@mastra/server @2.1.1
Typed HTTP handlers and utilities for exposing a `Mastra` instance over HTTP. This package powers `mastra dev` and can be added to your own server to provide REST and streaming endpoints for agents, workflows, telemetry and more.
Maintainers
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| hono | ^4.12.8 | auto_approved |
| easy-day-js | ^1.11.21 | auto_approved |
Dev Dependencies (23)
| Package | Constraint | Registry Status |
|---|---|---|
| tsx | ^4.22.4 | auto_approved |
| zod | ^4.4.3 | auto_approved |
| tsup | ^8.5.1 | auto_approved |
| eslint | ^10.4.1 | auto_approved |
| vitest | 4.1.5 | No greenflagged match |
| superjson | ^2.2.6 | auto_approved |
| zod-to-ts | ^2.0.0 | auto_approved |
| @vitest/ui | 4.1.5 | auto_approved |
| typescript | ^6.0.3 | auto_approved |
| @types/node | 22.19.15 | auto_approved |
| @mastra/core | 1.42.0 | auto_approved |
| canonicalize | ^1.0.8 | No greenflagged match |
| @ai-sdk/openai | ^1.3.24 | auto_approved |
| @internal/core | 0.0.0 | No greenflagged match |
| @internal/lint | 0.0.104 | Not imported |
| @internal/voice | 0.0.5 | Not imported |
| @ai-sdk/openai-v5 | npm:@ai-sdk/[email protected] | No greenflagged match |
| @vitest/coverage-v8 | 4.1.5 | auto_approved |
| @internal/test-utils | 0.0.40 | Not imported |
| @mastra/agent-builder | 1.0.41 | No greenflagged match |
| @mastra/schema-compat | 1.2.11 | auto_approved |
| @internal/types-builder | 0.0.79 | Not imported |
| @internal/storage-test-utils | 0.0.100 | Not imported |
Transitive Dependency Tree
Changes from v1.42.0
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | easy-day-js | ^1.11.21 |
File Changes
SAST Findings (2)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
This version was published by a different npm account (ehindero) than the most recent previously approved version (GitHub Actions) on 2026-06-17, but ehindero is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
Review Summary
Risk score: 51. Findings: 1 high (+25), 2 medium (+20), 2 low (+6), 2 info (+0).
Published to npm: