TanStack weighs invitation-only pull requests after supply chain attack

Shai-Hulud worm exploited GitHub Actions misconfiguration to poison shared cache, now project weighing nuclear option on unsolicited contributions
The TanStack team has documented security measures and proposals following a damaging breach last week, including the possibility of making pull requests
(PRs) by invitation only – a break from the open-contribution model that defines most open source projects.
The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from the memory of a GitHub Actions runner. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target event, causing the malicious code to be built and run by a GitHub Action, which in turn poisoned a cache shared across the entire repository.
The TanStack team said that its workflow used a pattern GitHub warns against: pull_request_target is intended for PRs that "do not require dangerous processing, say building or running the content of the PR." Unlike the plain pull_request event, pull_request_target runs in the context of the base repository, so a workflow that checks out and executes a fork's code under it does so with the base repository's secrets and a write-capable token in reach.
Since the attack, TanStack has removed all use of pull_request_target from its continuous integration (CI) pipeline, disabled the caches used by pnpm (a Node.js package manager) and GitHub Actions, pinned third-party actions to full commit SHA (Secure Hash Algorithm) hashes rather than retargetable tags, and disabled SMS as a two-factor authentication method.
The TanStack repository also now uses a feature of pnpm 11 called minimumReleaseAge, which requires a dependency version to have been published for a set period before it can be installed. The rationale is that a compromised package version is usually detected and pulled from the registry within hours, so a cooling-off period stops CI from installing a freshly published malicious version before anyone has noticed it.
A more drastic proposal is closing the
ability for external contributors to open pull requests at all. “We are absolutely
not going closed source,” the team said, but it could put in place a mechanism
where contributions begin with an issue or discussion, and a PR can be
submitted only by invitation.
TanStack acknowledged that it would be a radical step to take as “open PRs are part of how a lot of us became maintainers in the first
place.” It might not be necessary if the repository can be hardened enough that
malicious PRs cannot cause damage.
It is a debate that maintainers of other open source
projects will watch with interest. Supply chain security is a huge issue, but making
pull requests invitation-only could hurt projects by deterring contributions.
Another aspect of this is the extent to which GitHub itself is to blame. "Cache scoping in GitHub Actions shouldn't silently bridge fork PRs and base-repo branches," said the TanStack team.
Source: www.theregister.com…
