David
@lowvisiondave
visually impaired web developer | lover of punk rock | senior solutions architect @vercel

All firewall-mitigated traffic is now free on Vercel. Starting today, you aren't charged for requests that are denied, challenged, or rate-limited by Vercel Firewall. This extends free DDoS mitigation to rules you configure. vercel.com/changelog/web-…


Friday, April 10 → Friday, April 17
25 → 22
Another 12% decrease. Pretty good for a package that just crossed 13 million downloads this week. x.com/anthonysheww/s…

it's ready to try send me a dm or msg me on slack

We’ve released Next.js versions 16.2.6 and 15.5.18 with important security fixes. These fixes address multiple vulnerabilities across high, moderate, and low severity, including one upstream React issue. We strongly recommend upgrading as soon as possible. ⬇️






SECURITY ADVISORY — TanStack npm packages

A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.

Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.

If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile

Detection — the malicious manifest contains:
"optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." }
Any version with this entry is compromised.

The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).

Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.

Full technical breakdown, complete package and version list, and rolling status updates: github.com/TanStack/route…

Credit to the security researcher for responsible disclosure.



I went coding when programmers were making sometimes even less than at McDonald's. My first payroll was $100/mo and it was considered a good wage back then. It was never about money for me, it was about challenges, and it's sad to see people claiming the opposite.



NEW SERIES DROPS TOMORROW — join the watch party tomorrow at 3pm Pacific @itsthatladydev hosts a new series that explores just how much AI has impacted the "build vs. buy" conversation around SaaS by putting devs to the test to build popular SaaS tools, presented by @replayio






