{"id":25368265,"url":"https://github.com/xh/hoist-react","last_synced_at":"2026-03-02T17:12:45.581Z","repository":{"id":37266377,"uuid":"117733567","full_name":"xh/hoist-react","owner":"xh","description":"🏗️ ⚛️ The XH Hoist toolkit for React","archived":false,"fork":false,"pushed_at":"2026-01-22T00:37:52.000Z","size":24754,"stargazers_count":29,"open_issues_count":165,"forks_count":10,"subscribers_count":6,"default_branch":"develop","last_synced_at":"2026-01-22T01:13:01.564Z","etag":null,"topics":["fintech","javascript","mobx","react"],"latest_commit_sha":null,"homepage":"https://xh.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xh.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-01-16T19:50:49.000Z","updated_at":"2026-01-22T00:37:56.000Z","dependencies_parsed_at":"2023-10-10T22:13:39.363Z","dependency_job_id":"f1e6003f-1354-41f8-90a3-bd235c9319cf","html_url":"https://github.com/xh/hoist-react","commit_stats":null,"previous_names":["exhi/hoist-react"],"tags_count":291,"template":false,"template_full_name":null,"purl":"pkg:github/xh/hoist-react","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xh%2Fhoist-react","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xh%2Fhoist-react/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xh%2Fhoist-react/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xh%2Fhoist-react/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xh","download_url":"https://codeload.github.com/xh/hoist-react/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xh%2Fhoist-react/sbom","scorecard":{"id":113432,"data":{"date":"2025-07-07","repo":{"name":"github.com/xh/hoist-react","commit":"cf3d5ac65039835b899ff66d7344692a0d3c5b6e"},"scorecard":{"version":"v5.2.1-18-gbb9c347d","commit":"bb9c347dff6349d986baab6578a46d68a5524c62"},"score":7.3,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#packaging"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":3,"reason":"Found 10/30 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/xh/hoist-react/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/xh/hoist-react/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/xh/hoist-react/codeql-analysis.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/xh/hoist-react/codeql-analysis.yml/develop?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#fuzzing"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 12 commits out of 13 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/bb9c347dff6349d986baab6578a46d68a5524c62/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T18:34:52.666Z","repository_id":37266377,"created_at":"2025-08-15T18:34:52.666Z","updated_at":"2025-08-15T18:34:52.666Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28831234,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T23:29:49.665Z","status":"ssl_error","status_checked_at":"2026-01-27T23:25:58.379Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fintech","javascript","mobx","react"],"created_at":"2025-02-15T00:36:53.171Z","updated_at":"2026-02-28T04:52:13.269Z","avatar_url":"https://github.com/xh.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hoist React\n\nA full-stack UI development framework for enterprise web applications, built on React and MobX.\nDeveloped by [Extremely Heavy](https://xh.io/) as the client-side complement to\n[Hoist Core](https://github.com/xh/hoist-core).\n\n## Overview\n\nHoist is designed as a \"full stack\" UI development framework, meaning that it has both server and\nclient components that work together to provide an integrated set of tools and utilities for quickly\nconstructing sophisticated front-end interfaces — or entire applications — with a strong focus on\nbuilding for the enterprise.\n\nPlease refer to the [Hoist Core](https://github.com/xh/hoist-core) repository readme for an\noverview of Hoist as a whole: its reason for existing, server-side tech stack, general features and\ncapabilities.\n\nThis repository is *hoist-react*, the current reference client-side implementation of Hoist. While\nReact itself is a remarkably powerful platform on which to build modern web apps, it represents only\na part (however core) of the larger toolset required to create fully functional user interfaces.\nHoist React brings together a curated collection of third-party and custom components, supporting\nlibraries, utilities, and tooling. This enables truly rapid and ready-to-go development, tightly\nintegrated Hoist functionality, and a minimal number of upfront per-app decisions — while maintaining\na high degree of flexibility and extensibility for demanding custom use cases.\n\n### AI-Assisted Development\n\nHoist is designed and documented for AI-assisted development. The framework's strong conventions —\nits consistent Model/Component/Service architecture, element factory patterns, and opinionated\napproach to state management — constrain the solution space in ways that help AI coding assistants\nproduce consistent, idiomatic, and maintainable code.\n\nThe project maintains extensive, structured documentation optimized for both human developers and AI\nagents: a task-oriented [documentation index](docs/README.md), package-level READMEs covering\narchitecture and usage patterns, and cross-cutting concept docs. AI coding assistants (Claude Code,\nCopilot, and similar tools) can consult [AGENTS.md](AGENTS.md) for coding conventions and\n[docs/README.md](docs/README.md) for the full documentation catalog.\n\n## Getting Started\n\nInstall hoist-react as a dependency:\n\n```bash\nnpm install @xh/hoist\n# or\nyarn add @xh/hoist\n```\n\nHoist React requires **React ~18.2** and **React DOM ~18.2** as peer dependencies.\n\n[Toolbox](https://github.com/xh/toolbox) is XH's reference application — it showcases hoist-react\npatterns and components and is the best starting point for new developers. See\n[docs/development-environment.md](docs/development-environment.md) for full local development setup,\nand the [Hoist Core README](https://github.com/xh/hoist-core) for server-side configuration.\n\n## Documentation\n\nHoist React maintains thorough documentation across package-level READMEs and cross-cutting concept\ndocs. The primary entry points are:\n\n- [docs/README.md](docs/README.md) — documentation index with a task-oriented quick reference\n- [AGENTS.md](AGENTS.md) — AI coding assistant guidance and coding conventions\n- [CHANGELOG.md](CHANGELOG.md) — version history and release notes\n- [docs/build-and-publish.md](docs/build-and-publish.md) — GitHub Actions CI/CD for hoist-react\n- [docs/build-app-deployment.md](docs/build-app-deployment.md) — building and deploying Hoist applications\n- [docs/development-environment.md](docs/development-environment.md) — local development setup\n\n## Architecture at a Glance\n\nHoist applications are built around three core artifact types — **Models**, **Components**, and\n**Services** — coordinated by the [`XH`](core/XH.ts) singleton, which provides the top-level\nframework API, service access, and common operations.\n\n**Models** (`HoistModel`) are class-based objects that manage state and business logic. Properties\nare marked with MobX decorators to make them observable by components and other models. Models form\nhierarchies that reflect the structure and concerns of the application, encouraging a clean\nseparation of logic from presentation. See [/core/README.md](core/README.md).\n\n**Components** are React functional components wrapped via `hoistCmp` with Hoist support for MobX\nreactivity and model lookup. Components reference model properties in their render methods and call\nmodel methods in response to user actions, keeping rendering logic thin and declarative. See\n[/cmp/README.md](cmp/README.md).\n\n**Services** (`HoistService`) are singletons that encapsulate data access and app-wide business\nlogic, persisting for the life of the application. They are installed via\n`XH.installServicesAsync()` and accessed as e.g. `XH.myCustomService`. See\n[/svc/README.md](svc/README.md).\n\nHoist includes a wide variety of carefully selected and integrated UI components, ready for\nimmediate use. A central goal of the toolkit is to provide a **managed, normalized, and integrated**\nset of patterns, APIs, and behaviors on top of the underlying library components — enabling them to\nwork together, integrate with core Hoist services, and appear to end-users as a cohesive and highly\npolished system.\n\n**Element factories** are Hoist's preferred way to compose component trees using pure\nTypeScript/JavaScript, without JSX markup. All Hoist components export a factory alongside the\ncomponent itself. JSX is also fully supported and can be used interchangeably — both approaches\ncompile to `React.createElement()` calls. See [/core/README.md](core/README.md) for full details\non element factories.\n\n**Desktop and mobile** platforms are supported via separate component packages (`/desktop/` and\n`/mobile/`), while models, services, and utilities are shared across both. See\n[/mobile/README.md](mobile/README.md) for mobile-specific guidance.\n\n## Key Libraries and Dependencies\n\nHoist React is built on a collection of remarkable third-party libraries that have been selected,\ncombined, and integrated by XH.\n\n| Library      | Notes                                                                           | Link                                                |\n|--------------|---------------------------------------------------------------------------------|-----------------------------------------------------|\n| React        | Core technology for efficient componentization and rendering of modern web apps | [reactjs.org](https://react.dev/)                   |\n| MobX         | Flexible, well-balanced state management and smart reactivity                   | [mobx.js.org](https://mobx.js.org/)                 |\n| Webpack      | Endlessly extensible (if occasionally baffling) bundle and build tool           | [webpack.js.org](https://webpack.js.org/)           |\n| ag-Grid      | High performance, feature-rich data grid                                        | [ag-grid.com](https://www.ag-grid.com/)             |\n| Blueprint    | General purpose UI toolkit for data-dense desktop webapps                       | [blueprintjs.com](https://blueprintjs.com/)         |\n| Highcharts   | Proven, robust, well-rounded charting and visualization library                 | [highcharts.com](https://www.highcharts.com/)       |\n| RGL          | Drag-and-drop grid layout for DashCanvas dashboards                             | [react-grid-layout](https://github.com/react-grid-layout/react-grid-layout) |\n| Router5      | Flexible and powerful routing solution                                          | [router5.js.org](https://router5.js.org/)           |\n| Font Awesome | Icons, icons, icons                                                             | [fontawesome.com](https://fontawesome.com/)         |\n\n### Library Licensing Considerations\n\nThe majority of the libraries listed above and included within Hoist React as dependencies are\nopen-source and fully free to use. Wherever possible, we have aimed to minimize exposure to\nthird-party license costs and restrictions. The exceptions to this rule are listed below. For these\nlibraries, client application(s) using Hoist React must acquire and register appropriate licenses.\n\n**ag-Grid** is released under a dual licensing model, with the community edition available under a\npermissive MIT license and the enterprise edition requiring a\n[paid license](https://www.ag-grid.com/license-pricing). Applications wishing to use grids in Hoist\nReact will need to provide a licensed version of ag-Grid. A free community version is available,\nhowever many applications will want to license the enterprise version for important extra\nfunctionality including row grouping and tree grids.\n\n**Font Awesome** provides a greatly extended set of icons via its\n[Pro license](https://fontawesome.com/pro), and Hoist React references several of these icons. A\nPro license includes access to a private npm repository to download the extended library, accessed\nvia a unique URL. XH can configure appropriate access via npm configuration files or an enterprise\nnpm repository proxy.\n\n**Highcharts HighStock** is the primary charting library in Hoist, and offers several\n[licensing and support options](https://shop.highsoft.com/highstock) for commercial use.\nApplications wishing to use charts in Hoist will need to provide a licensed version of Highcharts.\n\n## TypeScript and Modern JavaScript\n\nHoist React and Hoist applications are written in TypeScript. The codebase makes use of experimental\n(TC39 Stage 2) decorators via Babel — a notable difference from standard TypeScript decorator\nsupport — as coordinated within a standardized Webpack build process provided by\n[hoist-dev-utils](https://github.com/xh/hoist-dev-utils).\n\nKey language features used throughout Hoist React include:\n\n- **Decorators** — a core part of MobX integration and used within Hoist to define observable state,\n  managed resources, and other key behaviors. See [/core/README.md](core/README.md) for reference.\n- **Classes** — including class fields and carefully considered uses of inheritance.\n- **Async/await** — for asynchronous operations, with custom Promise extensions for error handling,\n  tracking, and timeouts. See [/promise/README.md](promise/README.md).\n- **ES Modules** — all dependencies imported via ES modules and resolved by Webpack.\n\n## Licensing and Support\n\nHoist is currently developed exclusively by Extremely Heavy and intended for use by XH and our\nclient partners to develop enterprise web applications with XH's guidance and direction. That said,\nwe have released the toolkit under the permissive and open Apache 2.0 license. This allows other\ndevelopers, regardless of whether they are current XH clients or not, to checkout, use, modify, and\notherwise explore Hoist and its source code. See [LICENSE.md](LICENSE.md) for the full license.\n\nWe have selected an open source license as part of our ongoing commitment to openness, transparency,\nand ease-of-use, and to clarify and emphasize the suitability of Hoist for use within a wide variety\nof enterprise software projects. Note, however, that we cannot at this time commit to any particular\nsupport or contribution model outside of our consulting work. But if you are interested in Hoist\nand/or think it might be helpful for a project, please don't hesitate to\n[contact us](https://xh.io)!\n\n---\n\ninfo@xh.io | https://xh.io\nCopyright 2026 Extremely Heavy Industries Inc.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxh%2Fhoist-react","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxh%2Fhoist-react","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxh%2Fhoist-react/lists"}