TanStack Considers Invitation-Only PRs After Supply Chain Breach

The TanStack team is weighing drastic measures, including invitation-only pull requests, following a supply chain attack that exploited a GitHub Actions misconfiguration. The Shai-Hulud worm extracted secrets from memory during automated workflows triggered by pull_request_target (a trigger that runs with the base repository's secrets even for pull requests from forks), poisoning a cache shared across the repository. TanStack has removed all use of pull_request_target, disabled caches, and pinned actions to commit SHAs.
The proposal to close external contributions would be a break from open-source norms, and highlights the tension between supply chain security and open contribution models.
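As an added example (not code from TanStack or from the source report), the following stdlib-only Python audit flags the workflow patterns named above: a pull_request_target trigger, PR head code checked out under that trigger, a cache in that job, and action references not pinned to a full commit SHA. It runs over two constructed workflows, one with the risky configuration and one with the hardened counterpart (pull_request trigger, no cache, SHA-pinned action). The workflow contents, the all-zero placeholder SHA and the finding texts are assumptions made for illustration.

```python
"""Audit GitHub Actions workflow text for the weaknesses behind the incident
described above.  Stdlib only: PyYAML would parse the bare `on:` key as the
boolean True, so a line-oriented scan is simpler and good enough here.
Both sample workflows are constructed for this example, not real files."""
import re

# Constructed sample: the risky pattern.  pull_request_target exposes secrets
# to the job, the PR head is checked out and executed, and a cache keyed only
# on a lockfile hash is shared with trusted runs.  Action refs are mutable tags.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""

# Constructed sample: the hardened counterpart.  pull_request gives fork PRs
# no secrets, the cache step is gone, and the action is pinned to a commit.
# The 40-zero SHA is a placeholder, not a real commit; pin the hash you reviewed.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder
      - run: npm ci && npm test
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)


def strip_comments(text: str) -> str:
    """Drop YAML `#` comments so commented-out lines do not produce findings."""
    return "\n".join(re.sub(r"\s*#.*$", "", ln) for ln in text.splitlines())


def audit_workflow(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    body = strip_comments(text)
    findings: list[str] = []
    if re.search(r"\bpull_request_target\b", body):
        findings.append("trigger: pull_request_target runs with base-repo secrets even for fork PRs")
        if re.search(r"github\.event\.pull_request\.head\.(sha|ref)", body):
            findings.append("checkout: PR head checked out in a pull_request_target job, "
                            "so untrusted code runs with secrets")
        if re.search(r"uses:\s*actions/cache@", body):
            findings.append("cache: actions/cache in a pull_request_target job; a cache written "
                            "by untrusted code is restored by trusted runs")
    for match in USES_RE.finditer(body):
        ref = match.group(1)
        if "@" not in ref:
            continue  # local (./path) or docker:// actions carry no git ref
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(f"unpinned: {ref} (a tag or branch can be moved; pin the full commit SHA)")
    return findings


if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = audit_workflow(wf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run as a script it reports five findings for the risky workflow and none for the hardened one; pointing `audit_workflow` at the contents of each file under `.github/workflows/` gives a quick repository-wide check before relying on invitation-only contributions as the control.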
Open sources - closed narratives
Source: Telegram "sitreports"