TanStack weighs invitation-only pull requests after supply chain attack
ID: fc1b32dc-1d82-522f-90ac-3238c63818c8
STIX ID: report--fc1b32dc-1d82-522f-90ac-3238c63818c8
Feed Name: The Register (Security)
A malicious pull request exploited TanStack's use of the GitHub Actions `pull_request_target` trigger, which runs workflow code with the base repository's permissions and secrets, to execute the Shai-Hulud worm (attributed to TeamPCP). The worm poisoned a repository-wide Actions cache and is capable of extracting secrets from CI runner memory. In response, TanStack has removed `pull_request_target` from its workflows, disabled caches, pinned third-party actions to commit SHAs, changed its 2FA methods, and is considering invitation-only pull requests to prevent future supply-chain abuse.
