mastra Security: Moderate severity vulnerabilities in AI SDK dependencies

Security: Moderate severity vulnerabilities in AI SDK dependencies

Open memaxo opened this issue 1 month ago • 0 comments

Running npm audit reveals moderate severity vulnerabilities in the AI SDK dependencies of @mastra/[email protected] and current stable version

nanoid < 3.3.8 vulnerability in:
- @ai-sdk/provider-utils
- @ai-sdk/anthropic
- @ai-sdk/openai
- anthropic-vertex-ai

The vulnerability allows predictable results in nanoid generation when given non-integer values (GHSA-mwcw-c2x4-8c55).

Manually updating AI SDK dependencies to latest versions doesn't fully resolve the issue
The vulnerability persists due to nested dependencies

Recommendation:

Update the AI SDK dependencies to use newer versions of nanoid
Consider making AI SDK dependencies optional for users who don't need AI features
Or provide a way to use Mastra core features without the AI dependencies

{
"@mastra/core": "^0.1.27-alpha.67",
"@ai-sdk/anthropic": "^1.1.2",
"@ai-sdk/openai": "^1.1.2",
"@ai-sdk/provider-utils": "^2.1.2",
"anthropic-vertex-ai": "^1.0.2"
}

Steps to Reproduce:

Install @mastra/[email protected] or latest stable 0.1.26
Run npm audit

Jan 23 '25 23:01 memaxo

mastra mastra copied to clipboard

Security: Moderate severity vulnerabilities in AI SDK dependencies

mastra
mastra copied to clipboard