Appreciate the tanstack postmortem, however the security issue as far as the rest of the npm ecosystem goes is still an ongoing concern, correct?
Is there evidence that any downstream packages that may have pulled/included tanstack packages should be considered safe?
NPM is getting all the attacks and attention because it is the biggest. But there's nothing language specific to this class of attacks.
Yes, that is clear. But in this particular instance the tanstack packages are downstream of a ton of other packages.
Tanstack infected a bunch of other packages; then resolving their issue doesn’t fix the widespread issue