supply chain / tanstack-react-router

TanStack React Router

registrynpm

package name@tanstack/react-router

maintainerTanStack

TanStack React Router is a type-safe, file-based routing library for React applications, providing nested routes, search parameter management, and route-level data loading. It is the primary router for TanStack Start (the full-stack React framework). Applications using this package expose user-supplied URL paths and search parameters to route matching logic.

api usage

Checking TanStack React Router

@tanstack/react-router 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40tanstack%2Freact-router&version=1.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@tanstack/react-router",
  "version": "1.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Client-side routing libraries parse user-controlled URL input and match it against route definitions. The CVE-2026-45321 family affecting TanStack Router packages involves path traversal via encoded URL segments that bypass route guards.

Attestd monitors @tanstack/react-router using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TanStack Router Core TanStack React Start Next.js Response fields