Trending dev pain: TanStack npm supply-chain incident
Paste a package.json, package-lock.json, pnpm-lock.yaml, or yarn.lock. This single-purpose scanner flags exact affected TanStack versions from GHSA-g7cv-rxg3-hmpx plus the earlier unscoped tanstack typosquat versions. Nothing leaves your browser.
Browser-only. No install scripts. No upload. Covers 84 malicious scoped versions and 4 unscoped typosquat versions.
Paste manifest or lockfile
Tip: scan lockfiles first; manifests with ranges may not show the resolved installed version.
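The lockfile check described above, as an added example that is not the scanner's own code: it walks an npm package-lock.json (v1 nested tree or v2/v3 "packages" map) or a package.json and flags exact affected versions, reporting manifest ranges as unresolved rather than guessing. Only the unscoped tanstack@2.0.4-2.0.7 typosquat versions named on this page are listed; the scoped @tanstack/* entries are a placeholder to be filled from the GHSA-g7cv-rxg3-hmpx table, and the sample inputs are constructed.

```javascript
// Added example, not the scanner's own code: flags exact affected versions in an
// npm package-lock.json (v1 nested tree or v2/v3 "packages" map) or a package.json.
// ASSUMPTION: only the unscoped typosquat versions the page names are listed here;
// the scoped @tanstack/* entries are a placeholder to fill from GHSA-g7cv-rxg3-hmpx.
const AFFECTED = {
  tanstack: new Set(["2.0.4", "2.0.5", "2.0.6", "2.0.7"]),
  // "@tanstack/<package>": new Set(["<version from advisory>"]),
};
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // exact semver, not a range

function collectEntries(doc) {
  const out = [];
  if (doc.packages) {                               // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(doc.packages)) {
      if (path === "" || !meta.version) continue;   // skip the root project entry
      const i = path.lastIndexOf("node_modules/");  // "node_modules/".length === 13
      out.push({ name: meta.name || path.slice(i + 13), version: meta.version });
    }
    return out;
  }
  const walk = (deps) => {                          // v1 lockfile tree or manifest
    for (const [name, meta] of Object.entries(deps || {})) {
      if (typeof meta === "string") out.push({ name, version: meta }); // manifest range
      else if (meta.version) { out.push({ name, version: meta.version }); walk(meta.dependencies); }
    }
  };
  walk(doc.dependencies); walk(doc.devDependencies);
  return out;
}

// Returns exact hits plus any affected package whose manifest range cannot be resolved.
function scan(text) {
  const findings = [], unresolved = [];
  for (const { name, version } of collectEntries(JSON.parse(text))) {
    if (!AFFECTED[name]) continue;
    if (!EXACT.test(version)) unresolved.push(`${name}@${version}`); // range: scan the lockfile
    else if (AFFECTED[name].has(version)) findings.push(`${name}@${version}`);
  }
  return { findings, unresolved };
}

// Constructed samples: a v3 lockfile carrying the typosquat, and a manifest with a range.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/tanstack": { version: "2.0.5" },
  "node_modules/lodash": { version: "4.17.21" } } });
const SAMPLE_MANIFEST = JSON.stringify({ dependencies: { tanstack: "^2.0.4", lodash: "^4.17.21" } });
console.log(scan(SAMPLE_LOCK));     // → { findings: ["tanstack@2.0.5"], unresolved: [] }
console.log(scan(SAMPLE_MANIFEST)); // → { findings: [], unresolved: ["tanstack@^2.0.4"] }
```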
After each scan, copy a short report for an incident ticket, Slack update, or GitHub issue. It includes only the findings generated in your browser.
Package-manager-aware rebuild commands
Scan text to detect npm, pnpm, yarn, or bun and generate safer clean-room commands.
Generate copy-paste package-manager policy snippets for the next incident: release-age cooldowns, script trust, and exotic dependency guardrails. These snippets stay local and are meant to be reviewed before committing.
Exact malicious scoped @tanstack/* versions from GitHub advisory GHSA-g7cv-rxg3-hmpx and unscoped tanstack@2.0.4-2.0.7.
After scanning, generate package-manager-specific hardening snippets: release-age gates, script trust controls, and pnpm exotic dependency blocking.
Copy a minimal triage report plus package-manager-aware clean-room commands after every scan, so teams can hand off findings without pasting the whole lockfile.
This page has no analytics, no network call, and no external JavaScript. Your pasted lockfile stays in local browser memory.
Embedded from GitHub Security Advisory GHSA-g7cv-rxg3-hmpx, queried 2026-05-12 UTC. Clean families called out by the postmortem, such as Query/Table/Form/Virtual/Store, are not listed unless an exact advisory entry exists.
| Package | Malicious versions | Patched |
|---|---|---|