TanStack Lockfile Check
Paste a package.json, package-lock.json, pnpm-lock.yaml, or yarn.lock. This single-purpose scanner flags the exact affected TanStack versions from GHSA-g7cv-rxg3-hmpx plus the earlier unscoped tanstack typosquat versions. Nothing leaves your browser.
Copy-paste response pack
After each scan, copy a short report for an incident ticket, Slack update, or GitHub issue. It includes only the findings generated in your browser.
Scan text to detect npm, pnpm, yarn, or bun and generate safer clean-room commands.
Supply-chain prevention pack
Generate copy-paste package-manager policy snippets for the next incident: release-age cooldowns, script trust, and exotic dependency guardrails. These snippets stay local and are meant to be reviewed before committing.
What it detects
Exact malicious scoped @tanstack/* versions listed in GitHub advisory GHSA-g7cv-rxg3-hmpx, and the unscoped typosquat tanstack@2.0.4 through 2.0.7.
What to do if red
- Delete the lockfile and node_modules.
- Upgrade to patched versions.
- Rotate any npm, GitHub, cloud, SSH, Vault, or Kubernetes credentials reachable by the install process.
- Review CI and cloud audit logs.
New: prevention pack
After scanning, generate package-manager-specific hardening snippets: release-age gates, script trust controls, and pnpm exotic dependency blocking.
New: response pack
Copy a minimal triage report plus package-manager-aware clean-room commands after every scan, so teams can hand off findings without pasting the whole lockfile.
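The detection and response-pack behaviour described above (exact-version matching across the supported lockfile formats, package-manager detection, and clean-room reinstall commands), as an added example in plain JavaScript. This is not the page's own scanner code. The only affected versions it knows are the unscoped tanstack@2.0.4 through 2.0.7 range stated on this page; the scoped @tanstack/* entries are left as a placeholder to be filled from the advisory, and the sample lockfile fragments are constructed for the demo. Package-manager detection is a text heuristic, and bun.lock (JSONC) is detected but not parsed.

```javascript
// Added example (not the page's code): exact-version lockfile scanner plus
// package-manager detection and clean-room commands for a response pack.

// Affected versions. Only the unscoped range is on the page; fill the scoped
// entries from GHSA-g7cv-rxg3-hmpx before relying on this map.
const AFFECTED = {
  tanstack: ["2.0.4", "2.0.5", "2.0.6", "2.0.7"],
  // "@tanstack/<package>": ["<exact version from the advisory>"],  // placeholder
};

// Collect {name, version} pairs from package.json, package-lock.json,
// pnpm-lock.yaml or yarn.lock text. bun.lock (JSONC) is not parsed here.
function extractPackages(text) {
  const found = [];
  const t = text.trim();
  if (t.startsWith("{")) {
    let doc;
    try { doc = JSON.parse(t); } catch { return found; }  // JSONC or invalid JSON
    if (doc.packages) {                                    // npm lockfile v2/v3
      for (const [key, entry] of Object.entries(doc.packages)) {
        const i = key.lastIndexOf("node_modules/");         // "" is the root project
        if (i < 0 || !entry.version) continue;
        found.push({ name: key.slice(i + "node_modules/".length), version: entry.version });
      }
    } else if (doc.lockfileVersion === 1 && doc.dependencies) {  // npm lockfile v1
      const walk = (deps) => {
        for (const [name, e] of Object.entries(deps)) {
          if (e.version) found.push({ name, version: e.version });
          if (e.dependencies) walk(e.dependencies);
        }
      };
      walk(doc.dependencies);
    } else {                                               // plain package.json: exact pins only
      for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
        for (const [name, spec] of Object.entries(doc[field] || {})) {
          if (/^\d+\.\d+\.\d+$/.test(spec)) found.push({ name, version: spec });
        }
      }
    }
    return found;
  }
  if (/^lockfileVersion:/m.test(t)) {   // pnpm-lock.yaml, v6 "  /name@ver:" or v9 "  'name@ver':"
    const re = /^ {2}'?\/?((?:@[^\s/'@]+\/)?[^\s/'@]+)@(\d+\.\d+\.\d+[^\s':(]*)/gm;
    for (const m of t.matchAll(re)) found.push({ name: m[1], version: m[2] });
    return found;
  }
  // yarn.lock (classic and berry): unindented header, then an indented "version" line
  let current = null;
  for (const line of t.split("\n")) {
    const header = line.match(/^"?([^"\s,][^,]*?)"?(?:,.*)?:\s*$/);
    if (header) {
      const at = header[1].indexOf("@", 1);                 // skip a leading scope "@"
      current = at > 0 ? header[1].slice(0, at) : null;     // null for e.g. "__metadata:"
      continue;
    }
    const ver = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (ver && current) { found.push({ name: current, version: ver[1] }); current = null; }
  }
  return found;
}

// Exact matches only: a range such as "^2.0.4" in package.json is never flagged.
function scan(text) {
  const hits = new Set();
  for (const { name, version } of extractPackages(text)) {
    if (Object.prototype.hasOwnProperty.call(AFFECTED, name) && AFFECTED[name].includes(version)) {
      hits.add(`${name}@${version}`);
    }
  }
  return [...hits];
}

// Heuristic: which package manager wrote the pasted text.
function detectPackageManager(text) {
  const t = text.trim();
  if (/^lockfileVersion:/m.test(t)) return "pnpm";
  if (/^# yarn lockfile v1|^__metadata:/m.test(t)) return "yarn";
  if (t.startsWith("{") && /^ {2}"workspaces": \{/m.test(t)) return "bun";  // bun.lock keeps workspaces as an object
  if (t.startsWith("{") && /"lockfileVersion"\s*:/.test(t)) return "npm";
  return "unknown";
}

// Clean-room steps from the page: drop lockfile and node_modules, bump to patched
// versions, reinstall without lifecycle scripts. Yarn Berry has no --ignore-scripts
// flag; set enableScripts: false in .yarnrc.yml instead.
const LOCKFILES = { npm: "package-lock.json", pnpm: "pnpm-lock.yaml", yarn: "yarn.lock", bun: "bun.lock bun.lockb" };
function cleanRoomCommands(pm) {
  const install = LOCKFILES[pm] ? `${pm} install --ignore-scripts` : "<package-manager> install --ignore-scripts";
  return [
    `rm -rf node_modules ${LOCKFILES[pm] || "<lockfile>"}`,
    "# bump every flagged package to a patched version in package.json first",
    install,
  ];
}

function report(text) {
  const pm = detectPackageManager(text);
  return { packageManager: pm, findings: scan(text), commands: cleanRoomCommands(pm) };
}

// Constructed sample inputs (not real lockfiles) for a stand-alone run.
const SAMPLE_NPM_LOCK = JSON.stringify({ name: "demo", lockfileVersion: 3, packages: {
  "": { name: "demo", dependencies: { tanstack: "2.0.5" } },
  "node_modules/tanstack": { version: "2.0.5" },
  "node_modules/@tanstack/query-core": { version: "5.0.0" } } });
const SAMPLE_PNPM_LOCK = ["lockfileVersion: '9.0'", "", "packages:", "",
  "  '@tanstack/query-core@5.0.0':", "    resolution: {integrity: sha512-constructed}",
  "  tanstack@2.0.7:", "    resolution: {integrity: sha512-constructed}"].join("\n");
const SAMPLE_YARN_LOCK = ["# yarn lockfile v1", "", "tanstack@^2.0.0:", '  version "2.0.6"',
  '"@tanstack/query-core@^5.0.0":', '  version "5.0.0"'].join("\n");

for (const s of [SAMPLE_NPM_LOCK, SAMPLE_PNPM_LOCK, SAMPLE_YARN_LOCK]) console.log(JSON.stringify(report(s)));
```

Because matching is exact, a package.json that declares a range (for example `^2.0.4`) produces no finding; only a lockfile or an exact pin can tell you which version was actually installed, which is why the page asks for the lockfile rather than the manifest alone.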
Privacy
This page has no analytics, no network call, and no external JavaScript. Your pasted lockfile stays in local browser memory.
Affected scoped package table
Embedded from GitHub Security Advisory GHSA-g7cv-rxg3-hmpx, queried 2026-05-12 UTC. Clean families called out by the postmortem, such as Query/Table/Form/Virtual/Store, are not listed unless an exact advisory entry exists.
| Package | Malicious versions | Patched |
|---|---|---|