The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
---
package: "@tanstack/react-query"
version: "^5.59.0"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: null
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: n/a
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  - npm view @tanstack/react-query license
  - npm view @tanstack/react-query version
  - pnpm audit --audit-level=moderate
accepted-cves: []
---

## Filter: license

<!-- Result: MIT -->

`npm view @tanstack/react-query license` returns `MIT`. MIT is on the allowlist.

## Filter: types

<!-- Result: native -->

`@tanstack/react-query` is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/` package is needed.

## Filter: maintenance

<!-- Result: active -->

Actively maintained by the TanStack team. The 5.x line is the current stable major. Regular releases; strong community adoption alongside tRPC.

## Filter: boundary-fit

<!-- Result: pass -->

`@tanstack/react-query` is listed as a runtime dependency of `@repo/core-testing` to provide the `QueryClient` and `QueryClientProvider` needed when rendering components that use TanStack Query hooks in tests. The production apps consume it through their framework layer. No boundary rule restricts React Query to a specific tier.

## Filter: shadow-check

<!-- Result: pass -->

`@tanstack/react-query` is the sole server-state management library in the workspace. No competing library (SWR, Apollo Client, RTK Query, etc.) is present for the same purpose.

## Filter: eu-residency

<!-- Result: n/a -->

`@tanstack/react-query` is a pure client-side state management library with no network communication to vendor-controlled endpoints. EU residency does not apply.

## Filter: cve-scan

<!-- Result: clean -->

`pnpm audit --audit-level=moderate` reports no advisories against `@tanstack/react-query` at the time of this trace.

## Filter: named-consumer

<!-- Result: pass -->

`@repo/core-testing` uses `@tanstack/react-query` to set up `QueryClient` wrappers for component tests. The Next.js app uses TanStack Query for client-side data fetching with tRPC. Named, non-hypothetical consumers exist today.

## Prompt: replaces

`@tanstack/react-query` replaces manual `useEffect` + `useState` patterns for server-state caching, deduplication, and background refetching. It is the standard companion to tRPC's React adapter.

## Prompt: migration-cost-out

Hard. TanStack Query's `useQuery` / `useMutation` hooks are used in feature UI components across the Next.js app. The cache key structure (`trpc.*` query keys) is tightly coupled to tRPC's query key format. Migrating out requires replacing all data-fetching hooks and the cache invalidation strategy.

## Prompt: alternatives-considered

1. **SWR** — Similar feature set but less integration with tRPC's query key format; TanStack Query's devtools and cache invalidation API are more expressive.
2. **Apollo Client** — GraphQL-centric; incompatible with tRPC's RPC model.
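
A presence check for the situation the commit message describes, written as an added example and not taken from this repository: it reports traces whose front matter lacks any expected `filter-results` key, so traces that predate a newly added filter are found before a backfill. The required key list is copied from the trace above and assumed to be complete; the file paths and sample front matter are constructed.

```javascript
// Keys copied from the filter-results block of the trace above; treating them
// as the full required set is an assumption of this example.
const REQUIRED_FILTERS = ["license", "types", "maintenance", "boundary-fit",
  "shadow-check", "eu-residency", "cve-scan", "named-consumer", "socketRisk"];

// Collect the keys nested under `filter-results:` in a trace's front matter.
// Returns null when there is no front matter or no filter-results block.
function readFilterResults(text) {
  const lines = text.split(/\r?\n/);
  const end = lines.findIndex((l, i) => i > 0 && l.trim() === "---");
  if (lines[0].trim() !== "---" || end === -1) return null;
  const results = {};
  let inBlock = false, found = false;
  for (const line of lines.slice(1, end)) {
    if (/^filter-results:\s*$/.test(line)) { inBlock = found = true; continue; }
    if (!inBlock || line.trim() === "") continue;
    const kv = /^\s+([\w-]+):\s*(.*)$/.exec(line);
    if (!kv) { inBlock = false; continue; } // dedent or list item ends the block
    results[kv[1]] = kv[2].trim();
  }
  return found ? results : null;
}

// Required filter keys that are absent or empty in one trace.
function missingFilters(text) {
  const results = readFilterResults(text);
  return REQUIRED_FILTERS.filter((k) => !results || !results[k]);
}

// Audit a map of path -> file text; report only traces that fail the check.
function auditTraces(traces) {
  return Object.entries(traces)
    .map(([path, text]) => ({ path, missing: missingFilters(text) }))
    .filter((r) => r.missing.length > 0);
}

// Constructed sample input (hypothetical paths, abbreviated front matter).
const head = "---\npackage: \"example-pkg\"\nfilter-results:\n  license: MIT\n" +
  "  types: native\n  maintenance: active\n  boundary-fit: pass\n" +
  "  shadow-check: pass\n  eu-residency: n/a\n  cve-scan: clean\n" +
  "  named-consumer: pass\n";
const tail = "verification-commands:\n  - pnpm audit --audit-level=moderate\n---\n";
const SAMPLE_TRACES = {
  "traces/pre-filter.md": head + tail,
  "traces/backfilled.md": head + "  socketRisk: clean\n" + tail,
  "traces/no-front-matter.md": "## Filter: license\n",
};

console.log(JSON.stringify(auditTraces(SAMPLE_TRACES), null, 2));
```

The check only establishes that each key has a value; whether a backfilled `clean` reflects an actual scan is left to the revalidation job the commit message mentions.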