GHSA-g7cv-rxg3-hmpx

Source

https://github.com/advisories/GHSA-g7cv-rxg3-hmpx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g7cv-rxg3-hmpx

Aliases

CVE-2026-45321

Published

2026-05-12T00:12:49Z

Modified

2026-05-12T17:07:47.880920Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Details

Summary

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity.

Each affected package received exactly two malicious versions, published a few minutes apart.

Impact

A user installing any affected version executes a payload (~2.3 MB obfuscated router_init.js) at install time that:

Harvests credentials from common locations:
- AWS instance metadata (IMDS) and Secrets Manager
- GCP metadata service
- Kubernetes service-account tokens
- HashiCorp Vault tokens
- ~/.npmrc (npm tokens)
- GitHub tokens (env vars, gh CLI config, .git-credentials)
- SSH private keys (~/.ssh/)
Exfiltrates harvested data over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org). This is end-to-end encrypted with no attacker-controlled C2, so blocking by IP or domain is the only network mitigation.
Enumerates packages that the victim maintains via registry.npmjs.org/-/v1/search?text=maintainer:<user> and republishes them with the same injection, propagating the compromise across npm.

Any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised. All credentials accessible to the install process should be rotated immediately. Cloud audit logs should be reviewed for activity originating from the affected hosts during and after the install window.

Detection

Inspect the published manifest of any pinned @tanstack/* version. Malicious manifests contain this exact optionalDependencies entry:

"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}

To check a version without running install scripts:

npm pack @tanstack/<name>@<version>   # downloads tarball; does NOT execute lifecycle scripts
tar -xzf *.tgz
grep -A3 optionalDependencies package/package.json
ls -la package/router_init.js   # malicious payload, ~2.3 MB, present at package root

The payload file router_init.js is approximately 2.3 MB of obfuscated JavaScript. It is placed at the tarball root and is intentionally not declared in the package's "files" array, so it does not appear in the package's documented contents.

Mechanism

@tanstack/setup is not a real package on the npm registry. The github:tanstack/router#79ac49ee... specifier resolves to an orphan commit pushed to a fork in the tanstack/router GitHub fork network. GitHub serves commits across the entire fork network for git-URL dependencies, so the attacker did not require write access to TanStack/router itself — only the ability to fork and push to their own fork.

When npm processes the optional dependency, it:

Fetches the orphan commit from the fork network.
Installs the commit's declared dependencies (which include a real bun binary).
Runs the commit's prepare lifecycle script: bun run tanstack_runner.js && exit 1. The trailing exit 1 causes the optional install to fail, after which npm silently discards it — leaving no node_modules trace.
The tanstack_runner.js script in turn executes router_init.js from the host package's tarball.

Patches

Affected versions are being deprecated on npm with a SECURITY: notice. Where npm policy allows (no existing third-party dependents), affected versions are also being unpublished. The npm security team has been engaged to pull tarballs server-side for versions that cannot be unpublished.

Clean follow-up releases are being prepared. Update to the patched version listed in the affected-products table for each package, then reinstall from a clean lockfile.

Workarounds

Until clean follow-up releases are available:

Pin every @tanstack/* dependency to a known-good version published before 2026-05-11 19:00 UTC. The last known-good version for most affected packages was published on 2026-03-15.
Delete node_modules and the lockfile, then reinstall to ensure no transitive dependency resolves to a malicious version.
Configure npm to skip lifecycle scripts on install (npm config set ignore-scripts true) as a temporary defense-in-depth measure.
For CI, audit any pipeline that ran install against @tanstack/* between 19:20 and 19:30 UTC on 2026-05-11. Treat the runner as compromised and rotate any secrets it had access to.

Indicators of compromise

| Indicator | Value | |---|---| | Malicious git ref | github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c | | Fictitious package name | @tanstack/setup | | Payload filename | router_init.js (~2.3 MB, package root, undeclared in files) | | Helper filename in orphan commit | tanstack_runner.js | | Exfiltration network | filev2.getsession.org, seed1.getsession.org, seed2.getsession.org, seed3.getsession.org | | Second-stage payload URLs | https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs | | Poisoned cache key | Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 | | Publish window (UTC) | 2026-05-11 19:20 — 19:26 | | Publish mechanism | GitHub Actions OIDC trusted publisher (oidc:db7d6f54-05d5-412b-8a10-e7a8398b303e) | | Workflow runs | https://github.com/TanStack/router/actions/runs/25613093674 (attempt 4), https://github.com/TanStack/router/actions/runs/25691781302 | | Attacker GitHub accounts | zblgg (id 127806521), voicproducoes (id 269549300) | | Attacker fork (renamed to evade detection) | https://github.com/zblgg/configuration |

Credits

The security researcher who initially disclosed the vulnerability publicly with detailed analysis at https://github.com/TanStack/router/issues/7383

References

Public incident tracking issue: https://github.com/TanStack/router/issues/7383
Related research:
- Adnan Khan, "The Monsters in Your Build Cache: GitHub Actions Cache Poisoning" (May 2024)
- GitHub Security Lab, "Keeping your GitHub Actions and workflows secure: Preventing Pwn Requests"
- StepSecurity, "tj-actions/changed-files action is compromised" (March 2025) — the malicious payload reuses this incident's runner-memory extraction technique verbatim

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T00:12:49Z",
    "cwe_ids": [
        "CWE-506"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2026-05-12T01:16:46Z"
}

References

Affected packages

npm

@tanstack/arktype-adapter

Package

Name: @tanstack/arktype-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/arktype-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.12

Fixed

1.166.16

Affected versions

1.*

1.166.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/eslint-plugin-router

Package

Name: @tanstack/eslint-plugin-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/eslint-plugin-router

Affected ranges

Type: SEMVER
Events: Introduced

1.161.9

Fixed

1.161.13

Affected versions

1.*

1.161.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/eslint-plugin-start

Package

Name: @tanstack/eslint-plugin-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/eslint-plugin-start

Affected ranges

Type: SEMVER
Events: Introduced

0.0.4

Fixed

0.0.8

Affected versions

0.*

0.0.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/history

Package

Name: @tanstack/history; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/history

Affected ranges

Type: SEMVER
Events: Introduced

1.161.9

Fixed

1.161.13

Affected versions

1.*

1.161.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/nitro-v2-vite-plugin

Package

Name: @tanstack/nitro-v2-vite-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/nitro-v2-vite-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.154.12

Fixed

1.154.16

Affected versions

1.*

1.154.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router

Package

Name: @tanstack/react-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.5

Fixed

1.169.9

Affected versions

1.*

1.169.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router-devtools

Package

Name: @tanstack/react-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.16

Fixed

1.166.20

Affected versions

1.*

1.166.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router-ssr-query

Package

Name: @tanstack/react-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.19

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start

Package

Name: @tanstack/react-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.68

Fixed

1.167.72

Affected versions

1.*

1.167.68

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-client

Package

Name: @tanstack/react-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.51

Fixed

1.166.55

Affected versions

1.*

1.166.51

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-rsc

Package

Name: @tanstack/react-start-rsc; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-rsc

Affected ranges

Type: SEMVER
Events: Introduced

0.0.47

Fixed

0.0.51

Affected versions

0.*

0.0.47

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-server

Package

Name: @tanstack/react-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.55

Fixed

1.166.59

Affected versions

1.*

1.166.55

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-cli

Package

Name: @tanstack/router-cli; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-cli

Affected ranges

Type: SEMVER
Events: Introduced

1.166.46

Fixed

1.166.50

Affected versions

1.*

1.166.46

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-core

Package

Name: @tanstack/router-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-core

Affected ranges

Type: SEMVER
Events: Introduced

1.169.5

Fixed

1.169.9

Affected versions

1.*

1.169.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-devtools

Package

Name: @tanstack/router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.16

Fixed

1.166.20

Affected versions

1.*

1.166.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-devtools-core

Package

Name: @tanstack/router-devtools-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-devtools-core

Affected ranges

Type: SEMVER
Events: Introduced

1.167.6

Fixed

1.167.10

Affected versions

1.*

1.167.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-generator

Package

Name: @tanstack/router-generator; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-generator

Affected ranges

Type: SEMVER
Events: Introduced

1.166.45

Fixed

1.166.49

Affected versions

1.*

1.166.45

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-plugin

Package

Name: @tanstack/router-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.167.38

Fixed

1.167.42

Affected versions

1.*

1.167.38

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-ssr-query-core

Package

Name: @tanstack/router-ssr-query-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-ssr-query-core

Affected ranges

Type: SEMVER
Events: Introduced

1.168.3

Fixed

1.168.7

Affected versions

1.*

1.168.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-utils

Package

Name: @tanstack/router-utils; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-utils

Affected ranges

Type: SEMVER
Events: Introduced

1.161.11

Fixed

1.161.15

Affected versions

1.*

1.161.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-vite-plugin

Package

Name: @tanstack/router-vite-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-vite-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.166.53

Fixed

1.166.57

Affected versions

1.*

1.166.53

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router

Package

Name: @tanstack/solid-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.5

Fixed

1.169.9

Affected versions

1.*

1.169.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router-devtools

Package

Name: @tanstack/solid-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.16

Fixed

1.166.20

Affected versions

1.*

1.166.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router-ssr-query

Package

Name: @tanstack/solid-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.19

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start

Package

Name: @tanstack/solid-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.65

Fixed

1.167.69

Affected versions

1.*

1.167.65

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start-client

Package

Name: @tanstack/solid-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.50

Fixed

1.166.54

Affected versions

1.*

1.166.50

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start-server

Package

Name: @tanstack/solid-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.54

Fixed

1.166.58

Affected versions

1.*

1.166.54

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-client-core

Package

Name: @tanstack/start-client-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-client-core

Affected ranges

Type: SEMVER
Events: Introduced

1.168.5

Fixed

1.168.9

Affected versions

1.*

1.168.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-fn-stubs

Package

Name: @tanstack/start-fn-stubs; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-fn-stubs

Affected ranges

Type: SEMVER
Events: Introduced

1.161.9

Fixed

1.161.13

Affected versions

1.*

1.161.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-plugin-core

Package

Name: @tanstack/start-plugin-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-plugin-core

Affected ranges

Type: SEMVER
Events: Introduced

1.169.23

Fixed

1.169.27

Affected versions

1.*

1.169.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-server-core

Package

Name: @tanstack/start-server-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-server-core

Affected ranges

Type: SEMVER
Events: Introduced

1.167.33

Fixed

1.167.37

Affected versions

1.*

1.167.33

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-static-server-functions

Package

Name: @tanstack/start-static-server-functions; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-static-server-functions

Affected ranges

Type: SEMVER
Events: Introduced

1.166.44

Fixed

1.166.48

Affected versions

1.*

1.166.44

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-storage-context

Package

Name: @tanstack/start-storage-context; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-storage-context

Affected ranges

Type: SEMVER
Events: Introduced

1.166.38

Fixed

1.166.42

Affected versions

1.*

1.166.38

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/valibot-adapter

Package

Name: @tanstack/valibot-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/valibot-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.12

Fixed

1.166.16

Affected versions

1.*

1.166.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/virtual-file-routes

Package

Name: @tanstack/virtual-file-routes; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/virtual-file-routes

Affected ranges

Type: SEMVER
Events: Introduced

1.161.10

Fixed

1.161.14

Affected versions

1.*

1.161.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router

Package

Name: @tanstack/vue-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.5

Fixed

1.169.9

Affected versions

1.*

1.169.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router-devtools

Package

Name: @tanstack/vue-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.16

Fixed

1.166.20

Affected versions

1.*

1.166.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router-ssr-query

Package

Name: @tanstack/vue-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.19

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start

Package

Name: @tanstack/vue-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.61

Fixed

1.167.65

Affected versions

1.*

1.167.61

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start-client

Package

Name: @tanstack/vue-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.46

Fixed

1.166.50

Affected versions

1.*

1.166.46

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start-server

Package

Name: @tanstack/vue-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.50

Fixed

1.166.54

Affected versions

1.*

1.166.50

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/zod-adapter

Package

Name: @tanstack/zod-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/zod-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.12

Fixed

1.166.16

Affected versions

1.*

1.166.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/arktype-adapter

Package

Name: @tanstack/arktype-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/arktype-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.16

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/eslint-plugin-router

Package

Name: @tanstack/eslint-plugin-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/eslint-plugin-router

Affected ranges

Type: SEMVER
Events: Introduced

1.161.12

Fixed

1.161.13

Affected versions

1.*

1.161.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/eslint-plugin-start

Package

Name: @tanstack/eslint-plugin-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/eslint-plugin-start

Affected ranges

Type: SEMVER
Events: Introduced

0.0.7

Fixed

0.0.8

Affected versions

0.*

0.0.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/history

Package

Name: @tanstack/history; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/history

Affected ranges

Type: SEMVER
Events: Introduced

1.161.12

Fixed

1.161.13

Affected versions

1.*

1.161.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/nitro-v2-vite-plugin

Package

Name: @tanstack/nitro-v2-vite-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/nitro-v2-vite-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.154.15

Fixed

1.154.16

Affected versions

1.*

1.154.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router

Package

Name: @tanstack/react-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.8

Fixed

1.169.9

Affected versions

1.*

1.169.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router-devtools

Package

Name: @tanstack/react-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.19

Fixed

1.166.20

Affected versions

1.*

1.166.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-router-ssr-query

Package

Name: @tanstack/react-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.18

Fixed

1.166.19

Affected versions

1.*

1.166.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start

Package

Name: @tanstack/react-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.71

Fixed

1.167.72

Affected versions

1.*

1.167.71

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-client

Package

Name: @tanstack/react-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.54

Fixed

1.166.55

Affected versions

1.*

1.166.54

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-rsc

Package

Name: @tanstack/react-start-rsc; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-rsc

Affected ranges

Type: SEMVER
Events: Introduced

0.0.50

Fixed

0.0.51

Affected versions

0.*

0.0.50

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/react-start-server

Package

Name: @tanstack/react-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/react-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.58

Fixed

1.166.59

Affected versions

1.*

1.166.58

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-cli

Package

Name: @tanstack/router-cli; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-cli

Affected ranges

Type: SEMVER
Events: Introduced

1.166.49

Fixed

1.166.50

Affected versions

1.*

1.166.49

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-core

Package

Name: @tanstack/router-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-core

Affected ranges

Type: SEMVER
Events: Introduced

1.169.8

Fixed

1.169.9

Affected versions

1.*

1.169.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-devtools

Package

Name: @tanstack/router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.19

Fixed

1.166.20

Affected versions

1.*

1.166.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-devtools-core

Package

Name: @tanstack/router-devtools-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-devtools-core

Affected ranges

Type: SEMVER
Events: Introduced

1.167.9

Fixed

1.167.10

Affected versions

1.*

1.167.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-generator

Package

Name: @tanstack/router-generator; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-generator

Affected ranges

Type: SEMVER
Events: Introduced

1.166.48

Fixed

1.166.49

Affected versions

1.*

1.166.48

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-plugin

Package

Name: @tanstack/router-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.167.41

Fixed

1.167.42

Affected versions

1.*

1.167.41

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-ssr-query-core

Package

Name: @tanstack/router-ssr-query-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-ssr-query-core

Affected ranges

Type: SEMVER
Events: Introduced

1.168.6

Fixed

1.168.7

Affected versions

1.*

1.168.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-utils

Package

Name: @tanstack/router-utils; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-utils

Affected ranges

Type: SEMVER
Events: Introduced

1.161.14

Fixed

1.161.15

Affected versions

1.*

1.161.14

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/router-vite-plugin

Package

Name: @tanstack/router-vite-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/router-vite-plugin

Affected ranges

Type: SEMVER
Events: Introduced

1.166.56

Fixed

1.166.57

Affected versions

1.*

1.166.56

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router

Package

Name: @tanstack/solid-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.8

Fixed

1.169.9

Affected versions

1.*

1.169.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router-devtools

Package

Name: @tanstack/solid-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.19

Fixed

1.166.20

Affected versions

1.*

1.166.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-router-ssr-query

Package

Name: @tanstack/solid-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.18

Fixed

1.166.19

Affected versions

1.*

1.166.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start

Package

Name: @tanstack/solid-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.68

Fixed

1.167.69

Affected versions

1.*

1.167.68

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start-client

Package

Name: @tanstack/solid-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.53

Fixed

1.166.54

Affected versions

1.*

1.166.53

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/solid-start-server

Package

Name: @tanstack/solid-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/solid-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.57

Fixed

1.166.58

Affected versions

1.*

1.166.57

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-client-core

Package

Name: @tanstack/start-client-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-client-core

Affected ranges

Type: SEMVER
Events: Introduced

1.168.8

Fixed

1.168.9

Affected versions

1.*

1.168.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-fn-stubs

Package

Name: @tanstack/start-fn-stubs; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-fn-stubs

Affected ranges

Type: SEMVER
Events: Introduced

1.161.12

Fixed

1.161.13

Affected versions

1.*

1.161.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-plugin-core

Package

Name: @tanstack/start-plugin-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-plugin-core

Affected ranges

Type: SEMVER
Events: Introduced

1.169.26

Fixed

1.169.27

Affected versions

1.*

1.169.26

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-server-core

Package

Name: @tanstack/start-server-core; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-server-core

Affected ranges

Type: SEMVER
Events: Introduced

1.167.36

Fixed

1.167.37

Affected versions

1.*

1.167.36

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-static-server-functions

Package

Name: @tanstack/start-static-server-functions; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-static-server-functions

Affected ranges

Type: SEMVER
Events: Introduced

1.166.47

Fixed

1.166.48

Affected versions

1.*

1.166.47

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/start-storage-context

Package

Name: @tanstack/start-storage-context; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/start-storage-context

Affected ranges

Type: SEMVER
Events: Introduced

1.166.41

Fixed

1.166.42

Affected versions

1.*

1.166.41

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/valibot-adapter

Package

Name: @tanstack/valibot-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/valibot-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.16

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/virtual-file-routes

Package

Name: @tanstack/virtual-file-routes; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/virtual-file-routes

Affected ranges

Type: SEMVER
Events: Introduced

1.161.13

Fixed

1.161.14

Affected versions

1.*

1.161.13

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router

Package

Name: @tanstack/vue-router; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router

Affected ranges

Type: SEMVER
Events: Introduced

1.169.8

Fixed

1.169.9

Affected versions

1.*

1.169.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router-devtools

Package

Name: @tanstack/vue-router-devtools; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router-devtools

Affected ranges

Type: SEMVER
Events: Introduced

1.166.19

Fixed

1.166.20

Affected versions

1.*

1.166.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-router-ssr-query

Package

Name: @tanstack/vue-router-ssr-query; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-router-ssr-query

Affected ranges

Type: SEMVER
Events: Introduced

1.166.18

Fixed

1.166.19

Affected versions

1.*

1.166.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start

Package

Name: @tanstack/vue-start; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start

Affected ranges

Type: SEMVER
Events: Introduced

1.167.64

Fixed

1.167.65

Affected versions

1.*

1.167.64

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start-client

Package

Name: @tanstack/vue-start-client; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start-client

Affected ranges

Type: SEMVER
Events: Introduced

1.166.49

Fixed

1.166.50

Affected versions

1.*

1.166.49

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/vue-start-server

Package

Name: @tanstack/vue-start-server; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/vue-start-server

Affected ranges

Type: SEMVER
Events: Introduced

1.166.53

Fixed

1.166.54

Affected versions

1.*

1.166.53

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"

@tanstack/zod-adapter

Package

Name: @tanstack/zod-adapter; View open source insights on deps.dev
Purl: pkg:npm/%40tanstack/zod-adapter

Affected ranges

Type: SEMVER
Events: Introduced

1.166.15

Fixed

1.166.16

Affected versions

1.*

1.166.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-g7cv-rxg3-hmpx/GHSA-g7cv-rxg3-hmpx.json"