
blog: refine incident timeline + all-clear banner; smoke: stabilize via TANSTACK_DOCS_USE_REMOTE #924

Merged
tannerlinsley merged 2 commits into main from taren/vigilant-williamson-46a8b0
May 15, 2026

Conversation

@tannerlinsley
Member

Summary

  • Postmortem (npm-supply-chain-compromise-postmortem.md): corrected the timeline using verified GitHub/npm/shell-history timestamps. Key corrections: PR #7369 was merged 2026-05-09 (the 19:15 UTC May 11 event was a workflow re-run, not a fresh merge); StepSecurity issue opened at 19:46:46 UTC; deprecation actually ran in three phases at 20:19 / 20:41 / 21:03 UTC (not a single ~21:00 batch); the npm-side tarball removal window 22:13–23:55 UTC was reattributed to npm acting on the StepSecurity notification; formal IOC email to npm/GitHub Security went out at 05:02 UTC May 12 (not ~20:30 UTC May 11). Added a Response timing table, an all-clear status banner, a link to the companion followup, and a Changelog section.
  • Followup (incident-followup.md): corrected package count (14 → 42) and registry-exposure window ("about 20 min" → "20 to 26 min") to match verified data. Added the all-clear status banner and a Changelog section.
  • Smoke tests (tests/smoke.ts): docs routes were flaky in worktrees because ../../../../{repo} sibling resolution doesn't reach ~/GitHub/{repo} from inside .claude/worktrees/. Smoke now probes the existing dev server's docs route, and if it can't serve them, spawns its own dev server with TANSTACK_DOCS_USE_REMOTE=1 so docs lookups fetch from raw.githubusercontent.com via the existing fork point in shouldUseLocalDocsFiles().

Test plan

  • All 10 smoke tests pass locally (home, blog index, blog post, ethos, query/router/table docs, 3 OG images)
  • Pre-commit hooks pass (format, content:build, tsc, lint, smoke)
  • Visually verify both blog posts render correctly in the live preview after deploy

- Postmortem: corrected timeline using verified GitHub/npm/shell-history timestamps (PR #7369 merge date, StepSecurity issue time, two-phase deprecation, npm-side removal attribution, IOC email time), reformatted date columns, added Response timing table, all-clear status banner, link to companion followup, and a Changelog section.
- Followup: corrected package count (14 → 42) and registry-exposure window to match verified data; added all-clear status banner and Changelog section.
- Smoke: added in-repo routes (blog index, blog post, ethos) against localhost and kept the library docs routes pointed at https://tanstack.com so they don't depend on sibling repo clones.
… compatibility

Sibling-repo filesystem lookup (../../../../{repo} in documents.server.ts)
breaks from worktrees and fresh machines. Instead of testing against an
unreliable local docs path or hitting prod URLs, smoke now probes the
existing dev server's docs route — and if it can't serve them, spawns
its own dev server with TANSTACK_DOCS_USE_REMOTE=1 so docs lookups fetch
from raw.githubusercontent.com via the fork point that already exists in
shouldUseLocalDocsFiles().

@tannerlinsley tannerlinsley merged commit e52cd18 into main May 15, 2026
8 checks passed
@tannerlinsley tannerlinsley deleted the taren/vigilant-williamson-46a8b0 branch May 15, 2026 19:52