TanStack React Start
npm@tanstack/react-startTanStack React Start is the full-stack React meta-framework built on TanStack Router and Nitro, providing server-side rendering, server functions, and API routes. It is the JavaScript counterpart to frameworks like Next.js and Remix, targeted at React applications that require collocated server and client code.
Checking TanStack React Start
@tanstack/react-start 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=%40tanstack%2Freact-start&version=1.56.0" \
-H "Authorization: Bearer YOUR_API_KEY"{
"product": "@tanstack/react-start",
"version": "1.56.0",
"supported": true,
"risk_state": "none",
"supply_chain": {
"compromised": false,
"sources": [],
"malware_type": null,
"description": null,
"advisory_url": null,
"compromised_at": null,
"removed_at": null
},
"last_updated": "2026-05-01T00:00:00Z"
}Why this package is monitored
Full-stack meta-frameworks run on the server and have access to environment variables, database connections, and filesystem resources. A backdoored version can intercept server function arguments, which often include user authentication data and database query parameters.
Attestd monitors @tanstack/react-start using the following detection sources:
registryManually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osvOSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
npm_deprecationnpm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.