security: pin @tanstack/history to 1.161.4 (GHSA-rmmr-r34h-pfm5, alert #29)

[vredchenko]

Summary

• Pins @tanstack/history to 1.161.4 via overrides in package.json, regenerates package-lock.json.
• Closes code-scanning alert #29 (GHSA-rmmr-r34h-pfm5, MAL-2026-3463).

Background

@tanstack/history@1.161.6 is flagged by osv-scanner as malware: the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The worm steals credentials and propagates itself to packages it can publish to.

It landed in our package-lock.json via a Dependabot bulk minor-bump on 2026-03-17 (commit 04e38da), as a transitive dep of @tanstack/react-router and @tanstack/router-core. Both still pin @tanstack/history: 1.161.6 in their latest 1.169.2 release — TanStack has not yet shipped a router patch that escapes the bad transitive, so an overrides block is the only available fix.

Why pin to 1.161.4 (not 1.161.5)

Version	Published	Status
1.161.4	2026-02-21 11:19 UTC	~3.5 weeks pre-incident — pin target
1.161.5	2026-03-15 15:30 UTC	Same publish window as the flagged release; not explicitly cleared
1.161.6	2026-03-15 22:42 UTC	Caught by GHSA >=0 blanket marker; not in OSV's explicit version list
1.161.9, 1.161.12	(unpublished from npm)	Explicitly listed as malicious in OSV

OSV's authoritative malicious-version list contains only 1.161.9 and 1.161.12. 1.161.6 was matched by the package-level >=0 marker, not an explicit content flag. Even so, the pin moves us back to a release pre-dating any suspect publish activity from the maintainer account.

Exposure assessment

For this branch's regenerated lockfile and node_modules:

• IoC scan across all of node_modules/ for known worm domains (git-tanstack.com, *.getsession.org, api.masscan.cloud) — clean.
• @tanstack/history@1.161.4 on disk inspected — no install scripts, no IoC strings, no obvious exfil patterns.

For the previous state (lockfile pinned 1.161.6 on main from 2026-03-17 onwards):

• The sha512 in the pre-fix package-lock.json matched the registry's current dist.integrity for 1.161.6 — no silent republish; the artifact installed was the one OSV examined.
• Static scan of that artifact prior to its removal: no child_process, eval, atob, Buffer.from(.., 'base64'), fromCharCode arrays, hard-coded IPs, or token-name strings.
• The package has no install / preinstall / postinstall scripts, so nothing executed during npm install itself.
• However, the code IS imported by @tanstack/react-router, which our apps import directly — so any npm run dev / npm run build between 2026-03-17 and now would have loaded the code in Node (Vite transforms) and emitted it into browser bundles.

Suggested actions for maintainers:

1. Audit CI runners: any GitHub Actions runs since 2026-03-17 that did npm install / npm ci against the unpinned lockfile loaded the suspect package. Review whether GITHUB_TOKEN, deploy keys, or other secrets were in those job environments. Ephemeral runners limit but don't eliminate risk.
2. Audit any preview deploys / artifact uploads of apps/smartem built between 2026-03-17 and today — the bundle would have included @tanstack/history@1.161.6; if it was served to a browser, the browser-side payload (if any) reached users.
3. Developer machines: anyone who ran npm install against main in this window should treat their workstation as having executed unverified code. Static-scan evidence is reassuring but not conclusive. Prudent to rotate session-bound credentials (PATs, npm tokens) used in that window from a different machine, per OSV's standard guidance for any flagged MAL- advisory.

Notes on osv-scanner

osv-scanner may still flag 1.161.4 on this PR because the OSV record uses a >= 0 SEMVER range (no fixed version). The explicit versions: ['1.161.12', '1.161.9'] list in the OSV record is the authoritative malicious set; the >= 0 range is a precautionary blanket pending vendor cleanup. If the scan fails, the documented dismissal path is an osv-scanner.toml entry:

[[IgnoredVulns]]
id = "MAL-2026-3463"
reason = "Pinned to 1.161.4 (pre-incident, 2026-02-21). OSV explicit version list is 1.161.9/12; >=0 range is package-level marker, not content-flagged. IoC scan clean."

Not added here — leaving for maintainers to decide.

Test plan

• npm install regenerates lockfile with @tanstack/history@1.161.4 only (lockfile entries for parent deps still list 1.161.6 in their dependencies metadata; resolution is via override).
• npm run dev:smartem:mock — Vite v8 dev server boots in ~1.2 s, no errors.
• osv-scanner CI on this PR — see "Notes on osv-scanner" above if it fails.
• Manual smoke of routing in a browser after merge.

Out of scope

• Long-term: bump to a fixed @tanstack/react-router when upstream releases one that escapes the bad transitive history, then drop the override.