facebook/react

Why this matters

react is the canonical deeply-evolved JS monorepo with selective custom tooling — a Yarn classic v1 workspace of 39 packages (22 published, 17 private), 5 lint-class CI jobs, 8 hand-rolled validation scripts under scripts/, 5 in-tree custom eslint rules, and a PR-time Danger runner. Different shape from kubernetes (Go + 50 verify-script empire), microsoft/typescript (Hereby task runner, frozen-snapshot maintenance mode), and vercel/turbo (modern Rust+TS hybrid with zero hand-rolled validators).

react sits in the middle of the spectrum: 8 hand-rolled scripts and ~10 conventions enforced only by code-review etiquette. The existing tooling (eslint + prettier + flow + the 5 custom eslint rules + Danger) is mature, but the structural floor underneath them isn’t checked anywhere.

Headline catch

react relies on a ~600-entry, append-only JSON registry (scripts/error-codes/codes.json) plus a single source of truth (packages/shared/ReactVersion.js) that propagates across 3 per-package version fields — both extant patterns in production JS monorepos and both currently enforced by hand-rolled node scripts that alint replaces structurally today (codes.json shape) and that surface the recurring cross_file_value_equals (now v0.10 ship-target — saturated at 10 sources) and registry_append_only (v0.10 design candidate — react remains the sole source) rule kinds.

Real findings against the live tree, none of which surface from running eslint / prettier / flow:

• 1 wrong repository.directory: packages/react-refresh/package.json declares repository.directory: "packages/react" (instead of packages/react-refresh) — a copy-paste regression from a sibling react-* package that survives every existing check
• 19 non-canonical bugs URLs across published packages
• 111 .js source files under packages/*/src/ missing the canonical Meta copyright header
• 75 dev scripts under scripts/ missing the header
• 39 packages without per-package LICENSE files (rollup adds one at build time, but npm pack from the source tree without building would miss it)
• 164 third-party action invocations in .github/workflows/ not pinned to a SHA
• 24 workflows missing permissions: contents: read declaration

Where alint earns its keep here

The structural floor under react’s well-evolved tooling: alint declares the per-package layout, codes.json shape, version-source shape, in-tree-eslint-plugin loading invariants, workflow-naming conventions, and Yarn-classic pinning — exactly the conventions extant only as oral history and review etiquette today.

react is the second-language data point for cross_file_value_equals — the same shape surfaced by airflow, tokio, clap, and uv on the Rust side, now demand-validated for the JS workspace world. react is also the first-of-kind (and still only) data point for registry_append_only — the codes.json append-only invariant is a clean abstraction over i18n string registries, feature-flag registries, API endpoint maps, error-code maps that any production app accumulates.

Use as evidence on alint.org/examples that structural drift exists even at the most evolved end of the JS monorepo spectrum — and that the cross-file value-equality + registry-shape primitives are recurring patterns, not one-off concerns.

Future story angles

• registry_append_only rule kind when a second source of demand surfaces (i18n / feature-flag registries are obvious candidates)
• agent-hygiene@v1 overlay for the dangerfile.js + 5 in-tree custom eslint rules surface
• compliance/reuse@v1 overlay as a declarative replacement for the per-package LICENSE story across 22 published + 17 internal packages