Hacker News

Postmortem: TanStack NPM supply-chain compromise

907 points by varunsharma07, yesterday at 9:08 PM | 376 comments

https://github.com/TanStack/router/issues/7383


Comments

slopinthebag, yesterday at 9:45 PM

My decision to abandon the JS ecosystem and language entirely continues to pay off. What a mess...

I am, however, concerned that this will pwn my workplace. We don't use Tanstack but this seems self-propagating and I doubt all of our dependencies are doing enough to prevent it.

show 4 replies
shevy-java, today at 10:21 AM

NPM is a never-ending joy of daily what-the-fudges.

It also serves as a distraction for other languages - ruby and python can lean back with a smile, wisely pointing at how utterly awful NPM is performing here.

anonymousab, today at 5:34 AM

Yet another day where `pull_request_target` is allowed to exist and cause tons of pain. They really ought to kill it off by now.
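For readers who have not run into the trigger the comment refers to, here is a constructed GitHub Actions example (added here; it is not TanStack's workflow and not part of the thread) showing the risky shape beside a hardened one. The workflow, job and secret names are made up. `pull_request_target` runs with the base repository's secrets and token, so checking out and installing code from a fork under it hands a contributor's lifecycle scripts those credentials; the plain `pull_request` trigger runs with a read-only, secret-less context for forks.

```yaml
# --- Risky pattern (constructed example) ---
# pull_request_target runs in the BASE repo's context: secrets are available and
# the default token can be write-capable. Checking out the PR head and running
# npm ci here executes the fork's install/postinstall scripts with those rights.
name: ci-risky
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # code from the fork
      - run: npm ci        # lifecycle scripts from the PR run with NPM_TOKEN in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # hypothetical secret name
---
# --- Hardened pattern (constructed example) ---
# pull_request: fork PRs get no secrets and a read-only token. Permissions are
# pinned to the minimum, the git credential is not left on disk, and dependency
# lifecycle scripts are skipped for the test run.
name: ci-hardened
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts
      - run: npm test
```

If a job genuinely needs `pull_request_target` (for example to label PRs), keep it to steps that never check out or execute the contributor's code, and keep publishing credentials out of any workflow that runs on untrusted input.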

idoxer, yesterday at 10:59 PM

Ah shit, here we go again

rvz, yesterday at 10:02 PM

Once again, Shai-Hulud wreaking havoc in the Javascript and Typescript ecosystems via NPM.

One of the worst ecosystems that has been brought into the software industry and it is almost always via NPM. Not even Cargo (Rust) or go mod (Golang) get as many attacks because at least with the latter, they encourage you to use the standard library.

Both Javascript and Typescript have none and want you to import hundreds of libraries, increasing the risk of a supply chain attack.

At this point, JS and TS are considered harmful.

show 8 replies
gajus, yesterday at 10:00 PM

Reminder to secure your npm environments.

https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f...

Just a handful of settings to save a whole lot of trouble.

show 6 replies
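The linked post is truncated above, so as an added illustration (mine, not gajus's post and not TanStack's configuration) here is a constructed `pnpm-workspace.yaml` showing two settings a team can use to blunt a freshly published malicious version. It assumes pnpm 10.16 or newer, where `minimumReleaseAge` is available, and relies on pnpm 10's default of not running dependency lifecycle scripts unless a package is listed in `onlyBuiltDependencies`.

```yaml
# pnpm-workspace.yaml (constructed example; assumes pnpm >= 10.16)
packages:
  - "packages/*"

# Refuse to resolve any version published less than 24 hours (1440 minutes)
# ago. A compromised maintainer account usually pushes a new version that is
# pulled by the next `pnpm install` within minutes; a cooling-off window gives
# the registry and the community time to yank it before it reaches your tree.
minimumReleaseAge: 1440

# pnpm 10 blocks install/postinstall scripts of dependencies by default and
# prints the packages it skipped. Keep this allow-list empty unless a package
# really needs a native build; review each entry when it is added.
onlyBuiltDependencies: []
```

Pair this with a committed lockfile and `pnpm install --frozen-lockfile` in CI so an automated build cannot silently pick up a new version at all.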
openclawclub, today at 11:19 AM

[flagged]

Serhii-Set, today at 11:39 AM

[dead]

tornikeo, today at 8:13 AM

[dead]

ramon156, today at 8:00 AM

[dead]

omji-krypto, today at 1:31 AM

[flagged]

Amber-chen, today at 1:54 AM

[flagged]

cavemanDigAI, today at 3:12 AM

[dead]

Charlotte_Wang, today at 7:04 AM

[dead]

nathanmills, yesterday at 10:22 PM

TanStack? Jia Tan? Who is falling for this???

show 2 replies
ljm, yesterday at 9:51 PM

[flagged]

show 2 replies
Miles_Stone, today at 4:47 AM

The nogil work has been years in the making. Curious how this impacts existing C extensions that relied on GIL guarantees.

makingstuffs, today at 12:18 AM

I've got Claude to throw this together to try and help stem the flow. Obviously verify yourself, but it will scan your machine to try and find any of the mentioned compromised packages: https://github.com/PaulSinghDev/tanstack-shai-hulud-fix

show 1 reply
_the_inflator, today at 10:30 AM

I wasn’t affected because TanStack doesn’t feel like the juice is worth the squeeze.

TanStack is so fragile and verbose just to ensure type safety allegedly.

Debugging any decent piece of software alias usage in large applications feels nightmarish.

It is still JavaScript even when it is called TypeScript. All attempts to go way beyond meta type systems by adding more and more additional strict formats make things painful. JS ain’t Java.

TanStack is a cool idea and I value their enthusiasm. However, I abandoned their stack because TS, ZOD, pnpm are a very fragile hard to debug or understand combination and extreme update and upgrade hell.

Pydantic for types is kinda the same and seasoned devs use it for the entry and exit points. The rest is simply Python and here NumPy and the likes.

TanStack is in no way safer than npm. No one understands TanStack. Sorry to break it to you. It is security theater and developer hell.

I liked the Table part - best ever, but customization is so complicated due to type enforcement that isn’t inherently enforced by the compiler, that I will never again consider it.

show 2 replies