Supply Chain Attack Defence
TomDoesTech, 12.05.2026, 1:40, 2,070 views, 49 likes

Video description
Postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
Socket.dev article: https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

🌎 Follow me here:
Discord: https://discord.gg/4ae2Esm6P7
X: https://x.com/tomdoes_tech
Instagram: https://www.instagram.com/tomdoestech
TikTok: https://www.tiktok.com/@tomdoes_tech
Bluesky: https://bsky.app/profile/tomdoestech.bsky.social
☕ Buy me a coffee: https://www.buymeacoffee.com/tomn

Contents (1 segment)

Segment 1 (00:00 - 01:00)

The TanStack is the latest victim in what is turning out to be quite a large supply chain attack that has affected at least 84 of the TanStack NPM packages. And so these supply chain attacks are only going to get worse and worse from So there is some services that you can use to help protect yourself from these supply chain attacks.

The one really simple thing that you can do right now is to set a minimum release age on your packages and to set the version to exact. So setting a minimum release age is going to say don't install a version of this package that isn't at least X days old. So in my configuration here, I have it set to 10 days. So it's saying if a package version is not at least 10 days old, then don't install that version of the package into my system. And so that is going to protect you against things like this TanStack one that was introduced about 5 days ago. So obviously the longer you set this period the better, but you do want to get updates every now and again. So I think 10 days is probably a good chance that these package versions are going to get caught within that time.

Setting the exact version means that you're not going to use NPM's semver. And so if you have it pinned to 1.2.3, you're going to install that exact version.

I'm using Bun as my package manager, so I'm going to set this in my bunfig.toml. But if you're using NPM, you're going to set this in your .npmrc and you're going to say save exact equals true and minimum release age. If you're using pnpm, you can do the same thing by setting save exact true and the minimum release age.

Make sure you do go and set this in all of your projects because even if you weren't a victim of this TanStack attack, you probably are going to be a victim of a supply chain attack in the future. If you're using NPM, it's just a matter of time.
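The two settings described above, minimum release age and exact pinning, are enforced by the package manager at install time. The following is an added example, not code from the video or from Bun, npm, pnpm or TanStack, that models the same rule offline so you can see exactly which version a 10-day window selects and why. It takes the registry metadata in the npm "packument" shape (`versions` plus a `time` map of publish timestamps); the package name, version numbers and dates in `SAMPLE_PACKUMENT` are constructed for the example, as is the reference date used as "now". Note the unit: this model takes days, whereas Bun's `bunfig.toml` setting is expressed in seconds and pnpm's in minutes, so convert before copying a number into real config.

```javascript
// Added example, not code from the video or from TanStack/Bun/npm/pnpm:
// a model of the "minimum release age" rule the speaker describes.
// Real package managers evaluate this against registry metadata at install
// time; here the metadata is a constructed packument (the npm registry's
// { versions, time } document shape), so the example runs offline.

const SAMPLE_PACKUMENT = {
  name: "example-pkg",                 // constructed, not a real package
  "dist-tags": { latest: "1.4.0" },
  versions: { "1.2.3": {}, "1.3.0": {}, "1.3.1": {}, "1.4.0": {} },
  time: {                              // publish timestamps, constructed
    created: "2026-03-01T00:00:00.000Z",
    modified: "2026-05-07T12:00:00.000Z",
    "1.2.3": "2026-03-01T00:00:00.000Z",
    "1.3.0": "2026-04-10T00:00:00.000Z",
    "1.3.1": "2026-04-28T00:00:00.000Z",
    "1.4.0": "2026-05-07T12:00:00.000Z", // 5 days before the sample "now"
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal x.y.z comparison; enough for the constructed data above.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest version published at least `minAgeDays` before `now`, or null when
// no version is old enough. A version with no publish timestamp is treated
// as "age unknown" and skipped, so the check fails closed rather than open.
function selectVersion(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = Object.keys(packument.versions)
    .filter((v) => {
      const published = packument.time[v];
      return published !== undefined && Date.parse(published) <= cutoff;
    })
    .sort(compareSemver);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// "save exact" means the manifest carries a bare x.y.z, not a ^ or ~ range.
function isExactSpec(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Names of dependencies whose spec would let the package manager float to a
// newer, possibly freshly compromised, release on the next install.
function auditDependencies(deps) {
  return Object.entries(deps)
    .filter(([, spec]) => !isExactSpec(spec))
    .map(([name]) => name);
}

// Stand-alone demo with a constructed reference date (the video's date).
function demo() {
  const now = new Date("2026-05-12T12:00:00Z");
  console.log("10-day rule selects:", selectVersion(SAMPLE_PACKUMENT, 10, now));
  console.log("no rule selects:    ", selectVersion(SAMPLE_PACKUMENT, 0, now));
  console.log("floating specs:     ", auditDependencies({ a: "1.0.0", b: "^2.0.0" }));
}
demo();
```

With the constructed data, a 10-day window skips `1.4.0` (published 5 days before the reference date) and resolves to `1.3.1`, which is the behaviour the speaker is relying on; with no window the same lookup returns `1.4.0`. The fail-closed handling of a missing timestamp is the edge case worth keeping in mind: if the age of a version cannot be established, the safe answer is to not install it.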
