@mastra/deployer
Core deployment infrastructure for Mastra applications, handling build, packaging, and deployment processes.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/core-XIDAXLRB.js | AI (source-diff): Bundled Zod v4 core from build; readable code with source maps, not obfuscation. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo sub-package; empty description is stable and benign. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Build output with content-hashed filenames rotates each release; expected churn. | ai | |
| source-diff | obfuscated-file:dist/core-6CQRSKZJ.js | AI (source-diff): Bundled zod library code from rollup build output; stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/dist-WKLFRGVR.cjs | AI (source-diff): Standard rollup/tsup bundle output with readable source comments; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/dist-PXHGZMQ4.js | AI (source-diff): Standard rollup/tsup bundle output with readable source comments; not obfuscated. | ai | |
| phantom-deps | phantom-dep:@babel/helper-module-imports | AI (phantom-deps): Framework-scoped; convention-loaded by Babel. | ai | |
| phantom-deps | phantom-dep:builtins | AI (phantom-deps): Build-time dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): Config-file reference; stable pattern for this build tool. | ai | |
| phantom-deps | phantom-dep:detect-libc | AI (phantom-deps): Build-time dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:@neon-rs/load | AI (phantom-deps): Build-time dependency; stable for this package. | ai | |
| phantom-deps | phantom-dep:rollup-plugin-node-externals | AI (phantom-deps): Rollup plugin loaded by convention; stable for this package. | ai | |
| dependencies | unvetted-dep:@optimize-lodash/rollup-plugin | AI (dependencies): Legitimate rollup plugin for lodash optimization; stable build tooling dependency for this package. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): WebSocket dep used via config/convention in this deployer package. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Framework-scoped preset loaded by convention; stable FP. | ai | |
| phantom-deps | phantom-dep:@types/babel__traverse | AI (phantom-deps): Type-only dep; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@sindresorhus/slugify | AI (phantom-deps): Referenced in config files; stable FP for this package. | ai | |
| phantom-deps | phantom-dep:@babel/traverse | AI (phantom-deps): Framework-scoped; loaded by convention in this build/deploy tooling. | ai | |
| phantom-deps | phantom-dep:esbuild | AI (phantom-deps): Deployer/bundler package; esbuild is a known implicit runtime/binary dep. | ai | |
| phantom-deps | phantom-dep:resolve-from | AI (phantom-deps): Referenced in config files; stable false positive for this bundler package. | ai | |
| phantom-deps | phantom-dep:@hono/node-ws | AI (phantom-deps): Framework-scoped dep loaded by convention in deployer; stable FP. | ai | |
Versions (showing 51 of 58)
| Version | Deps | Published |
|---|---|---|
| 1.41.0 | 27 / 24 | |
| 1.40.0 | 27 / 24 | |
| 1.39.0 | 27 / 24 | |
| 1.38.0 | 27 / 24 | |
| 1.37.1 | 27 / 24 | |
| 1.37.0 | 27 / 24 | |
| 1.36.0 | 27 / 24 | |
| 1.35.0 | 27 / 24 | |
| 1.34.0 | 27 / 24 | |
| 1.33.1 | 27 / 24 | |
| 1.33.0 | 27 / 24 | |
| 1.32.1 | 28 / 24 | |
| 1.32.0 | 28 / 24 | |
| 1.31.0 | 28 / 24 | |
| 1.30.0 | 28 / 24 | |
| 1.29.1 | 28 / 24 | |
| 1.29.0 | 28 / 24 | |
| 1.28.0 | 28 / 24 | |
| 1.27.0 | 28 / 24 | |
| 1.26.0 | 28 / 24 | |
| 1.25.0 | 28 / 24 | |
| 1.24.1 | 28 / 24 | |
| 1.24.0 | 28 / 24 | |
| 1.23.0 | 28 / 24 | |
| 1.22.0 | 28 / 24 | |
| 1.21.0 | 26 / 23 | |
| 1.20.0 | 26 / 23 | |
| 1.19.0 | 26 / 23 | |
| 1.18.0 | 26 / 23 | |
| 1.17.0 | 26 / 23 | |
| 1.16.0 | 26 / 23 | |
| 1.15.0 | 26 / 23 | |
| 1.14.0 | 26 / 23 | |
| 1.13.2 | 26 / 23 | |
| 1.13.1 | 26 / 23 | |
| 1.13.0 | 26 / 23 | |
| 1.10.0 | 24 / 22 | |
| 1.9.0 | 24 / 22 | |
| 1.8.0 | 24 / 22 | |
| 1.7.0 | 24 / 22 | |
| 1.6.0 | 24 / 22 | |
| 1.5.0 | 24 / 22 | |
| 1.4.0 | 24 / 22 | |
| 1.3.0 | 24 / 22 | |
| 1.2.0 | 24 / 22 | |
| 1.1.0 | 24 / 22 | |
| 1.0.4 | 24 / 22 | |
| 1.0.0 | 24 / 22 | |
| 0.24.9 | 30 / 20 | |
| 0.24.8 | 30 / 20 | |
| 0.24.7 | 30 / 20 | |
v1.41.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.40.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.39.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.38.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.1
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.37.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.36.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.35.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.34.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.33.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.33.0
3 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.32.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.32.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.31.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.29.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.22.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.20.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.19.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.18.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.17.0
2 findings:
- This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
- This version was published by a different npm account (wardpeet) than the most recent previously approved version (GitHub Actions) on 2026-03-26, but wardpeet is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.16.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.10.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.9.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.8.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.7.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.6.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.5.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.24.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.