TanStack React Start (server)
npm@tanstack/react-start-serverTanStack React Start Server handles the Node.js server runtime for TanStack Start applications, providing request handling, server function dispatch, and SSR rendering. It runs in the server process that receives incoming HTTP requests and has access to all server-side environment variables.
Checking TanStack React Start (server)
@tanstack/react-start-server 1.56.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.
curl "https://api.attestd.io/v1/check?product=%40tanstack%2Freact-start-server&version=1.56.0" \
-H "Authorization: Bearer YOUR_API_KEY"{
"product": "@tanstack/react-start-server",
"version": "1.56.0",
"supported": true,
"risk_state": "none",
"supply_chain": {
"compromised": false,
"sources": [],
"malware_type": null,
"description": null,
"advisory_url": null,
"compromised_at": null,
"removed_at": null
},
"last_updated": "2026-05-01T00:00:00Z"
}Why this package is monitored
Server runtime packages process every incoming request before any route handler or middleware runs. A compromised server runtime package has access to all request bodies, cookies, and authorization headers across the application.
Attestd monitors @tanstack/react-start-server using the following detection sources:
registryManually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.
osvOSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.
npm_deprecationnpm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.