supply chain / tanstack-nitro-v2-vite-plugin

TanStack Nitro Vite Plugin

registrynpm

package name@tanstack/nitro-v2-vite-plugin

maintainerTanStack

The TanStack Nitro Vite Plugin integrates the Nitro server engine into TanStack Start's Vite build pipeline, enabling server-side rendering, API routes, and deployment adapters for platforms like Cloudflare Workers, Vercel, and Node.js.

api usage

Checking TanStack Nitro Vite Plugin

@tanstack/nitro-v2-vite-plugin 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40tanstack%2Fnitro-v2-vite-plugin&version=1.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@tanstack/nitro-v2-vite-plugin",
  "version": "1.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Server engine integration plugins control how server-side code is compiled and bundled. A compromised plugin can inject code into server bundles that runs in production with access to all server-side environment variables and request data.

Attestd monitors @tanstack/nitro-v2-vite-plugin using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TanStack React Start TanStack Router Plugin Response fields