@tanstack/react-start
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@tanstack/react-start-plugin | AI (dependencies): First-party sibling package from TanStack monorepo; pinned to same release version. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-handler | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/react-start-router-manifest | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-client | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-server | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-api-routes | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/react-start-config | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-ssr | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): lachlancollins is a known TanStack collaborator; adding maintainers to a mature project is expected. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from manual (tannerlinsley) to CI/CD (GitHub Actions) publishing with SLSA provenance. This is a security improvement, not a risk. | ai | |
| phantom-deps | phantom-dep:@tanstack/router-utils | AI (phantom-deps): Same-org sibling package from TanStack monorepo; phantom dep status is a packaging detail, not a security concern for this well-attested package. | ai |
Versions (showing 36 of 438)
| Version | Deps | Published |
|---|---|---|
| 1.132.2 | 7 / 0 | |
| 1.132.1 | 7 / 0 | |
| 1.132.0 | 7 / 0 | |
| 1.131.48 | 5 / 1 | |
| 1.131.34 | 5 / 1 | |
| 1.131.27 | 5 / 1 | |
| 1.131.24 | 5 / 1 | |
| 1.131.19 | 5 / 1 | |
| 1.131.17 | 5 / 1 | |
| 1.131.12 | 5 / 1 | |
| 1.130.14 | 5 / 1 | |
| 1.130.11 | 5 / 1 | |
| 1.130.10 | 5 / 1 | |
| 1.130.1 | 5 / 1 | |
| 1.129.8 | 5 / 1 | |
| 1.129.4 | 5 / 1 | |
| 1.128.5 | 5 / 1 | |
| 1.127.2 | 5 / 1 | |
| 1.126.2 | 5 / 1 | |
| 1.126.0 | 5 / 1 | |
| 1.125.4 | 5 / 1 | |
| 1.124.0 | 5 / 1 | |
| 1.123.1 | 5 / 1 | |
| 1.123.0 | 5 / 1 | |
| 1.121.35 | 5 / 1 | |
| 1.121.33 | 5 / 1 | |
| 1.121.27 | 5 / 1 | |
| 1.121.26 | 5 / 1 | |
| 1.121.19 | 5 / 1 | |
| 1.120.19 | 9 / 1 | |
| 1.120.14 | 9 / 1 | |
| 1.120.7 | 9 / 1 | |
| 1.120.0 | 9 / 1 | |
| 1.119.0 | 9 / 1 | |
| 1.117.2 | 9 / 1 | |
| 1.117.1 | 9 / 1 |
v1.132.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.126.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.120.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.119.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.117.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.117.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.