecting React Server Components, reminded developers that even production-stable APIs carry real-world security risks as the ecosystem continues to evolve (see also Microsoft's analysis). … ... Overall happiness averaged 3.6 out of 5 with a slight downward trend, though the survey cautions it's "far too early to conclude whether it's something to worry about or just a blip." Beyond hooks, ecosystem complexity was cited by 11% of developers. One respondent captured the frustration well: navigating competing state management solutions, routing libraries, and rapidly evolving metaframeworks has become an increasingly common source of friction. A structured content backend can reduce some of that complexity by decoupling your content layer from frontend architecture decisions. The top pain points reinforce each other. `useEffect` frustrations at 37%, dependency array issues at 21%, Server Component headaches at 6% (though notably, 45% of new projects adopted RSC, suggesting the pain is concentrated among active users). The ecosystem is healthy, but the pace of change and the client-versus-server divide create genuine fatigue. … ### Remix's Pivot

The playbook is consistent: - Vulnerabilities allow untrusted code execution - Malicious workflows run without observability or control - Compromised dependencies spread across thousands of repositories - Over-permissioned credentials get exfiltrated via unrestricted network access Today, too many of these vulnerabilities are easy to introduce and hard to detect. We’re working to address this gap. … ... The current challenge Action dependencies are not deterministic and are resolved at runtime. Workflows can reference a dependency by various mutable references including tags and branches. … **2. Reducing attack surface with secure defaults** **The current challenge** GitHub Actions is flexible by design. Workflows can run: - In response to many events - Triggered by various actors - With varying permissions But as organizations scale, the relationship between repository access and workflow execution needs more granularity. Different workflows, teams, and enterprises need very different levels of exposure. Moreover, it leads to over-permissioned workflows, unclear trust boundaries, and configurations that are easy to get wrong. … - Who can trigger workflows - Which events are allowed This shifts the model from distributed, per-workflow configuration that’s difficult to audit and easy to misconfigure, to centralized policy that makes broad protections and restrictions visible and enforceable in one place. **Our core policy dimensions include:** - **Actor rules** specify*who* can trigger workflows such as individual users, roles like repository admins, or trusted automation like GitHub Apps, GitHub Copilot, or Dependabot. - **Event rules** define*which* GitHub Actions events are permitted like push, pull_request, workflow_dispatch, and others. … ## Scoped secrets and improved secret governance ### The current challenge Secrets in GitHub Actions are currently scoped at the repository or organization level. This makes secrets difficult to use safely, particularly with reusable workflows where credentials flow broadly by default. Teams need finer-grained controls to bind credentials to specific execution contexts.

GitHub Actions earned its market share by being baked into every repository, but convenience has a hidden cost. Below are the most common pain points reported by engineers who have lived through the “GitHub Actions nightmare.” - **Log viewer overload:** Large logs crash browsers, forcing developers to download raw artifacts and lose the interactive debugging experience. - **YAML‑centric complexity:** The hybrid `${{ }}` expression language creates a second‑level programming language that is easy to misquote and hard to test. - **Marketplace security risk:** Community actions are essentially third‑party scripts with access to `GITHUB_TOKEN` and secrets, turning the CI pipeline into a supply‑chain attack surface. - **Limited compute control:** Relying on Microsoft’s shared runners means you inherit their performance caps, pricing quirks, and occasional capacity throttling. - **Fragmented UI navigation:** Multiple clicks to reach a failing step, combined with a sluggish back‑button experience, wastes valuable engineering time. These issues compound into a feedback loop where a simple change can take 20‑plus minutes to surface, debug, and re‑run—an unacceptable latency for high‑velocity teams.

## The Descent into Chaos: Complexity and Hidden Costs ### Unexpected Costs and Performance GitHub Actions may seem affordable at first glance. However, many users report skyrocketing costs with increased usage, especially with expensive macOS runners and costly artifact storage. A startup that migrated to GitHub Actions saw its CI costs multiply fivefold, a stark example of the budgetary pitfalls awaiting unwary teams. ### Reliability: Where's the Uptime? Reliability issues are not uncommon. Jobs get stuck, runners start slowly, and queues grow longer. For a tool meant to accelerate development, it's a paradox. Projects like Zig even considered leaving GitHub due to these recurring malfunctions. ## Security: A Weak Link ### Over-Privileged and Secret Leaks The security of GitHub Actions workflows leaves much to be desired. A study revealed that 99.8% of workflows are over-privileged. This means repositories are vulnerable to attacks that could be avoided with more stringent permission management. ### Supply Chain Attacks The incident with tj-actions/changed-files in March 2025 is an example of risk where malicious code exposed secrets and sensitive tokens. With over 23,000 repositories affected, this event underscores the need for increased vigilance. ## A Significant Environmental Impact GitHub Actions' ecological impact is also concerning. In 2024, the workflows generated between 150.5 and 994.9 million tons of CO₂ equivalent. For companies mindful of their carbon footprint, this is a significant factor.

# I just don't like GitHub Actions. ... GitHub Actions was launched in 2018 as a means of automating repetitive tasks. In 2019 it was updated with first-class support for continuous integration (CI) and continuous delivery (CD). The premise sounds very "GitHub": ... My intent isn't to slate the feature, but to highlight some limitations of the current implementation and to put forward some ideas. ... … There's no means of easily triggering a re-run of a workflow against the tip of a branch. Not only is this a problem when dealing with transient failures (such as a network issue during an `npm install` or `docker pull`), it also makes development of new workflows or testing changes to existing workflows difficult. It's possible to work around this by adding additional triggers, but it feels like a strange omission. # No first-class support for running locally This limitation seems common to many CI platforms: there's no obvious way to run a workflow locally to verify that it works. Third party tools like Act have put in a great deal of work to approximate the environment, but it's not easy to do so accurately. Act works by executing your GitHub Action workflows in a container. The minimal Debian images it uses by default will be unable to run the majority of workflows, but it's possible to specify your own container image. Unfortunately, the images that try to replicate the Actions environment get very large. A 12GB Docker container isn't ideal. … Unfortunately, it also reduces predictability of builds, as developers have little control over what's installed in the environment. This has a couple of effects: - In CI workflows it becomes harder to troubleshoot test failures, as it's harder to replicate the environment locally. It also makes your builds more susceptible to packaging changes made to the images, as there are far more changes to review to determine the root cause of a failure. - In build and publish workflows it makes it difficult to trust that the environment is secure. Is GitHub reliably auditing all of the software that they're installing? … # Self-hosted runners Actions provides the ability to host your own runners, so that your jobs can run on your own infrastructure and be triggered from within GitHub. This would allow us to build our own minimal image! Unfortunately unlike services like Buildkite, which can run your integration jobs on your own AWS subscription, Actions provides no way to dynamically allocate agents as they're required. … - Support for running workflows in public cloud environments would make using custom images much more accessible, and provide a fairly elegant workaround for most of the issues here. - A more minimal base image should be available, at least as an option. I think it will be difficult to retroactively add in support for SDKs, as Actions would need to be updated to detail their dependencies or risk simply not working, harming the onboarding experience for the majority.

A popular GitHub Action used by thousands of repositories recently compromised those repositories, exposing a critical weakness in how open-source Actions are published and consumed. A new maintainer briefly hijacked the tj-actions/changed-files Action by publishing a version that contained obfuscated, malicious code. This triggered concern within the developer community about CI/CD security in the GitHub Actions ecosystem. The incident highlights an emerging attack surface: the supply chain of Actions themselves. While most guidance focuses on hardening the workflow environment, few teams scrutinize the security of the Actions they import. This breach has prompted renewed calls for best practices such as Action pinning, third-party audits, and hardened runners. Repositories widely used the tj-actions/changed-files Action to detect file changes in pull requests — a common step in conditional CI workflows. In March 2025, a new maintainer introduced a version (v44) that included obfuscated shell commands capable of remote code execution. While the malicious release was short lived, it bypassed detection long enough to expose a blind spot in how many developers trust and consume GitHub Actions. … The compromised Action is notable not just because of its popularity - over 20,000 repositories are estimated to have used it - but because it revealed a broader ecosystem weakness. Devs often treat GitHub Actions as trusted building blocks, yet unlike packages or containers, Actions lack strong controls around publishing, ownership changes, or signature verification. … GitHub Actions in particular run with high privileges, capable of signing releases, pushing images, or deploying to production. A compromised Action can subvert an entire delivery pipeline. While StepSecurity did not quantify how widespread the practice of using unpinned Actions was, they have often emphasized the risks of their use and recommended treating them with caution. The compromise echoes similar issues in adjacent ecosystems, such as malicious NPM packages or trojanized Docker Images. While the industry is making progress through initiatives like SLSA, Sigstore and SBOM tooling, GitHub Actions still lack first-class support for provenance, sandboxing, or trust enforcement on reusable Actions.

Yet, beneath this veneer of convenience, a growing chorus of dissatisfaction is emerging among developers who argue that Actions falls short in reliability, speed, and usability. This sentiment reached a boiling point in a recent blog post by developer Alexey “exlee” Sokolov, who didn’t mince words in his tirade titled “I Hate GitHub Actions with Passion,” published on his personal site xlii.space. Sokolov’s frustrations echo broader complaints that have been simmering in developer communities for years, amplified by recent pricing changes and performance issues. Sokolov’s critique centers on what he describes as GitHub Actions’ “slow feedback loop” and “insane complexity” in debugging. He recounts a personal ordeal with his project “tmplr,” where a CI build failed mysteriously on Linux ARM architecture while succeeding on others. The process of diagnosing the issue—pushing commits repeatedly to trigger workflows—felt archaic and inefficient, leading to hours of wasted time. This isn’t an isolated incident; developers on platforms like Reddit have long shared similar war stories. In a 2023 thread on Reddit’s r/devops, users lamented Actions’ unreliability, citing frequent outages and unpredictable behavior as reasons to seek alternatives. The backlash isn’t just anecdotal. Recent data from industry benchmarks highlights tangible shortcomings. For instance, a performance analysis by RunsOn, detailed in their GitHub Actions CPU performance benchmarks, reveals that Actions runners often lag in CPU speed and suffer from queuing delays compared to competitors. Developers report wait times that can stretch minutes or even hours during peak usage, disrupting the rapid iteration cycles essential to agile development. Moreover, GitHub’s own status updates, like a January 12, 2026, post from GitHub Status on X, admitted to “degraded performance” in Actions, underscoring systemic issues that affect thousands of users daily. **Unpacking the Core Flaws in GitHub Actions** At the heart of the criticism is GitHub Actions’ architecture, which relies on virtual machines spun up on demand. While this serverless model sounds efficient, it introduces latency that frustrates developers accustomed to instant feedback. Sokolov in his post compares it unfavorably to local testing environments, where errors can be caught immediately without the “push and pray” cycle. This sentiment is mirrored in a 2024 Reddit discussion on r/devops, where over 200 comments detailed gripes ranging from poor caching mechanisms to inconsistent runner environments. One user noted that Actions’ YAML syntax, while flexible, lacks robust local validation tools, leading to deployment-time surprises. Pricing has become another flashpoint. In December 2025, GitHub announced changes to its Actions pricing model, including charges for self-hosted runners—previously free—which sparked outrage. As reported by Techzine Global, the company delayed implementation until March 2026 after developer pushback, but the move highlighted a perceived shift toward monetization over user needs. … On social media, the discontent is palpable. Posts on X from developers like Theo Browne (@t3dotgg) in December 2025 criticized GitHub for charging users to integrate faster alternatives like Depot and Blacksmith, calling it “insanity.” Similarly, David Cramer (@zeeg) noted Actions’ lack of a “real moat,” suggesting easy migration paths to rivals. These real-time sentiments, gathered from recent X discussions, paint a picture of a tool that’s losing its grip as developers demand more from their CI/CD pipelines. … Personal stories from the trenches illustrate why these alternatives are resonating. In Sokolov’s case, switching to a local-first approach or tools like Act (a local runner for Actions) could mitigate some pains, but he advocates for complete alternatives to escape the ecosystem’s pitfalls. X posts from users like @draslan_eth in early January 2026 echo this, decrying Actions’ wait times compared to “beefy machine” local runs. Community forums reveal patterns: a 2021 X post by @GabriellaG439 criticized Actions’ YAML DSL for lacking local testing, a complaint that persists. Even GitHub’s announcements, such as the 2019 update on workflow editing improvements shared via their official X account, haven’t fully addressed these issues, as evidenced by ongoing developer feedback. … Pricing dynamics play a crucial role. GitHub’s recent concessions, detailed in a GIGAZINE report from December 2025 on gigazine.net, show responsiveness to criticism, but trust erosion persists. Alternatives often offer free tiers or predictable costs, attracting budget-sensitive indie developers. Looking ahead, the competition is fostering innovation. Posts on X, including a January 15, 2026, thread translated from Korean on @GeekNewsHada, share global frustrations with Actions’ debugging, suggesting a universal push toward more reliable tools.

## GitHub Actions limitations While GitHub Actions offers powerful automation features, there are some limitations and challenges to consider, as reported by users on the G2 platform: - **Complexity:** The platform can feel overwhelming for new users, especially given the range of features and options available. The complexity of setting up workflows, particularly for those new to version control, contributes to a steep learning curve. - **Limited free tier for private repositories:** While GitHub provides some free minutes and storage, these are often insufficient for teams working on large or complex projects. The cost for additional resources can become a concern, especially for smaller organizations or teams with limited budgets. The pricing for larger teams, particularly those requiring private repositories, can be prohibitive. - **Inconsistent performance:** Users have reported slow deployment times, even for small applications, and occasional issues with downtime and performance lags exist. These slowdowns impact productivity and consume the allotted minutes from the usage quota, frustrating users on limited plans. - **Troubleshooting:** Debugging issues within GitHub Actions can also be time-consuming, as there is no single comprehensive guide for troubleshooting. This leads to delays when errors occur in workflows. In addition, our experience shows many organizations use GitHub Actions and related tools to **implement full Continuous Delivery pipelines**, even though they were not intended for this purpose. This creates the problem of Shadow CD: - Shadow CD creates an illusion of automation, but it lacks crucial elements that people need to trust it. - To manage layers of automation not supported by the platform, developers create collections of scripts, sometimes with hundreds or thousands of lines. - The scrips are often created and maintained by a handful of engineers, often just a single person. Maintenance, security, and support become a significant challenge.

When using GitHub Actions, security concerns and maintaining environment consistency are crucial. Utilize GitHub Secrets to protect sensitive information and Docker to ensure consistent environments. Additionally, issues can be swiftly resolved through logging and error reporting functionalities. … ... One common challenge with GitHub Actions is managing secrets and environment variables securely, especially when workflows need access to sensitive data for deployment. A solution is to use GitHub's encrypted secrets feature to store these values, ensuring they're not exposed in logs or to unauthorized users. Additionally, fine-tuning permissions for GitHub Actions can help prevent misuse, allowing workflows to run with the minimum necessary privileges. This approach enhances security while ensuring workflows have the access they need to perform tasks effectively.