TanStack Query is not the loudest part of TanStack right now. That is the point. The Query repo has 49,504 stars, 30 GitHub releases in 90 days, a 96 shipping score, and a 94 ToolVitals score while the wider TanStack project is pushing AI, Virtual, Start, and security hardening in public.
That is a useful signal for teams choosing boring infrastructure. Query does server-state and async state management for TS and JS apps across React, Solid, Svelte, and Vue. The official site frames TanStack as an open-source application stack for the web, and the Query repo is MIT licensed. ToolVitals classifies it as OSI-approved open source.
The interesting signal is not just Query
The recent first-party posts are mostly about TanStack as a platform, not only TanStack Query. That matters because Query sits inside a broader set of headless, type-safe libraries that are moving fast.
In late April and May, TanStack published work on AI audio generation, AG-UI compatibility, structured output streaming, multi-turn structured output, RSC composition models, and TanStack Virtual performance. The Virtual post claims a worst-case resizeItem storm on 10k items dropped from nearly two seconds to 1.3 milliseconds, and that iOS Safari momentum scroll now works for dynamic-height lists.
That does not prove Query itself got a feature breakthrough this month. It does show that TanStack is still investing in low-level library ergonomics, browser edge cases, and agent-facing APIs around the same project family.
The supply-chain postmortem is the sharper test
The strongest recent narrative is the May 2026 npm compromise and the follow-up hardening work. TanStack says the incident affected Router and Start packages and that Query remained unaffected. The postmortem says 84 malicious versions were published across 42 packages, then deprecated within the hour and removed by npm shortly after.
The follow-up post is more important than the apology. It describes the attack path, then lays out hardening work after the incident. For a technical buyer, that is the difference between a team that got hit and went quiet, and a team that documented the failure mode in enough detail for other maintainers to learn from it.
ToolVitals should not turn that into a blanket security guarantee. It can say TanStack responded publicly and that Query was named by TanStack as unaffected. It cannot say future package releases are risk-free.
What ToolVitals can and cannot infer
ToolVitals sees public maintenance signals. For TanStack Query, those signals are strong: 49,504 GitHub stars, 30 releases in 90 days, 7 release events in 30 days, a 93 health score, and a 96 shipping score.
ToolVitals does not see code quality, production incident rates, user satisfaction, revenue, maintainer burnout, or whether Query fits your app architecture. It also does not inspect every release artifact. The metrics say the project is active and healthy by public signals. They do not certify that the library will work well in your codebase.
The ToolVitals data has null values for 30-day commits and active contributors, so nothing should be inferred about those two fields. The high score is still meaningful, but the missing fields are real gaps.
Framework comparisons
Inside the related framework set, Query is ahead of Qwik on raw ToolVitals signals: 94 ToolVitals score versus Qwik’s 89 shipping score and 6 release events in 30 days. Analog has 8 release events in 30 days and a 92 shipping score, so it is shipping too, but from a much smaller GitHub base at 3,124 stars.
The broader related set includes bigger hype numbers. LangChain has 137,571 stars, 13 release events in 30 days, and a 100 shipping score. n8n has 189,586 stars, 24 release events in 30 days, and a 100 shipping score, but ToolVitals classifies n8n as fair-code, not OSI-approved open source. That distinction matters if license freedom is part of your selection criteria.
TanStack Query’s position is different. It is a mature OSI-approved open-source library with high maintenance scores, not a newly explosive automation product.
Recommendation
If your team builds React, Solid, Svelte, or Vue apps and wants a battle-tested server-state layer, evaluate TanStack Query first because the public maintenance signal is strong and the license is simple MIT.
If your concern is supply-chain risk, do not stop at the score. Read TanStack’s postmortem and hardening post, pin dependencies, audit transitive packages, and make sure your release process can react quickly when a trusted package family has an incident. Query looks healthy, but healthy dependencies still need adult supervision.
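The three hygiene checks above (pin, audit the installed tree, be able to react to a vendor advisory) can be turned into a small CI step. The following Node script is an added example, not code from TanStack or ToolVitals: it reads a package.json and a lockfileVersion-3 package-lock.json (both constructed inline here with hypothetical `@example/*` package names) and reports dependency ranges that are not exact pins, lock entries with no integrity hash, and installed versions that appear on a deny-list. The deny-list is a placeholder; a real one would be populated from the vendor's advisory rather than guessed.

```javascript
// Added example (not TanStack's or ToolVitals' code). Audits a package.json
// plus a lockfileVersion-3 package-lock.json for three supply-chain hygiene
// points: unpinned version ranges, lock entries without an integrity hash,
// and installed versions present on a deny-list. All package names below are
// hypothetical and the deny-list is a PLACEHOLDER.
'use strict';

// A single fully specified version: no ^, ~, x, *, ranges, or dist-tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Lock entries are keyed by install path; the package name is whatever follows
// the last "node_modules/" segment, which also handles nested installs.
function packageNameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// denylist: { [packageName]: Set<version> }
function auditManifests(pkgJson, lock, denylist) {
  const findings = { unpinned: [], missingIntegrity: [], denied: [] };

  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!isExactPin(spec)) findings.unpinned.push({ name, spec });
    }
  }

  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue;            // root project entry, not a dependency
    const name = packageNameFromLockKey(key);
    if (!name || entry.link) continue;   // workspace symlinks have no tarball
    if (!entry.integrity) {
      findings.missingIntegrity.push({ name, version: entry.version });
    }
    const bad = denylist[name];
    if (bad && bad.has(entry.version)) {
      findings.denied.push({ name, version: entry.version });
    }
  }
  return findings;
}

// --- constructed sample input (hypothetical package names) ---
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@example/query': '5.0.0',    // exact pin
    '@example/router': '^1.0.0',  // caret range: floats to any new 1.x publish
    'example-util': '~1.3.0',
  },
  devDependencies: { 'example-test': 'latest' },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/@example/query': { version: '5.0.0', integrity: 'sha512-PLACEHOLDER-A' },
    'node_modules/@example/router': { version: '1.2.3', integrity: 'sha512-PLACEHOLDER-B' },
    'node_modules/example-util': { version: '1.3.0' }, // no integrity field
    'node_modules/example-test': { version: '9.9.9', integrity: 'sha512-PLACEHOLDER-C' },
  },
};

// PLACEHOLDER deny-list: in practice, fill this from the vendor's advisory.
const SAMPLE_DENYLIST = { '@example/router': new Set(['1.2.3']) };

function runSampleAudit() {
  return auditManifests(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, SAMPLE_DENYLIST);
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = runSampleAudit();
  console.log(JSON.stringify(findings, null, 2));
  // With --strict, fail the CI step when a denied version is installed.
  if (process.argv.includes('--strict') && findings.denied.length > 0) {
    process.exitCode = 1;
  }
}
```

Run it as `node audit-deps.js --strict` in CI; swap the inline samples for `JSON.parse(fs.readFileSync(...))` of the real manifests. The integrity check matters because `npm ci` verifies tarball hashes against the lockfile, so an entry without one gives you no tamper detection for that package; the deny-list check is what lets you react within hours when a package family you trust publishes an advisory listing bad versions.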
Sources
- https://tanstack.com
- https://tanstack.com/query/latest
- https://github.com/TanStack/query
- https://github.com/TanStack/query/blob/main/LICENSE
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://tanstack.com/blog/incident-followup
- https://tanstack.com/blog/streaming-structured-output
- https://tanstack.com/blog/multi-turn-structured-output