@tanstack/react-query-persist-client

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

tannerlinsleytkdodoalemtuzlakkevinvandyschiller-manuel

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:build/umd/index.production.js	AI (source-diff): Standard minified UMD build output for TanStack Query; not obfuscation.	ai	2026/05/02
provenance	publisher-changed	AI (provenance): TanStack/query migrated to GitHub Actions CI publishing with SLSA attestation; stable pattern going forward.	ai	2026/05/02
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known TanStack contributors; legitimate team expansion.	ai	2026/05/02
dependencies	unvetted-dep:@tanstack/query-persist-client-core	AI (dependencies): Same-org monorepo sibling dependency; always published together at matching versions.	ai	2026/04/28

Versions (showing 14 of 114)

Version	Deps	Published
5.75.7	1 / 7	2025-05-09
5.75.6	1 / 7	2025-05-09
5.75.5	1 / 6	2025-05-07
5.75.4	1 / 6	2025-05-06
5.75.2	1 / 6	2025-05-04
5.75.1	1 / 6	2025-05-02
5.75.0	1 / 6	2025-05-01
5.74.11	1 / 6	2025-04-29
5.74.9	1 / 6	2025-04-29
5.74.8	1 / 6	2025-04-29
5.74.7	1 / 6	2025-04-27
4.44.0	1 / 9	2026-04-01
4.43.0	1 / 9	2026-01-28
4.42.1	1 / 9	2026-01-18

v5.75.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.75.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.11

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.9

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.8

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.74.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.44.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.43.0

3 findings

HIGH Publisher changed: tannerlinsley → GitHub Actions (on 2026-01-28) provenance

This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: build/umd/index.production.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.42.1

3 findings

HIGH Publisher changed: tannerlinsley → GitHub Actions (on 2026-01-18) provenance

This version was published by a different npm account than previous versions on 2026-01-18. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: build/umd/index.production.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.