After cyberattacks: TanStack considers restrictions for pull requests
TanStack tightens security measures after supply chain attacks. Pull requests may soon only be possible by invitation.
- Manuel Masiero
In response to the recent supply chain attacks, TanStack has tightened its internal security measures. The provider of JavaScript/TypeScript libraries is also weighing a further step: in future, pull requests might only be accepted by invitation.
As part of the Mini Shai-Hulud attack wave that has been running since the end of April, cybercriminals have also targeted TanStack, publishing numerous @tanstack/* packages laced with credential stealers on the JavaScript package registry npm.
At TanStack, a manipulated pull request (PR) served as the attack vector. The repository's CI ran the PR via the pull_request_target event, which executes a workflow with the base repository's permissions and secrets; a workflow that then checks out and runs code from the PR head hands the attacker that privileged context, and anything it writes to the GitHub Actions cache is restored by later, trusted workflow runs. The wave has since also spread to the AntV ecosystem of Ant Group.
Countermeasures
In its blog, TanStack writes that it acted too carelessly, especially since GitHub has been warning about the security risks of pull_request_target for years. TanStack has now removed that event trigger from its CI and replaced it with the GitHub-recommended workflow_run pattern, in which the untrusted PR build runs without secrets and a separate, privileged workflow acts on its results afterwards. Furthermore, all pnpm and GitHub Actions caches have been deactivated, all actions are pinned to fixed commit SHAs instead of mutable tags, and SMS as a 2FA method has been disabled on the npm and GitHub accounts.
As additional security measures, TanStack intends to make the static analysis tool zizmor a mandatory PR check for all repositories and to use a CODEOWNERS file for the .github folders, so that changes to workflows require review by core maintainers. In addition, the pnpm setup cache is being replaced by actions/cache/restore, whose significantly more conservative default behaviour (restoring a cache without writing one back) is intended to make cache poisoning harder.
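The vulnerable and hardened workflow patterns described above, shown as an added example: this is not TanStack's own workflow files, which the article does not reproduce. Document 1 is the pull_request_target pattern that checks out and runs PR code with a cache shared with trusted runs; documents 2 and 3 split that into an unprivileged pull_request workflow and a privileged workflow_run follow-up, with pinned actions, a restore-only cache and a zizmor check. Everything beyond the GitHub Actions syntax is assumed: the workflow and artifact names, the pnpm store path, the zizmor invocation, and the `<full-commit-sha>` placeholders, which stand for the real 40-character commit pinned in place of a version tag.

```yaml
# ===== 1. Vulnerable pattern (illustrative, NOT TanStack's actual workflow) =====
# .github/workflows/ci.yml
name: CI
on:
  pull_request_target:        # runs in the BASE repo's context: write-capable token + secrets
    types: [opened, synchronize, reopened]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag, not a pinned commit
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the attacker's code ...
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm          # restores AND saves a cache keyed to the base branch
      - run: pnpm install      # ... and executes it: lifecycle scripts, pnpm config, rc files
      - run: pnpm test
# Anything this run writes to the cache is scoped to the base branch, so later trusted
# runs (release builds, publishes) restore the attacker's files without any review.
---
# ===== 2. Hardened pattern, untrusted half =====
# .github/workflows/pr.yml  (runs with the PR's own contents, so it must be unprivileged)
name: PR checks
on:
  pull_request:               # fork PRs get a read-only token and no repository secrets
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>    # placeholder: pin the real 40-char SHA, note the tag in a comment
      - uses: pnpm/action-setup@<full-commit-sha>
      - uses: actions/setup-node@<full-commit-sha>
        with:
          node-version: 22     # no `cache:` input, so this run never writes a cache
      - uses: actions/cache/restore@<full-commit-sha>   # restore-only: reads a cache, never saves one
        with:
          path: ~/.local/share/pnpm/store             # assumed pnpm store location
          key: pnpm-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
      - name: Lint the workflow files themselves
        run: pipx run zizmor .                        # assumed invocation; zizmor is published on PyPI
      - uses: actions/upload-artifact@<full-commit-sha>
        with:
          name: pr-results                            # assumed artifact name
          path: test-results/                         # data for the privileged half, never code to execute
---
# ===== 3. Hardened pattern, privileged half =====
# .github/workflows/pr-followup.yml  (the DEFAULT branch's copy of this file always runs, never the PR's)
name: PR follow-up
on:
  workflow_run:
    workflows: ["PR checks"]
    types: [completed]
permissions:
  pull-requests: write        # only what commenting needs; still no checkout of PR code
jobs:
  comment:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<full-commit-sha>
        with:
          name: pr-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Treat the artifact strictly as data (parse it, post a comment); never execute it.
```

Pair this with a `.github/CODEOWNERS` entry such as `/.github/ @your-org/core-maintainers` (hypothetical team name) and branch protection that requires code-owner review, so that the workflow files themselves cannot be changed through an unreviewed PR. The split in documents 2 and 3 is the point of workflow_run: the half that sees untrusted code has no secrets and cannot write, and the half that has secrets never runs anything from the PR.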
Isolation as a Solution?
Least settled at TanStack is another measure under discussion: whether external contributors should no longer be allowed to open pull requests against TanStack repos at all. A deterrent effect is feared, since the classic path from user to committer to maintainer usually begins with opening a PR and having it reviewed. As TanStack admits, this measure would not have helped against the supply chain attack, in which a malicious PR was executed in CI.
(mro)