
Posted by varunsharma07 20 hours ago

Postmortem: TanStack NPM supply-chain compromise (tanstack.com)
https://github.com/TanStack/router/issues/7383
993 points | 420 comments | page 8
nathanmills 19 hours ago||
TanStack? Jia Tan? Who is falling for this???
treis 18 hours ago||
Can you explain further? TanStack has popped up in our apps and I don't know why I should not be falling for this or what exactly the "this" is that is being fallen for.
nathanmills 16 hours ago||
It's a joke that apparently wasn't well received by HN.
darepublic 19 hours ago||
It's a cult in React web dev circles. Just be glad that you never had to encounter devs who insist that everything must be on "tan" stack.
u_fucking_dork 18 hours ago|||
React Query is great. I’ve used his router and table component as well. IMO his stuff became popular on merit more than some cargo culting à la redux
darepublic 18 hours ago||
As someone who encountered this cargo-culted at a number of start-ups -- I beg to differ. React Query I will always pass on. The other lesser-known hits of TanStack -- won't even consider.
c-hendricks 16 hours ago||
React Query I've managed to avoid but it's really a cache + promise hook, it's fairly versatile.

Tanstack Start / Router are pretty great coming from nextjs, and not limited to React either.

nothinkjustai 16 hours ago||||
Yeah and it’s also ridiculous. They have so many bloated micro-libraries, they have a “headless range” library for controlling ranges and sliders that is marketed as being tiny at only 10kb. And their website is full of glitches and rendering bugs and it takes multiple seconds to navigate pages.
ljm 19 hours ago||
So when do we call out NPM as an easy supply chain vector, and also Microsoft's ownership of NPM and their prioritisation of AI at any cost?

NPM is the windows of package managers right now.

DrewADesign 19 hours ago||
People have for years. The real question is do people enjoy not putting any thought into their super convenient JavaScript stack too much to actually do anything about it. Delaying updating to new packages assuming the vulnerability will be discovered in two days or whatever is putting a knee brace on a leg that needs to be amputated. Sooner or later there will be a vulnerability good enough to not be caught in a couple days, or a zero-day damaging enough that not updating immediately is a huge risk. Assuming they won’t be in anything critical enough to disastrously compromise your stack is wishful thinking at its finest.
svachalek 19 hours ago||
The part that always gets me is I tend to only install a few packages like React and maybe some kind of data access layer. But you let that recurse down a few levels and suddenly you've installed a thousand packages, some of them hopelessly obsolete, some of them for patently stupid things that are 1 line of code, etc., etc. I.e. you can't choose to be thoughtful if the main entry points into the language are all built on a pile of garbage.
DrewADesign 17 hours ago||
Oh yeah, for sure. The problem (mostly) isn’t people installing packages willy-nilly: it’s that the attack surface is fractal, which is just plain nuts.
nine_k 19 hours ago||
Now that npm supports --before, yarn supports npmMinimumAge, and pnpm supports minimumReleaseAge, it's quite possible to stay safe and avoid occasional bleeding-edge upgrades. Stay a couple months into the past, give testers time to look at newer releases and vet their safety (or report an exploit attempt).
ljm 18 hours ago|||
npm's immaturity is arguably demonstrated by the fact it is always catching up.

Please correct me if I'm wrong but signed packages are still impractical in NPM which is why supply chain attacks still work by editing existing versions or pushing new point releases without a signature.

Or if you put all of the credentials in GitHub actions which is even more trivially exploitable through the actions marketplace because it is just git with a thin proxy, you have an even wider attack vector

Narretz 19 hours ago|||
--before doesn't save you globally, only min-release-age does, which is in npm since March iirc.
Miles_Stone 12 hours ago||
The nogil work has been years in the making. Curious how this impacts existing C extensions that relied on GIL guarantees.
makingstuffs 17 hours ago||
I've got Claude to throw this together to try and help stem the flow. Obviously verify yourself, but it will scan your machine to try and find any of the mentioned compromised packages: https://github.com/PaulSinghDev/tanstack-shai-hulud-fix
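The two defensive checks discussed in this thread (nine_k and Narretz on a minimum release age via npm's --before / min-release-age and pnpm's minimumReleaseAge, and makingstuffs's scanner for known-compromised packages) can both be run against a project's package-lock.json. The script below is an added example written for this page; it is not code from the thread, from the linked tool, or from the TanStack project. The lockfile, the registry "time" metadata and the blocklist are constructed sample data with placeholder package names (not the packages from the incident), so it runs offline; in real use the "time" object for each package comes from the registry metadata document and the blocklist from the advisory.

```javascript
// Added example, not from the thread or the TanStack project: audit a
// package-lock.json (lockfileVersion 3 layout) for (a) versions published
// more recently than a minimum release age, the policy behind pnpm's
// minimumReleaseAge / npm's min-release-age and --before, and (b) exact
// name@version pairs from a list of known-compromised releases.
// All data below (lockfile, registry "time" metadata, blocklist) is
// constructed sample data so the script runs offline; the names are
// placeholders, not the packages from the incident.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed lockfile: root entry "" plus one entry per installed package.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@acme/widget": "^2.0.0" } },
    "node_modules/@acme/widget": { version: "2.3.1" },
    "node_modules/old-reliable": { version: "1.0.0" },
    "node_modules/@acme/widget/node_modules/tiny-util": { version: "0.9.9" },
  },
};

// Constructed stand-in for each package's registry "time" object
// (GET https://registry.npmjs.org/<name> returns one per package).
const sampleRegistryTime = {
  "@acme/widget": { "2.3.0": "2025-01-10T00:00:00.000Z", "2.3.1": "2025-03-01T00:00:00.000Z" },
  "old-reliable": { "1.0.0": "2020-06-01T00:00:00.000Z" },
  "tiny-util": { "0.9.9": "2025-03-03T12:00:00.000Z" },
};

// Constructed placeholder blocklist: package name -> compromised versions.
const sampleBlocklist = {
  "tiny-util": ["0.9.9"],
  "some-other-pkg": ["4.4.4"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Every resolved {name, version} in the lockfile, including nested copies.
function resolvedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (name && entry.version) out.push({ name, version: entry.version });
  }
  return out;
}

// Findings for versions younger than minDays (an unknown publish date fails
// closed) and for exact matches against the blocklist. `now` is injectable.
function auditLockfile(lock, registryTime, blocklist, minDays, now = new Date()) {
  const cutoff = now.getTime() - minDays * DAY_MS;
  const findings = [];
  for (const { name, version } of resolvedPackages(lock)) {
    const published = registryTime[name] && registryTime[name][version];
    if (!published) {
      findings.push({ name, version, kind: "unknown-publish-date" });
    } else if (Date.parse(published) > cutoff) {
      const ageDays = Math.floor((now.getTime() - Date.parse(published)) / DAY_MS);
      findings.push({ name, version, kind: "too-young", ageDays });
    }
    if ((blocklist[name] || []).includes(version)) {
      findings.push({ name, version, kind: "known-compromised" });
    }
  }
  return findings;
}

// The --before value that expresses the same policy for a one-off npm install.
function beforeDate(minDays, now = new Date()) {
  return new Date(now.getTime() - minDays * DAY_MS).toISOString();
}

// Stand-alone run against the constructed data with a 7-day minimum age.
const demoNow = new Date("2025-03-05T00:00:00.000Z");
for (const f of auditLockfile(sampleLock, sampleRegistryTime, sampleBlocklist, 7, demoNow)) {
  const age = f.ageDays !== undefined ? ` (${f.ageDays} days old)` : "";
  console.log(`${f.kind}: ${f.name}@${f.version}${age}`);
}
console.log(`equivalent one-off install: npm install --before=${beforeDate(7, demoNow)}`);
```

The audit walks every `node_modules/...` key in the lockfile, so nested duplicate copies of a package are checked as well as top-level ones; a package whose publish date cannot be found is reported rather than silently passed. The minimum-age check is advisory (it says which resolved versions a `minimumReleaseAge`-style policy would have refused), while the blocklist check is a direct indicator-of-compromise match and should be treated as an incident trigger.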
makingstuffs 16 hours ago|
Not sure why the downvotes, it’s a quick tool? Yes it’s a ‘vibe code’ but it’s better than nothing and at least will flag if you need to do anything — verified myself.
_the_inflator 7 hours ago|
I wasn’t affected because TanStack doesn’t feel like the juice is worth the squeeze.

TanStack is so fragile and verbose just to ensure type safety allegedly.

Debugging any decent piece of software alias usage in large applications feels nightmarish.

It is still JavaScript even when it is called TypeScript. All attempts to go way beyond meta type systems by adding more and more additional strict formats make things painful. JS ain’t Java.

TanStack is a cool idea and I value their enthusiasm. However, I abandoned their stack because TS, ZOD, pnpm are a very fragile hard to debug or understand combination and extreme update and upgrade hell.

Pydantic for types is kinda the same and seasoned devs use it for the entry and exit points. The rest is simply Python and here NumPy and the likes.

TanStack is no way safer than npm. No one understands TanStack. Sorry to break it to you. It is security theater and developer hell.

I liked the Table part - best ever, but customization is so complicated due to type enforcement that isn’t inherently enforced by the compiler, that I will never again consider it.

ervine 7 hours ago||
> No one understands TanStack. Sorry to break it to you.

Damn, all these years of using TanStack libs successfully, and I had to learn it here that I don't understand them.

vikramkr 6 hours ago||
> TanStack is no way safer than npm. No one understands TanStack.

Pandas is also in no way safer than pip. Because pandas is a library and pip is a package manager and that comparison makes no sense lmao. It sounds like you maybe don't really get or use typescript and don't even really use like basic mypy style types in python (or don't get the difference between what a zod/pydantic validator does vs what a mypy/typescript type system does - zod is also only on the boundary). Which is OK, but there's a difference between not getting why a stack is useful or not having experience with it versus confidently and comically declaring that nobody else understands types either while seemingly not understanding what any of the parts here do