This release includes 1 security fix and is relevant to security teams reviewing exposed deployments.
ReleasePort's take
The release of tanstack-compromise-checker v1.2.0 addresses GHSA-g7cv-rxg3-hmpx and ships a signed Docker image and a signed script so that artifact integrity can be verified before use.
Why it matters: Patch to v1.2.0 promptly to mitigate the addressed vulnerability, and verify the signed image and script before running them to confirm artifact integrity.
Summary
AI summary: GHSA-g7cv-rxg3-hmpx, vulnerability addressed in tanstack-compromise-checker v1.2.0.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Enforces Docker image provenance signing and verification. | — |
| Security | High | Implements Sigstore keyless signature verification for the script. | — |
| Security | Medium | Signed Docker image and script ensure integrity. | — |
| Security | Medium | Provides checksum verification for the script download. | — |
| Feature | Low | Adds GitHub Action workflow for scanning. | — |
All rows are machine-generated (Source: granite4.1:30b@2026-05-22-audit for four rows, llm_adapter@2026-05-22 for the third) and each is marked Confidence: low.
Full changelog
tanstack-compromise-checker v1.2.0
Verify before running — this is a security tool, treat it like one.
One-liner (bash, with checksum verification)

```bash
TAG=v1.2.0
curl -fsSLO https://github.com/fabriziosalmi/tanstack-compromise-checker/releases/download/$TAG/check.sh
curl -fsSLO https://github.com/fabriziosalmi/tanstack-compromise-checker/releases/download/$TAG/check.sh.sha256
sha256sum -c check.sh.sha256 && bash check.sh
```

Docker (works on macOS, Linux, Windows)

```bash
docker run --rm -v "$PWD":/scan ghcr.io/fabriziosalmi/tanstack-compromise-checker:1.2.0 /scan true fail tanstack-findings.json '' GHSA-g7cv-rxg3-hmpx
```

GitHub Action

```yaml
- uses: fabriziosalmi/[email protected]
  with:
    scan-dir: .
    online: 'true'
```

Image provenance is signed; verify with:

```bash
gh attestation verify oci://ghcr.io/fabriziosalmi/tanstack-compromise-checker:1.2.0 --repo fabriziosalmi/tanstack-compromise-checker
```

Script signature (Sigstore keyless, bound to this workflow):

```bash
cosign verify-blob \
  --bundle check.sh.sigstore.json \
  --certificate-identity-regexp 'https://github.com/fabriziosalmi/tanstack-compromise-checker/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  check.sh
```
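The checksum and Sigstore checks above combined into one fail-closed wrapper that never executes check.sh unless both pass. This is an added example, not the project's own script; it assumes curl, sha256sum and cosign are on PATH, and it assumes check.sh.sigstore.json is downloadable from the same release URL as check.sh (the notes name the bundle but not where it is fetched from).

```shell
#!/usr/bin/env bash
# Added example (not from the project): fetch check.sh for v1.2.0 and run it
# only after both the checksum and the Sigstore signature verify.
# Assumption: the bundle check.sh.sigstore.json is a release asset next to check.sh.
set -eu

REPO="fabriziosalmi/tanstack-compromise-checker"
TAG="${TAG:-v1.2.0}"
BASE="https://github.com/$REPO/releases/download/$TAG"

# verify_checksum FILE SUMFILE: succeed only if SUMFILE carries a digest line
# for FILE itself and that digest matches. A .sha256 naming some other artifact
# (or no file at all) fails closed instead of silently checking the wrong thing.
verify_checksum() {
  grep -qE "[[:space:]]\*?$1\$" "$2" || return 1
  sha256sum --check --strict --quiet "$2"
}

# verify_signature FILE BUNDLE: Sigstore keyless check pinned to this repo's
# release workflow identity and the GitHub Actions OIDC issuer.
verify_signature() {
  cosign verify-blob \
    --bundle "$2" \
    --certificate-identity-regexp "https://github.com/${REPO}/\\.github/workflows/release\\.yml@.*" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$1"
}

main() {
  for f in check.sh check.sh.sha256 check.sh.sigstore.json; do
    curl -fsSLO "$BASE/$f"
  done
  verify_checksum check.sh check.sh.sha256      # set -e aborts here on mismatch
  verify_signature check.sh check.sh.sigstore.json
  bash check.sh                                 # reached only if both checks pass
}

# Run the pipeline only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```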
Full Changelog: https://github.com/fabriziosalmi/tanstack-compromise-checker/compare/v1.1.2...v1.2.0
Security Fixes
- GHSA-g7cv-rxg3-hmpx — vulnerability addressed in tanstack-compromise-checker v1.2.0