supply chain / tanstack-eslint-plugin-start

TanStack ESLint Plugin (Start)

registrynpm

package name@tanstack/eslint-plugin-start

maintainerTanStack

The TanStack Start ESLint plugin provides lint rules specific to TanStack Start server functions and RSC boundaries, enforcing correct use of `use server` and `use client` directives.

api usage

Checking TanStack ESLint Plugin (Start)

@tanstack/eslint-plugin-start 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40tanstack%2Feslint-plugin-start&version=1.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@tanstack/eslint-plugin-start",
  "version": "1.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

ESLint plugins have read access to every file they lint, including server function definitions that may contain database query patterns, authentication logic, and service credentials as constants.

Attestd monitors @tanstack/eslint-plugin-start using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TanStack React Start ESLint Response fields