@tanstack/[email protected]+gfinternaltest.1lw2753 rejected Risk: 85 No license

@tanstack/react-router @1.169.8+gfinternaltest.1lw2753

rejected

This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.

npm Repository Homepage

Risk Score

—

License

Install Scripts

Dependencies

Dev Dependencies

1247.1 KB

Package Size

—

Published

Keywords

reactlocationrouterroutingasyncasync routertypescript

Dependencies (4)

Package	Constraint	Registry Status
isbot	^5.1.22	auto_approved
@tanstack/history	1.161.6	auto_approved
@tanstack/react-store	^0.9.3	auto_approved
@tanstack/router-core	1.169.2	auto_approved

Dev Dependencies (10)

Package	Constraint	Registry Status
zod	^3.24.2	auto_approved
vite	*	auto_approved
react	^19.0.0	auto_approved
combinate	^1.1.11	Not imported
react-dom	^19.0.0	auto_approved
vibe-rules	^0.2.57	pending
@types/node	>=20	auto_approved
@vitejs/plugin-react	^4.3.4	auto_approved
@testing-library/react	^16.2.0	auto_approved
@testing-library/jest-dom	^6.6.3	auto_approved

Transitive Dependency Tree

9 transitive deps max depth 2

├─ @tanstack/history 1.161.6 → 1.161.6

├─ @tanstack/react-store ^0.9.3 → 0.9.3

├─ @tanstack/router-core 1.169.2 → 1.169.2

├─ isbot ^5.1.22 → 5.1.40

├─ @tanstack/history 1.161.6 → 1.161.6

├─ @tanstack/store 0.9.3

├─ cookie-es ^3.0.0 → 3.1.1

├─ seroval ^1.5.4 → 1.5.4

├─ seroval-plugins ^1.5.4 → 1.5.4

├─ use-sync-external-store ^1.6.0 → 1.6.0

Changes from v1.169.2

No metadata changes detected.

File Changes

1 added 0 removed 1 modified size delta: +2286.9 KB

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule	Source	Disposition	Author	Reason
`regressed-provenance`	provenance	reject	AI	AI (provenance): Provenance regression on a high-profile package with unknown publisher is a strong compromise signal.
`obfuscated-file:router_init.js`	source-diff	reject	AI	AI (source-diff): 2.3MB obfuscated file with hex-mangled identifiers is not legitimate build output for this package.
`url-dep:@tanstack/setup`	npm-metadata	reject	AI	AI (npm-metadata): SHA-pinned GitHub optionalDep bypasses registry; matches known attack vector for this namespace.

SAST Findings (4)

HIGH SHA-pinned github dependency (optionalDependencies): @tanstack/setup npm-metadata

Dependency '@tanstack/setup' in `optionalDependencies` points to 'github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH New obfuscated file: router_init.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

MEDIUM Missing npm registry signatures provenance

Package tarball is not signed by the npm registry. This is unusual for packages published after 2023.

Review Summary

Risk score: 85. Findings: 3 high (+75), 1 medium (+10).