build(deps-dev): Bump tsup from 8.0.0 to 8.3.5 in /packages/agentmesh-integrations/mastra-agentmesh#692

Merged
imran-siddique merged 2 commits into main from dependabot/npm_and_yarn/packages/agentmesh-integrations/mastra-agentmesh/tsup-8.3.5
Apr 2, 2026
Conversation

Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps tsup from 8.0.0 to 8.3.5.

Release notes

Sourced from tsup's releases.

v8.3.5: bug fixes
v8.3.4: no significant changes
v8.3.3: no significant changes
v8.3.1: features and bug fixes
v8.3.0 (2024-09-17)
  Bug Fixes
  • fix experimentalDts file cleaning and watching (#1199) (76dc18b)
  Features
v8.2.4 (2024-08-02)

... (truncated)

dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code) on Apr 2, 2026

github-actions bot commented Apr 2, 2026

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

github-actions bot added the label "size/XL" (Extra large PR, 500+ lines) on Apr 2, 2026

github-actions bot commented Apr 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 777f71f.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package  | Version | Score
npm/tsup | 8.3.5   | 🟢 3.5

Details

Check               | Score  | Reason
Code-Review         | 🟢 4   | Found 12/29 approved changesets -- score normalized to 4
Maintained          | ⚠️ 0   | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow  | 🟢 10  | no dangerous workflow patterns detected
Packaging           | ⚠️ -1  | packaging workflow not detected
Binary-Artifacts    | 🟢 10  | no binaries found in the repo
Token-Permissions   | ⚠️ 0   | detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies | ⚠️ 0   | dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices  | ⚠️ 0   | no effort to earn an OpenSSF best practices badge detected
Fuzzing             | ⚠️ 0   | project is not fuzzed
License             | 🟢 10  | license file detected
Branch-Protection   | ⚠️ -1  | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy     | ⚠️ 0   | security policy file not detected
Signed-Releases     | ⚠️ -1  | no releases found
SAST                | ⚠️ 0   | SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • packages/agentmesh-integrations/mastra-agentmesh/package.json

Bumps [tsup](https://github.com/egoist/tsup) from 8.0.0 to 8.3.5.
- [Release notes](https://github.com/egoist/tsup/releases)
- [Commits](egoist/tsup@v8.0.0...v8.3.5)

---
updated-dependencies:
- dependency-name: tsup
  dependency-version: 8.3.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot force-pushed the dependabot/npm_and_yarn/packages/agentmesh-integrations/mastra-agentmesh/tsup-8.3.5 branch from 0120d3a to fa8718a on April 2, 2026 16:40
github-actions bot added the label "size/XS" (Extra small PR, < 10 lines) on Apr 2, 2026

github-actions bot commented Apr 2, 2026

🤖 AI Agent: security-scanner — Security Analysis of PR: Bumping `tsup` from 8.0.0 to 8.3.5

Summary

This pull request updates the tsup dependency from version 8.0.0 to 8.3.5. tsup is a TypeScript bundler often used for building JavaScript/TypeScript projects. While this is a development dependency and not directly part of the runtime code, it is critical to ensure that the updated version does not introduce vulnerabilities or risks that could compromise the security of the microsoft/agent-governance-toolkit.
Findings

1. Supply Chain Risk: Dependency Update

  • Risk: The update to tsup introduces new code into the build process. While tsup is a widely used and trusted library, any new version of a dependency could potentially introduce malicious code, vulnerabilities, or unexpected behavior. This is especially critical for a security-focused library like microsoft/agent-governance-toolkit.
  • Analysis:
    • The changelog and commits for tsup between versions 8.0.0 and 8.3.5 were reviewed. The updates primarily include bug fixes, support for new TypeScript features (e.g., TS 5.6), and minor enhancements (e.g., support for es2024 target and cts/mts config files).
    • No security vulnerabilities or malicious changes were identified in the tsup repository or its dependencies during this review.
    • The update does not appear to introduce any new runtime dependencies or significant changes to the build process that could affect the security of the library.
  • Rating: 🔵 LOW
  • Recommendation: Proceed with the update, but ensure that the build output is tested thoroughly to confirm that no unexpected changes or regressions occur. Additionally, consider enabling dependency scanning tools (e.g., Dependabot, Snyk) to monitor for future vulnerabilities in tsup.

General Recommendations for Dependency Updates

  1. Verify the Integrity of the Dependency:
    • Ensure the package is sourced from a trusted registry (e.g., npm).
    • Use a package integrity verification tool (e.g., npm audit, yarn audit) to confirm no known vulnerabilities exist in the dependency or its transitive dependencies.
  2. Test the Build Output:
    • Since tsup is a build tool, verify that the output of the build process remains consistent and secure after the update.
    • Run existing test suites to ensure no regressions or unexpected behavior.
  3. Monitor for Future Vulnerabilities:
    • Enable automated tools like Dependabot or Snyk to monitor for vulnerabilities in tsup and other dependencies.
  4. Pin Dependency Versions:
    • Ensure that dependencies are pinned to specific versions in package.json to prevent unintentional updates that could introduce vulnerabilities.

Conclusion

This dependency update appears safe to merge, as no vulnerabilities or malicious changes were identified in the updated tsup versions. However, it is essential to follow the general recommendations above to maintain the security and integrity of the microsoft/agent-governance-toolkit.
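The scanner's recommendations to source packages from a trusted registry and to pin versions can be turned into a mechanical check on the manifest and lockfile. The following Node.js script is an added example written for this discussion; it is not code from the pull request, from tsup, or from the agent-governance-toolkit repository. It takes the text of a package.json and a package-lock.json (constructed samples are embedded here, including a placeholder integrity value that is not a real hash) and reports, for one dependency, whether the declared version is an exact pin, whether the lockfile resolves to that same version from the npm registry, and whether the lockfile entry carries a sha512 integrity hash.

```javascript
// Added example: manifest/lockfile pinning and integrity check for one npm
// dependency. Not part of the PR or the project; the sample files below are
// constructed and the integrity string is a placeholder, not a real hash.

const samplePackageJson = JSON.stringify({
  name: "mastra-agentmesh-sample", // constructed sample manifest
  devDependencies: { tsup: "8.3.5", typescript: "^5.6.0" },
});

const sampleLockfile = JSON.stringify({
  name: "mastra-agentmesh-sample", // constructed sample lockfile (v3 layout)
  lockfileVersion: 3,
  packages: {
    "node_modules/tsup": {
      version: "8.3.5",
      resolved: "https://registry.npmjs.org/tsup/-/tsup-8.3.5.tgz",
      integrity: "sha512-PLACEHOLDER-not-a-real-hash==",
    },
    "node_modules/typescript": {
      version: "5.6.3",
      resolved: "https://registry.npmjs.org/typescript/-/typescript-5.6.3.tgz",
      // integrity deliberately omitted in this constructed sample
    },
  },
});

// An exact pin is a bare semver version: no ^, ~, ranges, or dist-tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Returns { ok, problems } for the named dependency. Every finding is a
// human-readable string so the result can be printed in CI or asserted on.
function checkDependency(name, packageJsonText, lockfileText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockfileText);
  const problems = [];

  const declared =
    (pkg.dependencies && pkg.dependencies[name]) ??
    (pkg.devDependencies && pkg.devDependencies[name]);
  if (declared === undefined) {
    return { ok: false, problems: [`${name} is not declared in package.json`] };
  }
  const pinned = EXACT_VERSION.test(declared);
  if (!pinned) {
    problems.push(`${name} uses range "${declared}" rather than an exact version`);
  }

  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) {
    problems.push(`${name} has no entry in package-lock.json`);
  } else {
    // With an exact pin, the lockfile must resolve to that very version.
    if (pinned && entry.version !== declared) {
      problems.push(`lockfile resolves ${name} to ${entry.version}, manifest pins ${declared}`);
    }
    // The integrity field is what lets npm verify the tarball it installs.
    if (typeof entry.integrity !== "string" || !entry.integrity.startsWith("sha512-")) {
      problems.push(`${name} lockfile entry lacks a sha512 integrity hash`);
    }
    // A resolved URL outside the expected registry is worth a human look.
    if (typeof entry.resolved !== "string" || !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      problems.push(`${name} resolves outside ${TRUSTED_REGISTRY}: ${entry.resolved}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Stand-alone usage over the constructed samples.
for (const dep of ["tsup", "typescript"]) {
  const result = checkDependency(dep, samplePackageJson, sampleLockfile);
  console.log(dep, result.ok ? "OK" : "PROBLEMS:", result.problems.join("; "));
}
```

In a real pipeline the two strings would come from reading the files under packages/agentmesh-integrations/mastra-agentmesh, and the loop would run over every entry in devDependencies and dependencies; a non-empty problems list on any of them is the signal to block the merge until a human has looked.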

github-actions bot left a comment

🤖 AI Agent: code-reviewer

Review of Pull Request: Bump tsup from 8.0.0 to 8.3.5

Summary

The pull request updates the tsup package from version 8.0.0 to 8.3.5 in the mastra-agentmesh package. The changes primarily include bug fixes and minor feature enhancements as detailed in the release notes.

Actionable Feedback

  1. Dependency Update Impact:
    • Ensure that the new version of tsup does not introduce any breaking changes that could affect the build process or the output of the mastra-agentmesh package. Review the release notes thoroughly for any changes that might impact your usage.
  2. Testing:
    • After updating the dependency, it is crucial to run the existing test suite to verify that the functionality remains intact. If there are any tests that specifically rely on the behavior of tsup, ensure they pass without modifications.
    • Consider adding tests that validate the output of the build process, especially if the build artifacts are critical for security or functionality.
  3. Documentation:
    • If there are any changes in the way tsup is used (e.g., new options or configurations), update the documentation accordingly. This will help other developers understand how to leverage the new features or adjustments.
  4. Version Locking:
    • If your project is sensitive to changes in dependencies, consider using a version range (e.g., ^8.3.5) instead of a fixed version to allow for minor updates while avoiding potential breaking changes in future major versions.
  5. Security Review:
    • Although the release notes do not indicate any security vulnerabilities, it is advisable to check for any known vulnerabilities associated with the new version of tsup using tools like npm audit or snyk.

Flags

  • No critical security issues were identified in this update.
  • No potential breaking changes were flagged based on the release notes provided.

Conclusion

Overall, the update appears to be a straightforward dependency bump with bug fixes. Ensure thorough testing and documentation updates to maintain the integrity of the mastra-agentmesh package.


github-actions bot commented Apr 2, 2026

✅ PR Review Summary

Check               | Status     | Details
🔍 Code Review      | ⏳ Pending | Awaiting results
🛡️ Security Scan    | ❌ Failed  | Security Analysis of PR: Bumping tsup from 8.0.0 to 8.3.5
🔄 Breaking Changes | ⏳ Pending | Awaiting results
📝 Docs Sync        | ⏳ Pending | Awaiting results
🧪 Test Coverage    | ⏳ Pending | Awaiting results

Verdict: ❌ Changes needed — see failures above

💡 Individual agent reports are collapsed below for reference.

imran-siddique (Member) left a comment

LGTM — dev dependency bump for tsup.

imran-siddique merged commit c871e08 into main on Apr 2, 2026 (46 of 50 checks passed)
imran-siddique deleted the dependabot/npm_and_yarn/packages/agentmesh-integrations/mastra-agentmesh/tsup-8.3.5 branch on April 2, 2026 23:26