Gathering detailed insights and metrics for xstate
Gathering detailed insights and metrics for xstate
Actor-based state management & orchestration for complex app logic.
Installations
npm install xstateDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Node Version
22.16.0
NPM Version
10.9.2
Score
99.8
Supply Chain
100
Quality
92.6
Maintenance
100
Vulnerability
100
License
Releases
433
@xstate/store@3.8.0
@xstate/store@3.8.0
Updated on Jun 29, 2025
@xstate/store@3.7.1
@xstate/store@3.7.1
Updated on Jun 26, 2025
@xstate/store@3.7.0
@xstate/store@3.7.0
Updated on Jun 21, 2025
@xstate/react@6.0.0
@xstate/react@6.0.0
Updated on Jun 19, 2025
@xstate/vue@5.0.0
@xstate/vue@5.0.0
Updated on Jun 19, 2025
@xstate/svelte@5.0.0
@xstate/svelte@5.0.0
Updated on Jun 19, 2025
Languages
6
TypeScript
Vue
JavaScript
Svelte
CSS
HTML
TypeScript (97.98%)
Vue (0.78%)
JavaScript (0.48%)
Svelte (0.42%)
CSS (0.26%)
HTML (0.08%)
Developer
Download Statistics
Total Downloads
355,864,252
Last Day
90,521
Last Week
1,945,459
Last Month
8,414,407
Last Year
86,965,588
GitHub Statistics
MIT License
28,419 Stars
6,806 Commits
1,315 Forks
191 Watchers
296 Branches
346 Contributors
Updated on Jul 03, 2025
Bundle Size
44.94 kB
Minified
13.56 kB
Minified + Gzipped
Sponsor this package
Maintainers
3
Package Meta Information
Latest Version
5.20.0
Package Id
xstate@5.20.0
Unpacked Size
2.08 MB
Size
450.03 kB
File Count
131
NPM Version
10.9.2
Node Version
22.16.0
Published on
Jun 19, 2025
Total Downloads
Cumulative downloads
Total Downloads
355,864,252
Last Day
-3.7%
90,521
Compared to previous day
Last Week
-8.3%
1,945,459
Compared to previous week
Last Month
2%
8,414,407
Compared to previous month
Last Year
17.3%
86,965,588
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
5
Actor-based state management & orchestration for complex app logic. → Documentation
XState is a state management and orchestration solution for JavaScript and TypeScript apps. It has zero dependencies, and is useful for frontend and backend application logic.
It uses event-driven programming, state machines, statecharts, and the actor model to handle complex logic in predictable, robust, and visual ways. XState provides a powerful and flexible way to manage application and workflow state by allowing developers to model logic as actors and state machines.
✨ Create state machines visually in Stately Studio → state.new
➡️ Create state machines with the Stately Editor
🖥 Download our VS Code extension
📑 Inspired by the SCXML specification
💬 Chat on the Stately Discord Community
✍️ Browse through the many XState examples
Templates
Get started by forking one of these templates on CodeSandbox:
| Template | |
|---|---|
|
🤖 XState Template (CodeSandbox)
|
|
|
⚛️ XState + React Template (CodeSandbox)
|
|
|
💚 XState + Vue Template (CodeSandbox)
|
|
|
🧡 XState + Svelte Template (CodeSandbox)
|
|
Super quick start
1npm install xstate
1import { createMachine, createActor, assign } from 'xstate'; 2 3// State machine 4const toggleMachine = createMachine({ 5 id: 'toggle', 6 initial: 'inactive', 7 context: { 8 count: 0 9 }, 10 states: { 11 inactive: { 12 on: { 13 TOGGLE: { target: 'active' } 14 } 15 }, 16 active: { 17 entry: assign({ count: ({ context }) => context.count + 1 }), 18 on: { 19 TOGGLE: { target: 'inactive' } 20 } 21 } 22 } 23}); 24 25// Actor (instance of the machine logic, like a store) 26const toggleActor = createActor(toggleMachine); 27toggleActor.subscribe((state) => console.log(state.value, state.context)); 28toggleActor.start(); 29// => logs 'inactive', { count: 0 } 30 31toggleActor.send({ type: 'TOGGLE' }); 32// => logs 'active', { count: 1 } 33 34toggleActor.send({ type: 'TOGGLE' }); 35// => logs 'inactive', { count: 1 }
Stately Studio
- Visually create, edit, and collaborate on state machines
- Export to many formats, including XState v5
- Test path & documentation autogeneration
- Deploy to Stately Sky
- Generate & modify machines with Stately AI
Why?
Statecharts are a formalism for modeling stateful, reactive systems. This is useful for declaratively describing the behavior of your application, from the individual components to the overall application logic.
Read 📽 the slides (🎥 video) or check out these resources for learning about the importance of finite state machines and statecharts in user interfaces:
- Statecharts - A Visual Formalism for Complex Systems by David Harel
- The World of Statecharts by Erik Mogensen
Packages
| Package | Description |
|---|---|
🤖 xstate | Core finite state machine and statecharts library + interpreter |
⚛️ @xstate/react | React hooks and utilities for using XState in React applications |
💚 @xstate/vue | Vue composition functions and utilities for using XState in Vue applications |
🎷 @xstate/svelte | Svelte utilities for using XState in Svelte applications |
🥏 @xstate/solid | Solid hooks and utilities for using XState in Solid applications |
🔍 @xstate/inspect | Inspection utilities for XState |
Finite State Machines
| Code | Statechart | ||||
|---|---|---|---|---|---|
|
Open in Stately Studio |
Hierarchical (Nested) State Machines
| Code | Statechart |
|---|---|
|
Open in Stately Studio |
Parallel State Machines
| Code | Statechart |
|---|---|
|
Open in Stately Studio |
History States
| Code | Statechart |
|---|---|
|
Open in Stately Studio |
Sponsors
Special thanks to the sponsors who support this open-source project:
SemVer Policy
We understand the importance of the public contract and do not intend to release any breaking changes to the runtime API in a minor or patch release. We consider this with any changes we make to the XState libraries and aim to minimize their effects on existing users.
Breaking changes
XState executes much of the user logic itself. Therefore, almost any change to its behavior might be considered a breaking change. We recognize this as a potential problem but believe that treating every change as a breaking change is not practical. We do our best to implement new features thoughtfully to enable our users to implement their logic in a better, safer way.
Any change could affect how existing XState machines behave if those machines are using particular configurations. We do not introduce behavior changes on a whim and aim to avoid making changes that affect most existing machines. But we reserve the right to make some behavior changes in minor releases. Our best judgment of the situation will always dictate such changes. Please always read our release notes before deciding to upgrade.
TypeScript changes
We also reserve a similar right to adjust declared TypeScript definitions or drop support for older versions of TypeScript in a minor release. The TypeScript language itself evolves quickly and often introduces breaking changes in its minor releases. Our team is also continuously learning how to leverage TypeScript more effectively - and the types improve as a result.
For these reasons, it is impractical for our team to be bound by decisions taken when an older version of TypeScript was its latest version or when we didn’t know how to declare our types in a better way. We won’t introduce declaration changes often - but we are more likely to do so than with runtime changes.
Packages
Most of the packages in the XState family declare a peer dependency on XState itself. We’ll be cautious about maintaining compatibility with already-released packages when releasing a new version of XState, but each release of packages depending on XState will always adjust the declared peer dependency range to include the latest version of XState. For example, you should always be able to update xstate without @xstate/react. But when you update @xstate/react, we highly recommend updating xstate too.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/nodejs.yml:13
- Info: found token with 'none' permissions: .github/workflows/release.yml:1
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 17/20 approved changesets -- score normalized to 8
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nodejs.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/statelyai/xstate/nodejs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/statelyai/xstate/release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/statelyai/xstate/release.yml/main?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Reason
101 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-64vr-g452-qvp3
- Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
- Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
- Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh
- Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
- Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
- Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
- Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
- Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
- Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-hwj9-h5mp-3pm3
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-qxrj-hx23-xp82
- Warn: Project is vulnerable to: GHSA-593f-38f6-jp5m
- Warn: Project is vulnerable to: GHSA-x2rg-q646-7m2v
- Warn: Project is vulnerable to: GHSA-mv48-hcvh-8jj8
- Warn: Project is vulnerable to: GHSA-353f-5xf4-qw67
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-vc8w-jr9v-vj7f
- Warn: Project is vulnerable to: GHSA-hqq7-2q2v-82xq
- Warn: Project is vulnerable to: GHSA-q8gg-vj6m-hgmj
- Warn: Project is vulnerable to: GHSA-h452-7996-h45h
- Warn: Project is vulnerable to: GHSA-36jr-mh4h-2g58
- Warn: Project is vulnerable to: GHSA-p3vf-v8qc-cwcr
- Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf
- Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674
- Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg
- Warn: Project is vulnerable to: GHSA-qrmc-fj45-qfc2
- Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
- Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-8mmm-9v2q-x3f9
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
- Warn: Project is vulnerable to: GHSA-pfq8-rq6v-vf5m
- Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-8g7p-74h8-hg48
- Warn: Project is vulnerable to: GHSA-pc5p-h8pf-mvwp
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c
- Warn: Project is vulnerable to: GHSA-x3vm-38hw-55wf
- Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
- Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-5g97-whc9-8g7j
- Warn: Project is vulnerable to: GHSA-8r4g-cg4m-x23c
- Warn: Project is vulnerable to: GHSA-6fw4-hr69-g3rv
- Warn: Project is vulnerable to: GHSA-gqgv-6jq5-jjj9
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
- Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
- Warn: Project is vulnerable to: GHSA-3f95-r44v-8mrg
- Warn: Project is vulnerable to: GHSA-28xr-mwxg-3qc8
- Warn: Project is vulnerable to: GHSA-9p95-fxvg-qgq2
- Warn: Project is vulnerable to: GHSA-9w5j-4mwv-2wj8
- Warn: Project is vulnerable to: GHSA-8225-6cvr-8pqp
- Warn: Project is vulnerable to: GHSA-8266-84wp-wv5c
- Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-c24v-8rfc-w8vw
- Warn: Project is vulnerable to: GHSA-8jhw-289h-jh2g
Score
5.7
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More