chore(deps): update build tools by daneatmastra · Pull Request #17657 · mastra-ai/mastra

daneatmastra · 2026-06-08T01:22:41Z

This PR contains the following updates:

Package	Type	Update	Change	Pending
@microsoft/api-extractor (source)	devDependencies	patch	`^7.52.8` -> `^7.58.7`	`7.58.8`
@microsoft/api-extractor (source)	devDependencies	patch	`^7.57.7` -> `^7.58.7`	`7.58.8`
@rollup/plugin-commonjs (source)	devDependencies	patch	`29.0.2` -> `29.0.3`
@types/node (source)	devDependencies	patch	`22.19.15` -> `22.19.20`
@types/node (source)	devDependencies	patch	`22.13.17` -> `22.19.20`
@types/node (source)	devDependencies	patch	`22.19.7` -> `22.19.20`
@types/node (source)	devDependencies	patch	`^20.19.30` -> `^20.19.42`
@types/node (source)	devDependencies	patch	`^22.14.0` -> `^22.19.20`
@types/node (source)	devDependencies	patch	`22.15.21` -> `22.19.20`
dotenv	devDependencies	minor	`^17.3.1` -> `^17.4.2`
dotenv	devDependencies	minor	`^17.0.0` -> `^17.4.2`
dotenv	devDependencies	patch	`^17.3.1` -> `^17.4.2`
dotenv	devDependencies	minor	`17.3.1` -> `17.4.2`
rollup (source)	devDependencies	minor	`^4.59.0` -> `^4.61.1`
rollup (source)	devDependencies	minor	`^4.59.0` -> `^4.61.1`
tsup (source)	devDependencies	patch	`^8.5.0` -> `^8.5.1`
tsup (source)	devDependencies	patch	`^8.4.0` -> `^8.5.1`
vitest (source)	devDependencies	patch	`^4.0.0` -> `^4.1.8`
vitest (source)	devDependencies	patch	`4.1.0` -> `4.1.8`
vitest (source)	devDependencies	patch	`^4.1.0` -> `^4.1.8`

Release Notes

rollup/plugins (@rollup/plugin-commonjs)

`v29.0.3`

2026-05-29

Bugfixes

commonjs: make #1868 es5-compatible (#1981)

motdotla/dotenv (dotenv)

`v17.4.2`

Compare Source

Changed

Improved skill files - tightened up details (#1009)

`v17.4.1`

Compare Source

Changed

Change text injecting to injected (#1005)

`v17.4.0`

Compare Source

Added

Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

Tighten up logs: ◇ injecting env (14) from .env (#1003)

rollup/rollup (rollup)

`v4.61.1`

Compare Source

2026-06-04

Bug Fixes

Avoid extraneous newlines when adding headers via plugins (#6403)
Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

#6402: Improve documentation for manualPureFunctions (@lukastaegert)
#6403: Does not add an extra leading line feed for addons (@TrickyPi)
#6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@jdz321, @lukastaegert)

`v4.61.0`

Compare Source

2026-06-01

Features

Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

#6376: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (@lukastaegert)
#6378: fix(deps): update minor/patch updates (@renovate[bot])
#6379: chore(deps): update dependency lint-staged to v17 (@renovate[bot], @lukastaegert)
#6380: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)
#6381: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)
#6382: chore(deps): update dependency @types/node to ^20.19.41 (@renovate[bot])
#6386: fix(deps): update minor/patch updates (@renovate[bot])
#6387: chore(deps): update aws-actions/configure-aws-credentials action to v6 (@renovate[bot])
#6388: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)
#6389: chore(deps): lock file maintenance (@renovate[bot])
#6391: Sort entry modules to make chunk hash names deterministic (@TrickyPi)
#6394: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)
#6395: chore(deps): update react monorepo to v19 (@renovate[bot], @lukastaegert)
#6396: fix(deps): update rust crate swc_compiler_base to v57 (@renovate[bot], @lukastaegert)
#6397: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)
#6400: docs: fix broken links (@jiyujie2006)

`v4.60.4`

Compare Source

2026-05-14

Bug Fixes

Improve stability of chunk hashes (#6362)

Pull Requests

#6362: fix: stabilize chunk assignment across parallel file reads (@sonukapoor, @Sonu Kapoor, @TrickyPi, @lukastaegert)
#6370: fix(deps): update minor/patch updates (@renovate[bot])
#6371: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)
#6372: chore(deps): update react monorepo to v19 (major) (@renovate[bot])
#6373: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)
#6375: Resolve vulnerabilities (@lukastaegert)

vitest-dev/vitest (vitest)

`v4.1.8`

Compare Source

🐞 Bug Fixes

browser:
- Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)
- Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in #10474 (675b4)

View changes on GitHub

`v4.1.7`

Compare Source

🐞 Bug Fixes

runner: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in #10384 (4f0f2)

View changes on GitHub

Configuration

📅 Schedule: Branch creation - "before 6am every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

changeset-bot · 2026-06-08T01:22:45Z

⚠️ No Changeset found

Latest commit: 941c038

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

vercel · 2026-06-08T01:22:47Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mastra-docs-1.x	Ready	Preview, Comment	Jun 9, 2026 2:42pm
mastra-playground-ui	Ready	Preview, Comment	Jun 9, 2026 2:42pm

dane-ai-mastra · 2026-06-08T01:23:48Z

PR triage

Linked issue check skipped for core contributor @daneatmastra.

PR complexity score

Factor	Value	Score impact
Files changed	163	+60
Lines changed	2934	+60
Author merged PRs	305	-20
Test files changed	No	-0
Final score		100

Applied label: complexity: critical

Changed test gate

No changed test files were detected.

Label: tests: no tests added

socket-security · 2026-06-08T01:27:00Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
@ai-sdk/openai@3.0.68 ⏵ 2.0.106		^-2
get-port@7.1.0
npm-cli-login@1.0.0
form-data@2.5.5
verdaccio@6.2.5
verdaccio-auth-memory@10.3.1
rollup@4.60.4 ⏵ 4.61.1	⁺¹

View full report

socket-security · 2026-06-08T01:27:01Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: npm `form-data` uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/npm-cli-login@1.0.0` → `npm/form-data@2.3.3` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/form-data@2.3.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL) Affected versions: >= 4.0.0 < 4.7.9 Patched version: 4.7.9 From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/handlebars@4.7.8` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/handlebars@4.7.8`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `argparse` under Python-2.0.1 License: Python-2.0.1 - The applicable license policy does not permit this license (5) (package/LICENSE) From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/argparse@2.0.1` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `bcrypt-pbkdf` under BSD-3-Clause-HP License: BSD-3-Clause-HP - The applicable license policy does not permit this license (5) (package/LICENSE) From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/npm-cli-login@1.0.0` → `npm/bcrypt-pbkdf@1.0.2` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/bcrypt-pbkdf@1.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `bcryptjs` under BSD-3-Clause-HP License: BSD-3-Clause-HP - The applicable license policy does not permit this license (5) (package/LICENSE) From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/bcryptjs@2.4.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/bcryptjs@2.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `rollup` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/vitest@4.1.8` → `npm/rollup@4.53.5` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rollup@4.53.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `spdx-exceptions` under CC-BY-3.0 License: CC-BY-3.0 - The applicable license policy does not permit this license (5) (npm metadata) License: CC-BY-3.0 - The applicable license policy does not permit this license (5) (package/package.json) From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/npm-cli-login@1.0.0` → `npm/spdx-exceptions@2.5.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/spdx-exceptions@2.5.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `unix-crypt-td-js` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/unix-crypt-td-js@1.1.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/unix-crypt-td-js@1.1.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `validator` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: e2e-tests/create-mastra/pnpm-lock.yaml → `npm/verdaccio@6.2.5` → `npm/validator@13.15.26` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/validator@13.15.26`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

daneatmastra added the automation label Jun 8, 2026

dane-ai-mastra Bot added the complexity: critical Critical-complexity PR label Jun 8, 2026

vercel Bot deployed to Preview – mastra-playground-ui June 8, 2026 01:24 View deployment

dane-ai-mastra Bot added the tests: no tests added PR does not change test files label Jun 8, 2026

vercel Bot deployed to Preview – mastra-docs-1.x June 8, 2026 01:24 View deployment

github-actions Bot approved these changes Jun 8, 2026

View reviewed changes

vercel Bot deployed to Preview – mastra-playground-ui June 8, 2026 01:26 View deployment

vercel Bot deployed to Preview – mastra-docs-1.x June 8, 2026 01:26 View deployment

chore(deps): update build tools

5ce4f13

daneatmastra force-pushed the renovate/build-tools branch from ff12b2b to 5ce4f13 Compare June 9, 2026 01:14

vercel Bot deployed to Preview – mastra-playground-ui June 9, 2026 01:16 View deployment

chore: update pnpm-lock.yaml files

9842c3e