
@tanstack/solid-query

Primitives for managing, caching and syncing asynchronous and remote data in Solid

Versions: 6
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

tannerlinsley, tkdodo, alemtuzlak, kevinvandy, schiller-manuel

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): TanStack/query uses GitHub Actions for automated releases; CI publisher is expected and backed by SLSA attestation. | ai |
source-diff | obfuscated-file: build/umd/index.production.js | AI (source-diff): Standard minified UMD bundle; consistent with TanStack/query build output across all versions. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): v4 maintenance release alongside active v5; long gap expected for older major version. | ai |
semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() used in a Proxy handler for transparent property forwarding — idiomatic JS, not obfuscation. | ai |

Versions (showing 6 of 106)

Version | Deps | Published
5.74.10 | 1 / 5 |
5.74.9 | 1 / 5 |
5.74.7 | 1 / 5 |
4.44.0 | 1 / 1 |
4.43.0 | 1 / 1 |
4.41.1 | 1 / 1 |

v5.74.10

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.9

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.7

1 finding
INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.44.0

2 findings
HIGH  New obfuscated file: build/umd/index.production.js  [source-diff]

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.43.0

2 findings
HIGH  Publisher changed: tannerlinsley → GitHub Actions (on 2026-01-28)  [provenance]

This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.41.1

2 findings
HIGH  Publisher changed: tannerlinsley → GitHub Actions (on 2026-01-18)  [provenance]

This version was published by a different npm account than previous versions on 2026-01-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.