chore: pin @tanstack router deps to non-malicious versions #483
Merged
gabitoesmiapodo merged 2 commits, May 12, 2026
Conversation
Interim mitigation for GHSA-g7cv-rxg3-hmpx / CVE-2026-45321. The advisory's patched versions (react-router 1.169.9, react-router-devtools 1.166.20, router-cli 1.166.50, router-plugin 1.167.42) are not yet published to npm. Replace ^ ranges with exact pins on the current latest non-malicious builds to neutralise the caret-drift exposure on fresh resolutions until the patched releases land:
- @tanstack/react-router: ^1.168.10 -> 1.169.2
- @tanstack/react-router-devtools: ^1.166.11 -> 1.166.13
- @tanstack/router-cli: ^1.166.25 -> 1.166.43
- @tanstack/router-plugin: ^1.167.12 -> 1.167.35
All transitive @tanstack/* lockfile entries verified to sit below the malicious windows after pnpm install. Lint, tests (213/213), and build all pass.
Refs #482
Contributor
Pull request overview
Pins TanStack Router-related direct dependencies to exact currently-available non-malicious versions to prevent caret-range drift into the reported compromised version windows, and regenerates the pnpm lockfile accordingly.
Changes:
- Replace ^ ranges with exact pins for @tanstack/react-router, @tanstack/react-router-devtools, @tanstack/router-cli, and @tanstack/router-plugin.
- Regenerate pnpm-lock.yaml so the resolved tree reflects the pinned router packages and updated safe transitive versions.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Pins the four direct TanStack Router packages to exact safe versions to avoid future ^ drift. |
| pnpm-lock.yaml | Updates lockfile to match the pinned versions and refreshed transitive resolutions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Summary
Refs #482
Important
Interim mitigation, not the final fix. The patched versions named in GHSA-g7cv-rxg3-hmpx (@tanstack/react-router@1.169.9, react-router-devtools@1.166.20, router-cli@1.166.50, router-plugin@1.167.42) are not yet published to npm as of 2026-05-12 (npm view returns 404; the registry tops out below the malicious window). This PR therefore pins direct deps to exact current latest non-malicious builds to neutralise the ^-drift exposure today. Issue #482 must remain open until the GHSA-listed patched versions land on npm; a follow-up PR will move the pins to those versions then.

Replaces ^ ranges on the four direct @tanstack/* router deps with exact pins so future fresh resolutions (deleted lockfile, pnpm update, Renovate/Dependabot) cannot land on the malicious 2026-05-11 supply-chain compromise window (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx).

Changes
- @tanstack/react-router: ^1.168.10 → 1.169.2 (exact)
- @tanstack/react-router-devtools: ^1.166.11 → 1.166.13 (exact)
- @tanstack/router-cli: ^1.166.25 → 1.166.43 (exact)
- @tanstack/router-plugin: ^1.167.12 → 1.167.35 (exact)
- pnpm-lock.yaml; all 10 affected @tanstack/* entries (direct + transitive) verified below their respective malicious windows.

Acceptance criteria
Mirroring the issue. Items prefixed with [interim] are completed by this PR; items prefixed with [follow-up] are intentionally deferred until TanStack publishes the GHSA-listed patched versions and remain owned by #482.
- package.json to the patched releases (or higher):
  - @tanstack/react-router → ^1.169.9
  - @tanstack/react-router-devtools → ^1.166.20
  - @tanstack/router-cli → ^1.166.50
  - @tanstack/router-plugin → ^1.167.42
- pnpm-lock.yaml and confirm no transitive @tanstack/* version falls in a vulnerable range.
- pnpm wagmi-generate, pnpm routes:generate, pnpm lint, pnpm test, and pnpm build to confirm the bump is non-breaking.
- ^-drift while patched versions are unavailable on npm.

Test plan
Automated tests
No automated tests added (dependency-only change). Existing suite re-run as regression coverage.
- pnpm lint — clean
- pnpm test — 213/213 passing
- pnpm build — tsc --noEmit + vite build succeeded
- pnpm routes:generate — routeTree.gen.ts regenerates cleanly under new router-cli / router-plugin / router-generator versions

Manual verification
- pnpm dev and navigate between at least two routes to confirm TanStack Router still mounts at runtime.
- pnpm-lock.yaml and confirm no @tanstack/* entry resolves into a malicious window:
  - react-router / router-core: not 1.169.5–1.169.8
  - react-router-devtools: not 1.166.16–1.166.19
  - router-cli: not 1.166.46–1.166.49
  - router-generator: not 1.166.45–1.166.48
  - router-plugin: not 1.167.38–1.167.41
  - router-devtools-core: not 1.167.6–1.167.9
  - history: not 1.161.9–1.161.12
  - router-utils: not 1.161.11–1.161.14
  - virtual-file-routes: not 1.161.10–1.161.13

Breaking changes
None.
Checklist
Screenshots
None.
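A scripted form of the lockfile inspection step from the manual-verification list, added here as an example (not code from this PR or from TanStack): it scans pnpm-lock.yaml text for resolved @tanstack/* entries and reports any whose version falls inside the malicious windows the checklist names. It assumes resolved packages appear as name@x.y.z keys in the lockfile's packages/snapshots sections; the lockfile fragment below is constructed.

```python
import re

# Inclusive malicious version windows for the 2026-05-11 compromise, taken from the
# PR's manual-verification checklist (router-core shares react-router's window).
MALICIOUS_WINDOWS = {
    "@tanstack/react-router": ("1.169.5", "1.169.8"),
    "@tanstack/router-core": ("1.169.5", "1.169.8"),
    "@tanstack/react-router-devtools": ("1.166.16", "1.166.19"),
    "@tanstack/router-cli": ("1.166.46", "1.166.49"),
    "@tanstack/router-generator": ("1.166.45", "1.166.48"),
    "@tanstack/router-plugin": ("1.167.38", "1.167.41"),
    "@tanstack/router-devtools-core": ("1.167.6", "1.167.9"),
    "@tanstack/history": ("1.161.9", "1.161.12"),
    "@tanstack/router-utils": ("1.161.11", "1.161.14"),
    "@tanstack/virtual-file-routes": ("1.161.10", "1.161.13"),
}

# Assumption: each resolved package appears as a "name@x.y.z" key (pnpm v9 packages/
# snapshots sections; older "/name@x.y.z" keys also match). Caret ranges never match.
_RESOLVED = re.compile(r"(@tanstack/[a-z0-9-]+)@(\d+\.\d+\.\d+)")

def semver_tuple(version: str) -> tuple:
    # Numeric compare: 1.167.10 sorts above 1.167.9 (a string compare gets this wrong).
    return tuple(int(part) for part in version.split("."))

def in_window(version: str, window: tuple) -> bool:
    low, high = window
    return semver_tuple(low) <= semver_tuple(version) <= semver_tuple(high)

def find_malicious(lockfile_text: str) -> list:
    """Return sorted (package, version) pairs whose version lies inside a malicious window."""
    hits = set()
    for name, version in _RESOLVED.findall(lockfile_text):
        window = MALICIOUS_WINDOWS.get(name)
        if window and in_window(version, window):
            hits.add((name, version))
    return sorted(hits)

# Constructed lockfile fragment: router-core inside its window, history just below
# its window, router-devtools-core just above (the numeric-compare edge case).
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
packages:
  '@tanstack/router-core@1.169.6':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@tanstack/history@1.161.8':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@tanstack/router-devtools-core@1.167.10':
    resolution: {integrity: sha512-CONSTRUCTED}
"""
```

On a real checkout, `find_malicious(open("pnpm-lock.yaml").read())` returning an empty list is the pass condition for that checklist item.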