registry  /  mastra  /  1.18.1

mastra@1.18.1

cli for mastra

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 2.95 MB of source, external domains: aomediacodec.github.io, api.open-meteo.com, app.posthog.com, cloud-api.livekit.io, gateway-api.mastra.ai, gateway-api.staging.mastra.ai, geocoding-api.open-meteo.com, github.com, mastra.ai, observability.mastra.ai, platform.mastra.ai, prettier.io, projects.mastra.ai, radix-ui.com, raw.githubusercontent.com, react.dev, studio.mastra.ai, studio.staging.mastra.ai, us.posthog.com
Oversized source lightweight scan
dist/studio/assets/main-D9a0smyR.js6.53 MB file, sampled 256 KB
HighEntropyStringsMinifiedUrlStringsmastra.airadix-ui.comreact.dev

Source & flagged code

8 flagged · loading source
dist/studio/assets/livekit-client.esm-CKIgC2IJ.jsView file
13patternName = generic_password severity = medium line = 13 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/studio/assets/livekit-client.esm-CKIgC2IJ.jsView on unpkg · L13
dist/studio/assets/engine-compile-BkERmzkH.jsView file
1const de=String.raw,Ee=de`(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|\p{Emoji_Presentation})`,ve=de`\u{E0061}-\u{E007A}`,dt=()=>new RegExp(de`[\u{1F1E6}-\... L2: \\(?: \d+
High
Child Process

Package source references child process execution.

dist/studio/assets/engine-compile-BkERmzkH.jsView on unpkg · L1
dist/chunk-EXG3XKBK.jsView file
60} else if (isWSL()) { L61: execFileSync("powershell.exe", ["-NoProfile", "-Command", `Start-Process '${url.replace(/'/g, "''")}'`]); L62: } else {
High
Shell

Package source references shell execution.

dist/chunk-EXG3XKBK.jsView on unpkg · L60
dist/studio/assets/babel-CmeIX3PZ.jsView file
2- Did you mean \`export { '${t}' as '${e}' } from 'some-module'\`?`,ExportDefaultFromAsIdentifier:"'from' is not allowed as an identifier after 'export default'.",ForInOfLoopInitia... L3: - Did you mean \`import { "${t}" as foo }\`?`,ImportCallArity:"`import()` requires exactly one or two arguments.",ImportCallNotNewExpression:"Cannot use new with import(...).",Impo... L4: `:`\r
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/studio/assets/babel-CmeIX3PZ.jsView on unpkg · L2
dist/chunk-4LX4IHFE.jsView file
245const installCommand = shellQuote.quote([pm, "install"]); L246: await exec(installCommand, { L247: cwd: projectPath ... L254: } L255: var TEMPLATES_API_URL = process.env.MASTRA_TEMPLATES_API_URL || "https://mastra.ai/api/templates.json"; L256: async function loadTemplates() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunk-4LX4IHFE.jsView on unpkg · L245
dist/studio/assets/CommitMono-700-Regular-DmOSN4kd.woff2View file
path = dist/studio/assets/CommitMono-700-Regular-DmOSN4kd.woff2 kind = high_entropy_blob sizeBytes = 68648 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/studio/assets/CommitMono-700-Regular-DmOSN4kd.woff2View on unpkg
dist/studio/assets/main-D9a0smyR.jsView file
path = dist/studio/assets/main-D9a0smyR.js kind = oversized_source_file sizeBytes = 6848792 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/studio/assets/main-D9a0smyR.jsView on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = mastra@1.18.0 matchedIdentity = npm:bWFzdHJh:1.18.0 similarity = 0.906 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

6 High6 Medium6 Low
HighChild Processdist/studio/assets/engine-compile-BkERmzkH.js
HighShelldist/chunk-EXG3XKBK.js
HighSame File Env Network Executiondist/chunk-4LX4IHFE.js
HighShips High Entropy Blobdist/studio/assets/CommitMono-700-Regular-DmOSN4kd.woff2
HighOversized Source Filedist/studio/assets/main-D9a0smyR.js
HighPrevious Version Dangerous Deltadist/index.js
MediumSecret Patterndist/studio/assets/livekit-client.esm-CKIgC2IJ.js
MediumDynamic Requiredist/studio/assets/babel-CmeIX3PZ.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings