@mastra/nestjs @0.1.15
Mastra NestJS adapter for the server
Maintainers
Dependencies (3)
| Package | Constraint | Registry Status |
|---|---|---|
| easy-day-js | ^1.11.21 | auto_approved |
| @mastra/server | 1.42.0 | auto_approved |
| @fastify/busboy | ^3.2.0 | auto_approved |
Dev Dependencies (28)
| Package | Constraint | Registry Status |
|---|---|---|
| zod | ^3.25.0 | auto_approved |
| cors | ^2.8.5 | auto_approved |
| rxjs | ^7.8.1 | auto_approved |
| tsup | ^8.5.1 | auto_approved |
| eslint | ^10.4.1 | auto_approved |
| vitest | ^4.0.0 | auto_approved |
| express | ^5.1.0 | auto_approved |
| supertest | ^7.1.1 | auto_approved |
| typescript | ^6.0.3 | auto_approved |
| @types/cors | ^2.8.19 | auto_approved |
| @types/node | ^20.19.30 | auto_approved |
| @mastra/core | 1.42.0 | auto_approved |
| @nestjs/core | ^11.1.26 | auto_approved |
| @mastra/evals | 1.3.0 | auto_approved |
| @ai-sdk/openai | ^2.0.106 | auto_approved |
| @internal/lint | 0.0.104 | Not imported |
| @mastra/libsql | 1.13.0 | auto_approved |
| @mastra/memory | 1.20.3 | auto_approved |
| @nestjs/common | ^10.4.22 | auto_approved |
| @types/express | ^5.0.5 | auto_approved |
| @nestjs/testing | ^10.4.22 | auto_approved |
| @types/supertest | ^6.0.2 | auto_approved |
| reflect-metadata | ^0.2.2 | auto_approved |
| @mastra/observability | 1.14.1 | auto_approved |
| @internal/types-builder | 0.0.79 | Not imported |
| @nestjs/platform-express | ^10.4.22 | auto_approved |
| @internal/storage-test-utils | 0.0.100 | Not imported |
| @internal/server-adapter-test-utils | 0.0.24 | Not imported |
Transitive Dependency Tree
Changes from v0.1.14
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | easy-day-js | ^1.11.21 |
File Changes
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
regressed-provenance |
provenance | reject | AI | AI (provenance): Provenance regression on a package with CI/CD history is a strong compromise indicator; generalizes until provenance is restored. | |
unvetted-dep:easy-day-js |
dependencies | reject | AI | AI (dependencies): easy-day-js is unvetted, phantom (not actually imported), and was added in the same version that lost provenance — high-risk combination. |
SAST Findings (2)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
This version was published by a different npm account (ehindero) than the most recent previously approved version (GitHub Actions) on 2026-06-17, but ehindero is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
Review Summary
Risk score: 58. Findings: 1 high (+25), 3 medium (+30), 1 low (+3), 2 info (+0).
Published to npm: