@tanstack/react-start

100 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

tannerlinsley, tkdodo, alemtuzlak, kevinvandy, schiller-manuel

Keywords

react, location, router, routing, async, async router, typescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@tanstack/react-start-plugin | AI (dependencies): First-party sibling package from TanStack monorepo; pinned to same release version. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-handler | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/react-start-router-manifest | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-client | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-server | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-api-routes | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/react-start-config | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| dependencies | unvetted-dep:@tanstack/start-server-functions-ssr | AI (dependencies): First-party TanStack monorepo sub-package; stable pattern across releases. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): lachlancollins is a known TanStack collaborator; adding maintainers to a mature project is expected. | ai | |
| provenance | publisher-changed | AI (provenance): Transition from manual (tannerlinsley) to CI/CD (GitHub Actions) publishing with SLSA provenance. This is a security improvement, not a risk. | ai | |
| phantom-deps | phantom-dep:@tanstack/router-utils | AI (phantom-deps): Same-org sibling package from TanStack monorepo; phantom dep status is a packaging detail, not a security concern for this well-attested package. | ai | |

Versions (showing 100 of 438)

Version Deps Published
1.151.0 8 / 0
1.150.0 8 / 0
1.149.4 8 / 0
1.149.3 8 / 0
1.149.2 8 / 0
1.149.1 8 / 0
1.149.0 8 / 0
1.148.0 8 / 0
1.147.3 8 / 0
1.147.2 8 / 0
1.147.1 8 / 0
1.147.0 8 / 0
1.146.3 8 / 0
1.146.2 8 / 0
1.146.1 8 / 0
1.146.0 8 / 0
1.145.11 8 / 0
1.145.10 8 / 0
1.145.9 8 / 0
1.145.8 8 / 0
1.145.7 8 / 0
1.145.6 8 / 0
1.145.5 8 / 0
1.145.4 8 / 0
1.145.3 8 / 0
1.145.2 8 / 0
1.145.1 8 / 0
1.145.0 8 / 0
1.144.0 8 / 0
1.143.12 8 / 0
1.143.11 8 / 0
1.143.10 8 / 0
1.143.9 8 / 0
1.143.8 8 / 0
1.143.7 8 / 0
1.143.6 8 / 0
1.143.5 8 / 0
1.143.4 8 / 0
1.143.3 8 / 0
1.143.2 8 / 0
1.143.1 8 / 0
1.143.0 8 / 0
1.142.13 8 / 0
1.142.12 8 / 0
1.142.11 8 / 0
1.142.10 8 / 0
1.142.8 8 / 0
1.142.7 8 / 0
1.142.6 8 / 0
1.142.5 8 / 0
1.142.4 8 / 0
1.142.3 8 / 0
1.142.2 8 / 0
1.142.1 8 / 0
1.142.0 8 / 0
1.141.9 8 / 0
1.141.8 8 / 0
1.141.7 8 / 0
1.141.6 8 / 0
1.141.5 8 / 0
1.141.4 8 / 0
1.141.3 8 / 0
1.141.2 8 / 0
1.141.1 8 / 0
1.141.0 8 / 0
1.140.5 8 / 0
1.140.4 8 / 0
1.140.3 8 / 0
1.140.2 8 / 0
1.140.1 8 / 0
1.140.0 8 / 0
1.139.14 8 / 0
1.139.13 8 / 0
1.139.12 8 / 0
1.139.11 8 / 0
1.139.10 8 / 0
1.139.9 8 / 0
1.139.8 8 / 0
1.139.7 8 / 0
1.139.6 8 / 0
1.139.5 8 / 0
1.139.4 8 / 0
1.139.3 8 / 0
1.139.2 8 / 0
1.139.1 8 / 0
1.139.0 8 / 0
1.138.0 8 / 0
1.137.0 8 / 0
1.136.18 8 / 0
1.136.17 8 / 0
1.136.16 8 / 0
1.136.15 8 / 0
1.136.14 8 / 0
1.136.13 8 / 0
1.136.11 8 / 0
1.136.10 8 / 0
1.136.9 8 / 0
1.136.8 8 / 0
1.136.7 8 / 0
1.136.6 8 / 0

v1.147.2

2 findings
HIGH (provenance): Publisher changed: tannerlinsley → GitHub Actions (on 2026-01-10)

On 2026-01-10, this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.145.1

2 findings
HIGH (provenance): Publisher changed: tannerlinsley → GitHub Actions (on 2025-12-30)

On 2025-12-30, this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.142.6

2 findings
HIGH (provenance): Publisher changed: tannerlinsley → GitHub Actions (on 2025-12-21)

On 2025-12-21, this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.141.5

2 findings
HIGH (provenance): Publisher changed: tannerlinsley → GitHub Actions (on 2025-12-17)

On 2025-12-17, this version was published by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.139.8

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.139.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.136.11

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.