Kevin Thomas Van Cott

3.7K posts


@KevinVanCott

Sometimes called Kevin Vandy. Software Engineer and OSS maintainer. Creator of material-react-table and mantine-react-table. TanStack maintainer.

Nebraska · Joined November 2012
850 Following · 2.9K Followers
Kevin Thomas Van Cott reposted
Manuel Schiller @schanuelmiller
TanStack Start now supports Vite’s experimental bundled dev mode. Enable it with: `experimental: { bundledDev: true }`. Give it a try and let us know how it performs in your apps!
Kevin Thomas Van Cott @KevinVanCott
@claudiucjc I am. And we're using Socket. We have strict pnpm dep rules now too, and it was highlighting a few false-positives, so I was manually inspecting those before running my full local pnpm install.
Kevin Thomas Van Cott @KevinVanCott
I'm at the point where I'm manually inspecting the code of every dependency on NPM on every package upgrade today...
Aiden Bai @aidenybai
Security update: We found a malicious payload in aidenybai/million and reverted it. npm or published users are NOT affected. The risk is limited to dev-only: if you cloned the repo locally and opened it with VSCode (+forks) or Claude Code.
Adnan Khan @adnanthekhan (quoted):

The aidenybai/million repository is compromised with Shai-Hulud. It injected a malicious claude settings file which adds a hook that runs the full Shai-Hulud payload. @aidenybai please revert this commit. github.com/aidenybai/mill…

Kevin Thomas Van Cott @KevinVanCott
@caspian_ji If it's only a landing site with no interactivity, probably just Astro still. But if the site would ever evolve into anything more, I just "start" with TanStack
std dev @subproject_22
Picking new name
Kevin Thomas Van Cott @KevinVanCott
@SocketSecurity This article also mentions the TanStack router packages again, but just want to be clear that that's just from last week and is resolved. Publish dates of 5-11
Socket @SocketSecurity
UPDATE: So far we've identified 639 compromised npm package versions across 323 unique packages in tonight’s Mini Shai-Hulud wave. That includes 558 versions across 279 unique @antv packages. Most were detected within ~6 minutes of publication. socket.dev/blog/antv-pack…
Socket @SocketSecurity
🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem. The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.
Kevin Thomas Van Cott reposted
Adam Rackis @AdamRackis
My TanStack RSC post should be out Monday. I can't wait to share this one. I hate that the Next implementation soured everyone to RSC. It's actually a really cool, niche feature that can come in handy, occasionally. And TanStack's implementation is extremely nice.
Vectime @V4ctim3
@KevinVanCott @tan_stack Thanks for the answer. Still, it would be good to post it directly on the blog (full list). The last two articles are quite cryptic. The user should be sure beyond a doubt, not have to look for it himself in discussions and on X. Tanstack is not a garage project. 😉
TANSTACK @tan_stack
30 seconds of spinners is not great UX. 🌀 @tanstack/ai now streams structured output straight into useChat. Pass a Zod schema, get a typed `partial` and `final` for free. ✨ Blog post link below 👇
Kevin Thomas Van Cott reposted
TANSTACK @tan_stack
After a very thorough 3 day full security sweep and hardening process, we'd like to issue an official all clear ✅ on TanStack repo and package security. Full details have been updated in our post-mortem and security followup blog (linked below).

TL;DR:
- Only the Router/Start repo was affected. 42 monorepo packages, 2 versions per package. These were promptly deprecated within the hour and removed by NPM shortly after.
- All other repos and packages were unaffected and remain secure, including: Query, DB, Store, AI, Table, Form, HotKeys, Virtual, Pacer, Config, Devtools, CLI, Intent, etc.
- All available and published versions of every TanStack package are safe to download, including TanStack Router/Start.

tanstack.com/blog/npm-suppl… tanstack.com/blog/incident-…
Kevin Thomas Van Cott @KevinVanCott
@V4ctim3 @tan_stack Only TanStack Router packages were affected during a 20 minute period on Monday. They've been safe to install since we deprecated the infected versions. All TanStack packages outside of Router/Start (like Query, Table, Form, AI, etc.) were never affected and are safe.
Vectime @V4ctim3
@tan_stack I still miss an official statement that all Tanstack packages are clean and safe to use after the SC attack. Installing Tanstack packages without verifying their purity after such an attack doesn't seem so trivial to me, you know.😀 (TS AI wasn't even on the *list in Postmortem)
Kevin Thomas Van Cott @KevinVanCott
@kentcdodds That would personally make me a bit sad. We're keeping Nebraska JS as all things web focused. Half of our meetups might include AI these days, but there's still a lot of really interesting topics to talk about in the JavaScript ecosystem itself.
Kent C. Dodds 🏹 @kentcdodds
The Utah React meetup has been converted to an "AI Native Engineering" meetup. This is a signal.
Kevin Thomas Van Cott @KevinVanCott
One of the things that I'm really excited about for TanStack Table V9 is the return of Table Devtools! Maintaining devtool packages used to be such a pain, but @AlemTuzlak's work on TanStack Devtools made this so much easier going forward. What should we add to table devtools?
Tejas Kumar @TejasKumar_
i goon to cloudflare
Kevin Thomas Van Cott reposted
Tanner Linsley @tannerlinsley
Many recent TanStack Router versions from earlier today were compromised via a Mini Shai-Hulud Supply-Chain Attack. We've already unpublished affected versions and are still taking every action possible to secure our publishing pipelines. Luckily there's a lot of maintainers and talented people working on the issue. Follow the @Tan_Stack account or the tweet below for ongoing updates.
TANSTACK @tan_stack (quoted):

SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.
