Every pnpm install in CI is followed by pnpm audit:supply-chain,
which runs scripts/audit-supply-chain.mjs. It scans pnpm-lock.yaml
against a baked-in list of known-compromised package@version pairs
and exits non-zero on any hit.
pnpm install in CI uses --ignore-scripts. Lifecycle scripts run
only after the audit gate passes (pnpm rebuild). This prevents a
compromised tarball's prepare/postinstall from executing before
the audit notices it.
When a new advisory is published:
- Identify affected `package@version` pairs from the GHSA or vendor advisory.
- Append them to `KNOWN_BAD` in `scripts/audit-supply-chain.mjs`.
- Add a `# Source:` comment with the GHSA / CVE / blog URL.
- Run `pnpm audit:supply-chain` locally — it must pass before committing.
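
The lockfile gate and the `KNOWN_BAD` update step described above, as an added example (this is not the project's `scripts/audit-supply-chain.mjs`). The function names, advisory IDs, package names and lockfile excerpt are constructed placeholders. It assumes pnpm v6/v9-style `name@version` keys and uses a line scan instead of a YAML parser.

```javascript
// Constructed placeholder entries, not real advisories.
const KNOWN_BAD = new Map([
  // Source: https://example.invalid/advisories/PLACEHOLDER-0001
  ['@example/router@1.2.3', 'PLACEHOLDER-0001'],
  ['@example/router@1.2.4', 'PLACEHOLDER-0001'],
  // Source: https://example.invalid/advisories/PLACEHOLDER-0002
  ['left-example@0.9.0', 'PLACEHOLDER-0002'],
]);

// Constructed lockfile excerpt: quoted v9 keys, a v6 "/" key, a peer suffix.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  '@example/router@1.2.3':
    resolution: {integrity: sha512-CONSTRUCTED}
  /left-example@0.9.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  react@18.3.1:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  '@example/router@1.2.3(react@18.3.1)':
    dependencies:
      react: 18.3.1
`;

// Entry keys sit at two-space indent: optional quote, optional leading "/",
// name (optionally scoped), "@", version, optional "(peer@x)" suffix.
const KEY = /^ {2}'?\/?((?:@[^\/@\s]+\/)?[^@\s\/'(]+)@([^('\s:]+)(?:\([^']*\))?'?:\s*$/;

// Returns [{ pkg, source }] for every locked package@version in knownBad.
function auditLockfile(lockText, knownBad) {
  const hits = new Map(); // keyed by pkg so packages/snapshots dedupe
  let section = null;
  for (const line of lockText.split(/\r?\n/)) {
    const top = /^([A-Za-z]+):/.exec(line);
    if (top) { section = top[1]; continue; }
    if (section !== 'packages' && section !== 'snapshots') continue;
    const m = KEY.exec(line);
    if (!m) continue;
    const id = `${m[1]}@${m[2]}`;
    if (knownBad.has(id)) hits.set(id, knownBad.get(id));
  }
  return [...hits].map(([pkg, source]) => ({ pkg, source }));
}

// The gate fails closed: any hit means a non-zero exit status.
const exitCode = (hits) => (hits.length > 0 ? 1 : 0);

for (const h of auditLockfile(SAMPLE_LOCK, KNOWN_BAD)) console.log(`BLOCKED ${h.pkg} (${h.source})`);
```
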
| ID | Date | Packages | Notes |
|---|---|---|---|
| GHSA-g7cv-rxg3-hmpx | 2026-05-11 | 42 @tanstack/* packages, 84 versions | TanStack supply-chain incident. @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, @tanstack/store, @tanstack/start (meta) confirmed clean. |
Treat the install host as potentially compromised. Even a partial
install of a malicious tarball can run the prepare lifecycle script
before npm/pnpm errors out.
- Stop. Do not run further `pnpm`/`npm`/`yarn` commands on the host.
- Rotate credentials reachable from the host — AWS, GCP, Kubernetes,
  Vault, GitHub, npm, SSH. (Per GHSA-g7cv-rxg3-hmpx, the exfil channel
  is the Session/Oxen messenger network at
  `filev2.getsession.org` / `seed{1,2,3}.getsession.org`. End-to-end encrypted, so DNS/IP blocks are the only network mitigation.)
- Audit dotfiles that contained credentials:
  - `~/.npmrc`
  - `~/.git-credentials`
  - `~/.aws/credentials`
  - `~/.kube/config`
  - `~/.ssh/`
- Wipe and reinstall the workspace:
  ```sh
  rm -rf node_modules pnpm-lock.yaml
  pnpm store prune
  pnpm install --ignore-scripts
  pnpm audit:supply-chain
  pnpm rebuild
  ```
- Check your maintained npm packages — the GHSA-g7cv-rxg3-hmpx
  malware self-propagates by republishing other packages owned by the
  victim. Verify with
  `npm view <pkg> versions --json` that no unexpected version was published from your account.
The desktop app (apps/desktop) is a Tauri 2 shell. It executes the
rsmm Python CLI as a sidecar with a narrowly scoped allow-list in
src-tauri/capabilities/default.json. The webview cannot execute
arbitrary shell commands; only rsmm <args> invocations are permitted.
The API (apps/api) trusts only the origins enumerated in
TRUSTED_ORIGINS. Better Auth sessions are HTTP-only cookies; the
client sends them via credentials: 'include'.
The signed-PUT upload flow (/mods/upload) only issues URLs to
authenticated users and requires x-amz-checksum-sha256 matching the
declared body hash — the storage backend rejects mismatched uploads.
Email security@rsmm.dev (or, until that is provisioned, open a
private security advisory on the GitHub repo). Do not file public
issues for security reports.