Olivia
Online
Flo
@ChaponFlo
France
Joined August 2017
130 Following
165 Followers
16 Posts
New in TanStack Router: more control over dynamic route params.
Use params.parse to accept or skip a candidate, with priority for overlapping dynamic params.
After a very thorough 3 day full security sweep and hardening process, we'd like to issue an official all clear ✅ on TanStack repo and package security. Full details have been updated in our post-mortem and security followup blog (linked below).
TL;DR:
- Only the Router/Start repo was affected. 42 monorepo packages, 2 versions per package. These were promptly deprecated within the hour and removed by NPM shortly after
- All other repos and packages were unaffected and remain secure including: Query, DB, Store, AI, Table, Form, HotKeys, Virtual, Pacer, Config, Devtools, CLI, Intent, etc.
- All available and published versions of every TanStack package are safe to download, including TanStack Router/Start.
https://t.co/KQSXhUM4XM
https://t.co/mtN9hF5Ioy
"Hardening TanStack After the npm Compromise", a followup to yesterday's post-mortem.
https://t.co/KDZQCrgfOe
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
Who to follow
Philippe Schlenker 🇫🇷 🇪🇺 🇺🇦 👨🏫
@phschlenker_ac
Senior Researcher, Institut Jean-Nicod, CNRS, Paris
Views expressed are my own. Retweet ≠ endorsement.
Eugen Fischer
@eugen_fischer
Professor of Experimental Philosophy @uniofeastanglia. Psycholinguistic methods. How stereotypes, metaphors, and belief conflicts shape philosophical thought.
De Oliveira Philippe
@phil_de_oli
Élève-ingénieur à l’École Centrale Marseille | Ex-Membre du BDE promo 2014 | Responsable Organisation Gala, 7ème édition
.@ChaponFlo is one of our most valuable maintainers on TanStack, easily. Tanner's assessment of being in top 1% of talent is an understatement.
He not only ships incredible code, but is a fantastic communicator and knows how to self-motivate to get the job DONE. Highly rec.
@tannerlinsley And check out some of the stuff I've been working on, we have some good blog posts https://t.co/7CoLiCTh7C
@tannerlinsley Thank you for the endorsement, I'm so hyped 🙌
One of our core TanStack Start/Router team, @ChaponFlo, is looking for his next full-time remote position.
Easily top 1% talent, highly skilled in perf, dev-facing tools, TS, full-stack, etc (including TanStack, obviously 😉)
If hiring, DM him. If not, spread the word.
@antfu7 @nuxtlabs @voidzerodev Can I help? I love devtools and vite, I'm a good TS dev. `sheraff` on github if you want to check me out.
Autoprefixer 10.2.1 was released. @ChaponFlo fixed transition-property warning.
https://t.co/qBddDY0Mpa
Release’s knight by Michael MacRae.
https://t.co/Mwgkz5C2CA
Damn it. I'm screaming into the void of Internet again...
@mattsurely Hey welcome to the world of online funny chart makers :-)
Trends for you
Most Popular Users
Elon Musk 
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers