
Query client integration leaks information between requests #108

Open
Benjamin-Lee opened this issue May 21, 2025 · 0 comments
Which project does this relate to?

Create Tanstack App

Describe the bug

When using the default configuration of TanStack Query, state is injected into all requests, even if they came from a different user. This could leak information and should not be the default.

Your Example Website or App

https://github.com/Benjamin-Lee/tanstack-start-query

Steps to Reproduce the Bug or Issue

  1. Create a new TanStack Start project with the Query integration active
  2. Load the demo route for Query: http://localhost:3000/demo/tanstack-query
  3. Go to another page and reload: the server-side context is injected back into the page

Expected behavior

There should be no server side state injected into different requests. This could be a security issue if an authenticated client runs a query which is cached on the server, which then uses that cache to inject the state for a different user.

To get the expected behavior, I have made this my router.tsx:

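import { QueryClient } from "@tanstack/react-query"
import { createRouter as createTanstackRouter } from "@tanstack/react-router"
import { routerWithQueryClient } from "@tanstack/react-router-with-query"
// Generated route tree; this path is an assumption, adjust it to your project
import { routeTree } from "./routeTree.gen"

// Create a new router instance
export const createRouter = () => {
  // The QueryClient is created inside createRouter, so each router instance gets its own cache
  const queryClient = new QueryClient()
  const router = routerWithQueryClient(
    createTanstackRouter({
      routeTree,
      context: {
        queryClient,
      },
      scrollRestoration: true,
      defaultPreloadStaleTime: 0,
      defaultPreload: "intent",
    }),
    queryClient
  )

  return router
}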

Screenshots or Videos

No response

Platform

  • OS: macOS
  • Browser: all
  • Version: 0.15.3

Additional context

No response
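
A minimal model of the leak described in this issue, added here as an illustration and not taken from the issue or from TanStack. It assumes the injected state comes from a cache object that outlives a single request; `MiniQueryCache`, `handleRequest`, `findLeaks` and the sample users are hypothetical stand-ins for the real Query client and server renderer.

```javascript
// Added illustration. MiniQueryCache, handleRequest and the sample users are
// hypothetical stand-ins, not TanStack Query or TanStack Start APIs.
class MiniQueryCache {
  constructor() { this.entries = new Map(); }
  // Return the cached value for key, or run fetcher once and cache the result.
  fetchQuery(key, fetcher) {
    if (!this.entries.has(key)) this.entries.set(key, fetcher());
    return this.entries.get(key);
  }
  // Serialize the whole cache, the way SSR state is embedded for hydration.
  dehydrate() { return Object.fromEntries(this.entries); }
}

// Constructed sample data: one private record per user.
const PROFILES = {
  alice: { email: "alice@example.test" },
  bob: { email: "bob@example.test" },
};

// One server render: optionally query the caller's profile, then inject the
// dehydrated cache into the response.
function handleRequest(cache, { user, runProfileQuery }) {
  if (runProfileQuery) cache.fetchQuery(`profile:${user}`, () => PROFILES[user]);
  return { user, injectedState: cache.dehydrate() };
}

// Leaky setup: a single cache at module scope outlives every request.
const sharedCache = new MiniQueryCache();
const serveShared = (requests) => requests.map((r) => handleRequest(sharedCache, r));

// Isolated setup: a new cache per request, as in the router.tsx above.
const servePerRequest = (requests) =>
  requests.map((r) => handleRequest(new MiniQueryCache(), r));

// Check: users whose response carries a cache entry keyed to someone else.
function findLeaks(responses) {
  return responses
    .filter(({ user, injectedState }) =>
      Object.keys(injectedState).some((key) => key !== `profile:${user}`))
    .map(({ user }) => user);
}

// Constructed sequence: alice runs the query, then bob loads a page without it.
const REQUESTS = [
  { user: "alice", runProfileQuery: true },
  { user: "bob", runProfileQuery: false },
];

console.log("shared cache leaks to:", findLeaks(serveShared(REQUESTS)));
console.log("per-request cache leaks to:", findLeaks(servePerRequest(REQUESTS)));
```

A check like `findLeaks` can be turned into a regression test: render two requests for different identities back to back and fail if the second response's injected state contains anything the second request did not fetch.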
