RepoPilot

reduxjs/redux-toolkit

The official, opinionated, batteries-included toolset for efficient Redux development

Healthy

Healthy across all four use cases

Dependency: Healthy

Permissive license, no critical CVEs, actively maintained — safe to depend on.

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Healthy

No critical CVEs, sane security posture — runnable as-is.

  • Concentrated ownership — top contributor handles 50% of recent commits
  • Last commit 2w ago
  • 15 active contributors
  • MIT licensed
  • CI configured
  • Tests present

Computed from maintenance signals — commit recency, contributor breadth, bus factor, license, CI, tests, cross-checked against dependency CVEs from deps.dev and OpenSSF Scorecard

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: reduxjs/redux-toolkit

Generated by RepoPilot · 2026-07-05 · Source

Verdict

Healthy — Healthy across all four use cases

  • Last commit 2w ago
  • 15 active contributors
  • MIT licensed
  • CI configured
  • Tests present
  • ⚠ Concentrated ownership — top contributor handles 50% of recent commits


TL;DR

Redux Toolkit is the official, opinionated Redux library that provides a set of tools to simplify Redux development, including createSlice for reducer+action generation, createAsyncThunk for async operations, entity adapters for normalized state, and RTK Query for API data fetching. It wraps Redux core with Immer for immutable updates, serialization checks, and integrated middleware like listener middleware and action creator invariant checking. Monorepo structure: packages/toolkit contains core Redux utilities (slices, async thunks, middleware like listenerMiddleware), packages/rtk-query-* contain API query tools, and packages/rtk-query-codegen-openapi contains CLI code generation. Entity adapters live in packages/toolkit/src/entities/ with normalized state helpers. Examples and docs in separate workspaces.

LLM-derived; treat as a starting point, not verified fact.

Who it's for

TypeScript and JavaScript developers building React applications who need Redux state management but want to avoid Redux boilerplate; teams that use API-driven data fetching and need both state management and caching (via RTK Query in packages/rtk-query-codegen-openapi). Also used by developers generating RTK-Query hooks from OpenAPI specs.


Maturity & risk

Highly mature and production-ready. This is the official Redux library maintained by the Redux team, with 10k+ GitHub stars, comprehensive TypeScript coverage (2M+ lines), robust test infrastructure across packages, and continuous active development. The monorepo structure with multiple stable packages (toolkit, rtk-query-*) and real-world examples demonstrates battle-tested reliability.

Risk is minimal for the core library. Primary risk vectors: (1) monorepo complexity—changes to shared utilities in packages/toolkit/src/entities can affect multiple consumers; (2) peer dependency on Redux core and Immer versions must match, with version conflicts possible in legacy projects; (3) RTK Query's OpenAPI codegen (rtk-query-codegen-openapi) introduces tooling complexity for developers unfamiliar with spec-driven generation. No single-maintainer risk given official Redux team backing.


Active areas of work

Active development on dynamic middleware (packages/toolkit/src/dynamicMiddleware), listener middleware enhancements, entity adapters optimization, and RTK Query OpenAPI code generation tooling. The TypeScript-first approach is evident from 95%+ TS codebase. Recent work on combineSlices and draft-safe selectors suggests ongoing DX improvements.


Get running

git clone https://github.com/reduxjs/redux-toolkit.git
cd redux-toolkit
yarn install
yarn build
yarn test

Daily commands:

cd packages/toolkit
yarn test
# Or build the toolkit:
yarn build
# For RTK Query OpenAPI codegen:
cd packages/rtk-query-codegen-openapi
yarn cli --spec <openapi-spec-url> --output <out-dir>

Map of the codebase

  • packages/toolkit/src/index.ts — Main entry point exporting all public Redux Toolkit APIs; every contributor must understand the public surface.
  • packages/toolkit/src/createSlice.ts — Core abstraction combining reducer, actions, and immutable mutations; foundational to RTK design philosophy.
  • packages/toolkit/src/configureStore.ts — Store setup with default middleware and dev tools integration; critical for understanding RTK's opinionated defaults.
  • packages/toolkit/src/createAsyncThunk.ts — Async action pattern with promise lifecycle; heavily used API for data fetching in Redux applications.
  • packages/toolkit/src/query/createApi.ts — RTK Query API definition factory; entry point for server state management layer.
  • packages/toolkit/src/query/core/buildMiddleware/index.ts — Middleware orchestration for RTK Query lifecycle (polling, caching, invalidation); core to data synchronization.
  • packages/toolkit/src/immerImports.ts — Immer integration enabling direct mutation syntax in reducers; foundational to RTK's ergonomics.

Components & responsibilities

  • createSlice (Immer, Redux) — Generates a reducer, action creators, and optional async thunks from a single slice definition.
    • Failure mode: Invalid state mutations or name collisions between action types can cause reducer conflicts or hidden bugs.
  • configureStore (Redux, Redux middleware) — Factory that creates a Redux store with default middleware, DevTools, and serialization checks.
    • Failure mode: Missing or misconfigured middleware can break side-effect handling or allow non-serializable state.
  • RTK Query API instance (Redux, Fetch API, TypeScript) — Encapsulates endpoints, caching logic, and tag-based invalidation for server state.
    • Failure mode: Incorrect tag definitions or missing cache invalidation can cause stale data or memory leaks.
  • Listener middleware (Redux middleware) — Intercepts actions and state changes to run async side effects with task lifecycle management.
    • Failure mode: Uncontrolled async callbacks or missing task cancellation can cause race conditions or memory leaks.
  • Entity adapter (Immer, Redux selectors) — Provides CRUD reducers and memoized selectors for normalized collections of entities.
    • Failure mode: Incorrect adapter configuration or missing selector memoization can cause unnecessary re-renders or O(n) lookups.
  • createAsyncThunk (Redux, Promise, TypeScript) — Action creator that dispatches pending/fulfilled/rejected actions during async promise lifecycle.
    • Failure mode: Unhandled promise rejections or missing error types can cause silent failures or type safety gaps.

Data flow

  • React component → RTK Query hook — Component calls useQuery or useMutation hook with query parameters or mutation payload.
  • RTK Query hook → Redux store — Hook dispatches query initiated action; checks cache and returns cached data if available.
  • Redux store → RTK Query middleware — Middleware intercepts query action, manages lifecycle (pending → fulfilled/rejected), and normalizes responses.
  • RTK Query middleware → fetchBaseQuery — Middleware executes the base query function, which makes HTTP request to API.
  • fetchBaseQuery → Redux store — Response is normalized and dispatched as fulfilled action; tags are invalidated if mutation succeeds.
  • Redux store → React component — Component re-renders with fresh data, loading state, or error from store selectors.

How to make changes

Add a new async Redux action

  1. Create a slice using createSlice or define a standalone thunk with createAsyncThunk (packages/toolkit/src/createSlice.ts)
  2. Add extraReducers to handle pending/fulfilled/rejected states from the async thunk (packages/toolkit/src/createSlice.ts)
  3. Export the thunk and reducer, then configure the store with configureStore (packages/toolkit/src/configureStore.ts)

Add a new RTK Query API endpoint

  1. Create an API instance using createApi with fetchBaseQuery or custom baseQuery (packages/toolkit/src/query/createApi.ts)
  2. Define query or mutation endpoints in the endpoints builder (packages/toolkit/src/query/endpointDefinitions.ts)
  3. Use generated useQuery or useMutation hooks in React components (packages/toolkit/src/query/react/buildHooks.ts)
  4. Optionally invalidate tags in mutations to trigger automatic refetches (packages/toolkit/src/query/core/buildMiddleware/invalidationByTags.ts)

Add a side-effect listener for state changes

  1. Create a listenerMiddleware instance and call addListener to watch specific actions (packages/toolkit/src/listenerMiddleware/index.ts)
  2. In the listener callback, use async/await to trigger thunks or queries (packages/toolkit/src/listenerMiddleware/index.ts)
  3. Add the middleware to the store via configureStore enhancers option (packages/toolkit/src/configureStore.ts)

Generate RTK Query endpoints from OpenAPI schema

  1. Run rtk-query-codegen-openapi CLI with OpenAPI spec URL or file path (packages/rtk-query-codegen-openapi/src/bin/cli.ts)
  2. Code generator parses operations and generates endpoints and React hooks (packages/rtk-query-codegen-openapi/src/codegen.ts)
  3. Output files include apiSlice with endpoints ready to use in components (packages/rtk-query-codegen-openapi/src/generators/react-hooks.ts)

Why these technologies

  • Immer.js — Enables direct mutation syntax in Redux reducers while maintaining immutability guarantees; dramatically improves ergonomics.
  • TypeScript — First-class support provides strong type inference for slices, thunks, and API endpoints; reduces runtime errors.
  • Redux Middleware — Pluggable architecture for side effects, normalization, caching, and invariant checking without requiring external libraries.
  • Normalized state adapters — Encapsulates common CRUD operations on collections; reduces boilerplate for sorted and unsorted entity management.
  • RTK Query (built-in) — Server state management without external data fetching libraries; handles caching, invalidation, and synchronization out-of-box.

Trade-offs already made

  • Opinionated defaults (Redux DevTools, Thunk, Immer enabled by default)

    • Why: Reduces configuration burden for new users and ensures best practices are available immediately.
    • Consequence: Less flexibility for users who need custom middleware stacks, but can be overridden via configureStore options.
  • Tag-based cache invalidation in RTK Query instead of time-based TTL only

    • Why: Allows mutation results to deterministically invalidate related queries by semantic tags.
    • Consequence: Requires developers to think about cache relationships upfront; more powerful but steeper learning curve.
  • Normalized entity adapters as optional feature, not mandatory

    • Why: Accommodates both normalized and denormalized state patterns depending on complexity.
    • Consequence: Developers must choose when to use adapters; no single prescribed state shape.
  • Listener middleware as alternative to thunk middleware for side effects

    • Why: Provides imperative control over async logic without nested promise chains.
    • Consequence: Two competing patterns (thunks vs listeners) can cause confusion about which to use.

Non-goals (don't propose these)

  • Does not mandate Redux DevTools usage; integrations are optional.
  • Not a real-time data synchronization framework; WebSocket setup is left to users.
  • Does not provide form state management; use external libraries like React Hook Form.
  • Not a GraphQL-first framework; GraphQL support requires graphql-request base query adapter.

Anti-patterns to avoid

  • Mutating draft in multiple reducers (Medium) packages/toolkit/src/createSlice.ts: Using the same draft object across multiple extraReducers or nested immer produce calls can lead to unexpected state mutations.
  • Missing cache invalidation

Traps & gotchas

  1. Immer draft mutations only in reducers: Writing to state outside a reducer (e.g., in middleware) will not work as expected; createDraftSafeSelector.ts exists to work around this.
  2. Serialization checks enabled by default: Non-serializable values (Dates, Functions, Maps) in state trigger console warnings in dev; disable via getDefaultMiddleware({ serializableCheck: false }) if needed.
  3. Entity adapter selector factories: calling selectAll() or selectById() creates new selectors each time unless memoized; should use result selectors.
  4. RTK Query OpenAPI codegen requires valid spec URL: no local file path support in current implementation; spec must be HTTP(S) accessible.
  5. TypeScript generics: createAsyncThunk<ReturnType, ArgType, ThunkConfig> parameter order is easy to mess up; check type carefully.


Concepts to learn

  • Immer Draft Mutation — Redux Toolkit uses Immer to allow 'mutating' state in reducers while maintaining immutability guarantees; misunderstanding when mutations work (only in reducers) causes silent bugs
  • Normalized State Shape — Entity adapters (in packages/toolkit/src/entities/) flatten nested data into { ids: [], entities: {} } format to enable O(1) lookups and bulk operations; critical for performance with large collections
  • Thunk Middleware — createAsyncThunk relies on thunk middleware to dispatch action-returning functions; understanding thunk dispatch vs sync dispatch is essential for async flows
  • Listener Middleware Task Cancellation — packages/toolkit/src/listenerMiddleware/task.ts implements fork/join semantics for side effects; allows cancellation of in-flight async work—critical for avoiding race conditions and memory leaks
  • Selector Memoization — Entity adapters return selector factories; without proper memoization, re-renders trigger on unchanged data; createDraftSafeSelector addresses this for Immer-drafted state
  • Code Generation from OpenAPI Specs — rtk-query-codegen-openapi parses OpenAPI 3.0 specs to auto-generate typed RTK Query hooks; eliminates manual endpoint definition for API-first architectures
  • Draft-Safe Selectors — Immer proxies in reducers break standard selectors; createDraftSafeSelector.ts provides selectors that work inside reducer context, enabling composition of reducer logic
  • reduxjs/redux — Core Redux library that Redux Toolkit wraps; foundational dependency
  • reduxjs/react-redux — React bindings for Redux (Provider, useSelector, useDispatch); required for using Redux Toolkit in React apps
  • immerjs/immer — Immutable update library that Redux Toolkit uses internally for safe state mutations in reducers
  • reduxjs/reselect — Selector memoization library; used by entity adapters and recommended for RTK Query derived selectors
  • poimandres/zustand — Alternative lightweight state management library for React; competitive solution if RTK feels heavyweight

PR ideas


Add comprehensive unit tests for rtk-query-codegen-openapi utilities

The packages/rtk-query-codegen-openapi/src/utils directory contains critical helper functions (getOperationDefinitions.ts, isQuery.ts, isValidUrl.ts, getV3Doc.ts, capitalize.ts) that lack dedicated test files. These utilities are foundational for OpenAPI spec parsing and code generation. Adding tests would improve code quality, prevent regressions, and provide examples for contributors.

  • [ ] Create packages/rtk-query-codegen-openapi/src/utils/tests directory
  • [ ] Add unit tests for getOperationDefinitions.ts covering various OpenAPI v3 schema structures
  • [ ] Add unit tests for isQuery.ts with GET, POST, PUT, DELETE, PATCH operations
  • [ ] Add unit tests for isValidUrl.ts with valid URLs, invalid URLs, and edge cases
  • [ ] Add unit tests for capitalize.ts with camelCase, PascalCase, and special characters
  • [ ] Verify tests run in CI and maintain >80% coverage for utils

Add missing error handling and validation tests for createAsyncThunk.ts

The createAsyncThunk.ts is one of Redux Toolkit's most complex APIs and appears to have limited edge-case test coverage. Given its critical role in async action handling and the recent additions to createSlice, createAsyncThunk needs comprehensive tests for error scenarios, rejection handling, lifecycle hooks, and interaction with middleware.

  • [ ] Review existing tests in packages/toolkit/src/tests/createAsyncThunk.test.ts
  • [ ] Add tests for abort scenarios and AbortSignal handling edge cases
  • [ ] Add tests for rejectWithValue() with complex payload structures
  • [ ] Add tests for conditional execution with builder.addCase() combinations
  • [ ] Add tests for race conditions when multiple instances of the same thunk fire concurrently
  • [ ] Add tests for memory leaks when thunks are repeatedly created/destroyed

Add integration tests for listenerMiddleware with other core RTK features

The listenerMiddleware (packages/toolkit/src/listenerMiddleware) is a sophisticated feature that coordinates with createAsyncThunk, createSlice, and entity adapters, but currently lacks comprehensive integration tests. These tests would validate real-world usage patterns and ensure the middleware works correctly with other Redux Toolkit APIs.

  • [ ] Create packages/toolkit/src/listenerMiddleware/tests/integration.test.ts
  • [ ] Add tests for listenerMiddleware coordinating multiple asyncThunk actions across slices
  • [ ] Add tests for task.cancel() working with createEntityAdapter cache invalidation
  • [ ] Add tests for listener conditions with selector-based patterns on createSlice state
  • [ ] Add tests for effect cleanup and error handling in complex scenarios
  • [ ] Add tests demonstrating common patterns (debouncing, polling, saga-like flows)

Good first issues

  • Add test coverage for packages/toolkit/src/combineSlices.ts: file exists but test patterns are sparse; write integration tests showing combined slice reducer composition: Feature is recently added and test file structure is unclear
  • Enhance error messages in packages/toolkit/src/createAsyncThunk.ts for common mistakes like forgetting rejectWithValue() return; inspect formatProdErrorMessage.ts pattern and extend it: Developer experience gap: generic Redux errors don't help users understand createAsyncThunk gotchas
  • Add documentation examples for packages/toolkit/src/dynamicMiddleware/ showing how to add/remove middleware at runtime; currently minimal examples in code: Feature is powerful but underdocumented; real-world plugin systems could use this pattern


Recent commits

  • 62d21b0 — Merge pull request #5319 from JSap0914/fix/combineSlices-per-instance-stateProxyMap (EskiMojo14)
  • d5b5136 — fix(combineSlices): scope stateProxyMap per instance to prevent cross-instance proxy collisions (JSap0914)
  • fd30d99 — Merge pull request #5228 from Suto-Michimasa/feat/codegen-oazapfts-v7-enum-style (aryaemami59)
  • 713bf3e — Merge branch 'master' of https://github.com/reduxjs/redux-toolkit into pr/5228/feat/codegen-oazapfts-v7-enum-style (aryaemami59)
  • d974a4d — Merge pull request #5256 from aryaemami59/ci/add-pkg-new (aryaemami59)
  • 1afad56 — ci: update publish command and add pkg-pr-new dependency (aryaemami59)
  • 40b7ca1 — ci: publish preview packages via pkg.pr.new (aryaemami59)
  • 8d525e5 — add docusaurus-plugin-copy-page-button (#5299) (portdeveloper)
  • 7c49510 — chore: add test-results folder to .gitignore (#5311) (aryaemami59)
  • b15d995 — chore: update @arethetypeswrong/cli to 0.18.3 to fix CI failure (#5309) (aryaemami59)

Security observations

  • High · Outdated ESLint Dependency — package.json - devDependencies.eslint. ESLint version ^7.25.0 is significantly outdated (major version 7, released 2020). Current stable versions are v8.x and v9.x. This may include known security vulnerabilities and lack modern security rules. Fix: Update ESLint to the latest stable version (^9.0.0 or ^8.56.0) to benefit from security patches and modern vulnerability detection rules.
  • Medium · Potential XSS Risk in Code Generation — packages/rtk-query-codegen-openapi/src/codegen.ts, packages/rtk-query-codegen-openapi/src/generate.ts. The RTK Query OpenAPI code generator (packages/rtk-query-codegen-openapi/src) processes external OpenAPI specifications and generates code. Without proper sanitization of spec content, malicious OpenAPI specifications could inject harmful code into generated files. Fix: Implement strict validation and sanitization of OpenAPI specification inputs before code generation. Use allowlists for generated identifiers and validate all external specification content.
  • Medium · URL Validation May Be Insufficient — packages/rtk-query-codegen-openapi/src/utils/isValidUrl.ts. The file 'packages/rtk-query-codegen-openapi/src/utils/isValidUrl.ts' validates URLs for OpenAPI spec sources. If validation is incomplete, it could allow SSRF (Server-Side Request Forgery) attacks where malicious URLs point to internal services. Fix: Ensure URL validation includes: protocol whitelist (https only recommended), IP range blocklist (block private/loopback ranges), and domain blocklist for known internal services. Consider using URL parsing libraries with security in mind.
  • Medium · GraphQL Query Injection Risk — packages/rtk-query-graphql-request-base-query/src/index.ts. The GraphQL base query implementation (packages/rtk-query-graphql-request-base-query/src) constructs and executes GraphQL queries. Without proper variable binding and query parameterization, user-supplied inputs could be injected into GraphQL queries. Fix: Ensure all dynamic query content is parameterized using GraphQL variables. Never concatenate user input directly into query strings. Validate and sanitize all query arguments.
  • Medium · Missing Input Validation in Slice Generators — packages/toolkit/src/createSlice.ts, packages/toolkit/src/createReducer.ts, packages/toolkit/src/createAction.ts. createSlice, createReducer, and createAction functions process user-provided inputs without visible explicit validation. Malicious reducer logic or action payloads could lead to state corruption or RCE if combined with other vulnerabilities. Fix: Add explicit validation for function names, reducer logic, and action payloads. Document security expectations for developers using these APIs.
  • Low · No Security Headers Configuration — examples/ directories (not fully visible). No explicit security headers configuration visible in the codebase. While this is a framework/toolkit library, example applications should demonstrate security best practices. Fix: Add documentation and examples showing proper security headers (CSP, X-Frame-Options, X-Content-Type-Options) when using RTK in web applications.
  • Low · Potential Dependency Confusion Risk — package.json - workspaces configuration. The monorepo uses workspaces across multiple package directories. If private package names are not carefully managed, dependency confusion attacks could substitute internal packages with malicious public ones. Fix: Ensure all internal packages have distinct scoped names (e.g., @reduxjs/...). Use npm/yarn access controls to prevent accidental publication of private packages. Audit package.json for all dependencies.
  • Low · Immer Integration Security — packages/toolkit/src/immerImports.ts, packages/toolkit/src/createReducer.ts. The codebase integrates with Immer for immutable state updates (packages/toolkit/src/immerImports.ts). Immer uses Proxies which could have security implications if user-supplied reducers can access or manipulate the draft state improperly. Fix:

LLM-derived; treat as a starting point, not a security audit.

The exported doc (Copy CLAUDE.md / Download / .cursor/rules) also includes an agent protocol and a verification script written for AI coding agents — omitted here to keep this view scannable.
