Lock your dependency to prevent supply-chain attacks

DEV Community·Anwar Nairi·20 days ago

If you followed recent news, a new supply-chain attack affected recent versions of several TanStack packages. This article proposes a simple approach to reduce the likelihood and impact of this kind of security breach in your applications.

Summary

What is a supply-chain attack?
What happened?
Why did it affect other projects?
How version locking reduces risks
Limitations of this solution
Conclusion

What is a supply-chain attack?

A software package depends on multiple elements throughout its lifecycle:

Developer -> Computer -> GitHub Repository -> Package Registry (NPM)

A supply-chain attack happens when one of these elements is compromised, allowing malicious code to propagate through the rest of the chain. In practice, this often means an attacker manages to inject malicious code into a package that many other projects depend on.

What happened?

An attacker submitted a malicious pull request targeting one of the TanStack packages. The pull request contained hidden malicious JavaScript code.…
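As an added example (not code from the article), one concrete way to check whether a project's direct dependencies are actually locked: a small Node script that classifies each version specifier in a package.json as an exact pin or a floating range. The sample manifest is constructed, and the names classifySpec and auditManifest are mine, not the author's.

```javascript
// Added example: flag dependencies in a package.json that are not pinned to an
// exact version. A floating range ("^1.2.3", "~1.2.3", ">=1.0.0", "*", "latest")
// lets a freshly published malicious release be installed on the next install;
// an exact pin ("1.2.3") only moves when a human changes it.
// Assumption: specifiers use standard npm semver range syntax.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify one version specifier: "pinned", "floating" or "unknown".
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_SEMVER.test(s)) return "pinned";
  // Git, file, workspace and tarball specs are not registry ranges; report them
  // separately so a reviewer can inspect them by hand.
  if (/^(file:|link:|workspace:|git|https?:|github:)/.test(s) || s.includes("/")) {
    return "unknown";
  }
  // Anything else npm accepts as a range (including "" and dist-tags) floats.
  return "floating";
}

// Walk the dependency sections of a parsed package.json and collect findings.
function auditManifest(manifest, sections = ["dependencies", "devDependencies", "optionalDependencies"]) {
  const findings = { pinned: [], floating: [], unknown: [] };
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      findings[classifySpec(spec)].push({ section, name, spec });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project) for demonstration.
const SAMPLE_MANIFEST = {
  dependencies: {
    "example-ui-lib": "^5.0.0",
    "example-padding": "1.3.0",
    "example-cli-tool": "latest",
    "local-lib": "file:../local-lib",
  },
  devDependencies: { "typescript": "~5.4.0", "eslint": "9.0.0" },
};

const report = auditManifest(SAMPLE_MANIFEST);
for (const f of report.floating) {
  console.log(`FLOATING  ${f.section}/${f.name} = ${f.spec}`);
}
```

Pinning in package.json covers only direct dependencies; transitive ones are fixed by a committed lockfile installed with `npm ci`, which refuses to deviate from package-lock.json.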
