supply chain / tanstack-react-start-client

TanStack React Start (client)

registrynpm

package name@tanstack/react-start-client

maintainerTanStack

TanStack React Start Client provides the browser-side runtime for TanStack Start, handling client hydration, router initialization, and client-side navigation. It is the entry point loaded in the browser for TanStack Start applications.

api usage

Checking TanStack React Start (client)

@tanstack/react-start-client 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=%40tanstack%2Freact-start-client&version=1.56.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "@tanstack/react-start-client",
  "version": "1.56.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Client-side runtime packages run in the browser with access to localStorage, cookies, and any in-memory authentication state. A compromised version can harvest session tokens and authentication data from the client environment.

Attestd monitors @tanstack/react-start-client using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TanStack React Start TanStack React Router Response fields