Our frontend is mostly class-based React components compiled with webpack 4 and Babel 6 (for context: those are old versions). And guess what? It all just works. New 3rd-party components also just work. Adding modern hooks-based functional components just works. And everything that worked 5 years ago still just works. I think the JS our tooling emits is backward compatible with IE9 and up, which is ridiculous and wasteful and also no problem at all.
Just don't upgrade random tooling all the time and you're good. Most widely used JS stuff has an excellent backward-compat story. (React itself is amazing in this regard, IMO.)
A corollary to this is that if you feel fatigued by having to constantly learn and upgrade your tooling, maybe you're just having regular old analysis paralysis and you're blaming the tooling for no good reason. Just use the tools you already know and get going! You can build fantastic, modern-feeling software using only tools and knowledge from a decade ago.
That's fine, but what do you do when your applicants back out of the hiring process when you tell them you use React 15? I guess all we can do is upgrade, specifically for this reason.
We tell them that they're free to do something about it. It's not uncommon for our newest hires to find some itch that was better in a previous job and make our setup better accordingly. They'll soon find that there's much more exciting stuff to work on but it's a good first or second task.
Note that we're on React 17 now. 15 to 16 was hard, but 17 was largely backward compatible. I expect 18 will be worth it too; the breakage is tiny. Like I said, React's backward-compat story is real nice, IMO :-) (and so is the tooling to help you address breaking changes).
Note, it was different ~5 years ago. When we wanted to upgrade from React 15 to 16 for better runtime speed, we had to upgrade Babel first, and that required a webpack upgrade, IIRC. It was a mess. But the ecosystem has matured a lot since then and we haven't done major setup changes since. It just works.
If you care a little bit about those critical / major security vulnerability alerts, and are working with NPM professionally, I shouldn't need to answer the question. If you are not, it's because NPM moves very fast, you can lock in your dependencies but soon enough they'll start signaling vulnerabilities.
We check out all these reports, but in 99% of the cases it's something like "if you pipe user data into this command line tool, then it's hackable!!" and said tool only gets used by our build toolchain and not by runtime code, so no user data ever gets piped there. We've not yet run into a must-upgrade Dependabot vuln that was also non-trivial to upgrade because of the infamous (but, in our experience, untrue) NPM dependency hell story.
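The triage described in the comment above (is the flagged package reachable from runtime code, or only from the build toolchain?) can be automated instead of done by hand. The following is an added example, not code from anyone in this thread: it walks the production dependency graph of a lockfile-v3-style `packages` map and classifies each advisory as `runtime`, `build-only`, `unaffected-version` or `not-installed`. The lockfile contents, package names and advisories are all constructed for the example; the tree is assumed to be flat (`node_modules/<name>`), whereas real npm installs can nest `node_modules` directories, so a production version would need to resolve nested paths. On recent npm versions `npm audit --omit=dev` performs a similar production-only scan.

```javascript
// Added example (not from the thread): classify npm advisories by whether the
// flagged package is reachable from runtime (production) dependencies or only
// from devDependencies such as the build toolchain.

// Constructed lockfile in the shape of npm's lockfile v3 "packages" map.
// Assumption: flat node_modules (no nested node_modules/<a>/node_modules/<b>).
const lock = {
  packages: {
    "": {
      dependencies: { "ui-lib": "^1.0.0" },
      devDependencies: { bundler: "^4.0.0" },
    },
    "node_modules/ui-lib": { version: "1.2.0", dependencies: { "dom-helper": "^2.0.0" } },
    "node_modules/dom-helper": { version: "2.1.0" },
    "node_modules/bundler": { version: "4.0.0", dev: true, dependencies: { "cli-shell": "^3.0.0" } },
    "node_modules/cli-shell": { version: "3.0.1", dev: true },
  },
};

// Constructed advisories; `affects` stands in for a semver range check.
const advisories = [
  { name: "cli-shell", severity: "critical", affects: (v) => v.startsWith("3.") },
  { name: "dom-helper", severity: "moderate", affects: (v) => v === "2.1.0" },
  { name: "left-out", severity: "high", affects: () => true },
];

// Resolve a dependency name to its lockfile entry (flat-tree assumption).
function entryFor(lockfile, name) {
  return lockfile.packages[`node_modules/${name}`];
}

// Breadth-first walk starting only from the root's production dependencies.
// Anything not visited here is pulled in solely through devDependencies.
function runtimeReachable(lockfile) {
  const seen = new Set();
  const queue = Object.keys(lockfile.packages[""].dependencies || {});
  while (queue.length) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    const entry = entryFor(lockfile, name);
    if (!entry) continue; // unresolved entry; a real install would have failed
    seen.add(name);
    queue.push(...Object.keys(entry.dependencies || {}));
  }
  return seen;
}

// Cross-check: lockfile entries whose `dev` flag disagrees with our walk.
// A mismatch means the flat-tree assumption is wrong or the lockfile is stale.
function devFlagMismatches(lockfile) {
  const runtime = runtimeReachable(lockfile);
  return Object.keys(lockfile.packages)
    .filter((p) => p.startsWith("node_modules/"))
    .map((p) => p.slice("node_modules/".length))
    .filter((name) => Boolean(entryFor(lockfile, name).dev) === runtime.has(name));
}

function triage(lockfile, advisoryList) {
  const runtime = runtimeReachable(lockfile);
  return advisoryList.map((adv) => {
    const entry = entryFor(lockfile, adv.name);
    if (!entry) return { name: adv.name, severity: adv.severity, status: "not-installed" };
    if (!adv.affects(entry.version)) {
      return { name: adv.name, severity: adv.severity, status: "unaffected-version" };
    }
    const status = runtime.has(adv.name) ? "runtime" : "build-only";
    return { name: adv.name, severity: adv.severity, status };
  });
}

// Usage: runtime hits are the ones that need a fix on their own schedule;
// build-only hits are the "pipe user data into this CLI" class from the thread.
for (const r of triage(lock, advisories)) {
  console.log(`${r.name}\t${r.severity}\t${r.status}`);
}
```

A `build-only` result is not automatically safe: a build tool that runs on untrusted input (for example, processing a contributor's pull request in CI) is still exposed, so the classification tells you which threat model applies, not that the finding can be ignored.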