npm @tanstack/query-core not updated for two days #205

Open
jayvdb opened this issue Mar 20, 2025 · 1 comment

Comments


jayvdb commented Mar 20, 2025

Similar to #147, I am also using osv-scanner for license checking, which is now out of the experimental phase.

It reports

+-------------------+-----------+-----------------------------------------------+---------+----------------+
| LICENSE VIOLATION | ECOSYSTEM | PACKAGE                                       | VERSION | SOURCE         |
+-------------------+-----------+-----------------------------------------------+---------+----------------+
| UNKNOWN           | npm       | @tanstack/query-broadcast-client-experimental | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-core                          | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-persist-client-core           | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-sync-storage-persister        | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/react-query                         | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-broadcast-client-experimental | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-core                          | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-persist-client-core           | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-sync-storage-persister        | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/react-query                         | 5.69.0  | pnpm-lock.yaml |
+-------------------+-----------+-----------------------------------------------+---------+----------------+

This is because https://deps.dev/npm/%40tanstack%2Fquery-core and friends are stuck at 5.68.0, whereas 5.69.0 was released two days ago. cf. https://www.npmjs.com/package/@tanstack/query-core/v/5.69.0

The FAQ states:

Meanwhile a background scan visits every known package at a constant rate to catch any updates that might be missed.
As a result, the data for commonly used packages is usually fresh, up to date to within an hour or so. Quiescent or obsolete packages can be presented with staler data, however.
There is no mechanism for users to trigger an update.

If this happens often, perhaps the "within an hour or so" needs to be revised to something more accurate.

I am wondering if it might also be possible to use incoming requests to trigger updates of that specific version, i.e. if a tool requests v5.69.0 and it isn't in deps.dev, that is a very good indication that the version exists and deps.dev could attempt to fetch it from the source.

Checks would need to be put in place to prevent abuse of this.
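An added triage helper (not part of this issue, osv-scanner or deps.dev) that parses the license-violation table shown above and separates UNKNOWN rows whose version is absent from the index (the stale-index case this issue describes) from rows that are indexed but still have no license. Both the table and the `INDEXED_VERSIONS` map are constructed inputs; in real use the version set would be fetched from the deps.dev API.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample in the same shape as osv-scanner's license-violation table above.
SCAN_OUTPUT = """\
+-------------------+-----------+--------------------------------+---------+----------------+
| LICENSE VIOLATION | ECOSYSTEM | PACKAGE                        | VERSION | SOURCE         |
+-------------------+-----------+--------------------------------+---------+----------------+
| UNKNOWN           | npm       | @tanstack/query-core           | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/react-query          | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | @tanstack/query-core           | 5.69.0  | pnpm-lock.yaml |
| UNKNOWN           | npm       | example-no-license             | 1.2.3   | pnpm-lock.yaml |
+-------------------+-----------+--------------------------------+---------+----------------+
"""

# Constructed stand-in for the versions deps.dev currently knows about (assumption:
# the real data would come from the deps.dev API; embedded here so the script runs offline).
INDEXED_VERSIONS: Dict[str, Set[str]] = {
    "@tanstack/query-core": {"5.68.0"},
    "@tanstack/react-query": {"5.68.0"},
    "example-no-license": {"1.2.3"},
}

def parse_violations(table: str) -> List[Tuple[str, str, str, str]]:
    """Parse the ASCII table into (violation, ecosystem, package, version) rows,
    skipping border lines, the header row and exact duplicates (the scanner
    repeats a row for every lockfile entry that resolves to the same package)."""
    rows: List[Tuple[str, str, str, str]] = []
    seen = set()
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # "+----" border line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "LICENSE VIOLATION":
            continue  # header row
        row = (cells[0], cells[1], cells[2], cells[3])
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows

def triage_unknown(rows, indexed: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Split UNKNOWN results into 'not_indexed' (version missing from the index,
    so the result is likely stale data rather than a real license gap) and
    'no_license' (version is indexed, so the missing license needs a real look)."""
    out: Dict[str, List[str]] = {"not_indexed": [], "no_license": []}
    for violation, _eco, pkg, ver in rows:
        if violation != "UNKNOWN":
            continue
        key = "no_license" if ver in indexed.get(pkg, set()) else "not_indexed"
        out[key].append(f"{pkg}@{ver}")
    return out
```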

@slugclub
Collaborator

Thank you for bringing this to our attention and big apologies for any inconvenience this has caused you.

After investigating, we believe that the delay in processing these new versions was due to an unusually high volume of npm package versions being published over the past few days. Those missing versions are now most of the way through our processing pipeline and should be visible in osv-scanner.

We will continue to investigate over the next week or so to see what improvements can be made to the pipeline to better handle these situations, including considering using incoming requests to prioritise updates and/or revising the "within an hour or so" phrasing to be more accurate.

Please let us know if you discover any further issues/have any additional questions. I'll post another update here when those missing versions have been fully processed and we have confirmed what happened upstream.
