TanStack Devtools version
v0.11.2
Framework/Library version
react v19.2.5
Describe the bug and the steps to reproduce it
We use some TanStack components but believe that our versions were locked to versions prior to the compromised versions.
Having said that, while doing some research I noticed that our CI tests had been failing since 2026-05-06 07:30:00 UTC because of a missing @tanstack/devtools-vite package.
The successful run immediately prior to that was at 2026-05-06 07:04:00 UTC.
I assumed that our test failures were caused by a response to the attack reported on 2026-05-11, but the fact that they predated it by 5 days may be relevant to your compromise analysis iff the missing package is a side effect of the malicious actor's prior actions. If the malicious actor was responsible for the missing package, then these two timestamps might be useful to review.
static | 127.0.0.1 - - [06/May/2026:07:30:38 +0000] "GET /atlas/ HTTP/1.1" 200 1898 "-" "curl/8.14.1" "-"
cx | ╭─[ vite.config.ts:2:26 ]
static | 127.0.0.1 - - [06/May/2026:07:30:43 +0000] "GET /atlas/ HTTP/1.1" 200 1898 "-" "curl/8.14.1" "-"
cx | │
cx | 2 │ import *** devtools *** from "@tanstack/devtools-vite";
cx | │ ────────────┬────────────
cx | │ ╰────────────── Module not found, treating it as an external dependency
cx | ───╯
cx |
cx | vite.config.ts (4:31) [UNRESOLVED_IMPORT] Warning: Could not resolve '@tanstack/router-plugin/vite' in vite.config.ts
cx | ╭─[ vite.config.ts:4:32 ]
cx | │
mail | time="2026/05/06 17:29:47" level=debug msg="[db] applied schema: 1.23.0.sql"
Your Minimal, Reproducible Example - (Sandbox Highly Recommended)
The issue is not reproducible - the packages are now being resolved. What I am reporting is that the packages were previously missing from the npm repo in the days preceding the supply chain attack. This might be relevant if you cannot otherwise explain why the packages were missing from the npm repo in that time frame.
The module not found error no longer occurs, presumably because all the packages were rebuilt and republished from a clean source.
Screenshots or Videos (Optional)
No response
Do you intend to try to help solve this bug with your own PR?
None
Terms & Code of Conduct