supply chain / tanstack-react-router-devtools

TanStack React Router Devtools

registrynpm

package name@tanstack/react-router-devtools

maintainerTanStack

TanStack React Router Devtools provides a browser panel for inspecting routing state, matched routes, and loader data in TanStack React Router applications. Like other devtools packages, it is intended for development environments but is sometimes included in production builds.

api usage

Checking TanStack React Router Devtools

@tanstack/react-router-devtools 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40tanstack%2Freact-router-devtools&version=1.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@tanstack/react-router-devtools",
  "version": "1.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Development tooling packages bundled into production have access to application state that application code may not expect to be exposed. A malicious devtools package can serialize and exfiltrate route state, loader data, and navigation history from the client.

Attestd monitors @tanstack/react-router-devtools using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TanStack React Router TanStack Router Devtools Core Response fields