- Random bump (#18178)
- Random bump (#18178)
-
Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the
latestdist-tag forward, superseding the compromised versions that declared the maliciouseasy-day-jsdependency. (#18056) -
Updated dependencies [
339c57c,1dd4117,2b11d1f,77a2351,b7dff0a,02087e1,49af8df,30ce559,c241b92,7d6ff70,ab975d4,9d6aa1b]:- @mastra/core@1.44.0
-
Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the
latestdist-tag forward, superseding the compromised versions that declared the maliciouseasy-day-jsdependency. (#18056) -
Updated dependencies [
77a2351]:- @mastra/core@1.43.1-alpha.0
-
Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)
-
Updated dependencies [
c973db4,552285e,77e686c,ece8dba,e751af2,e2a8380,be3f1cd,a34d9db]:- @mastra/core@1.39.0
-
Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)
-
Updated dependencies [
c973db4,552285e,77e686c,ece8dba,e751af2,e2a8380,be3f1cd,a34d9db]:- @mastra/core@1.39.0-alpha.0
-
Fix endpoint URL construction for Okta org authorization servers. (#15694)
MastraAuthOktaconcatenated/v1/authorize(and/token,/keys,/logout) directly ontoOKTA_ISSUER. That yields the right endpoint for a custom authorization server (https://{domain}/oauth2/default→.../oauth2/default/v1/authorize), but 404s on an Okta org authorization server (https://{domain}→.../v1/authorize, whereas the real org endpoint is.../oauth2/v1/authorize).An internal
endpointBaseis now derived from the issuer — verbatim when it already contains/oauth2/, otherwise${issuer}/oauth2— and used for the authorize, token, keys, and logout URLs. JWTiss-claim validation still uses the raw issuer so token validation stays correct on both server types. Trailing slashes on the issuer are also normalized soOKTA_ISSUER=https://{domain}/no longer produces.../oauth2//v1/.... -
Updated dependencies [
452036a,c272d50,27fd1b7,5ba7253,5556cc1,f73980d,5499303,a702009,9aee493,d8692af,1a9cc60,8cdb86c,8534d79,eda90c5,a935b0a,9c88701,c78f8cd,e146aad,ac79462,1a0ec78,e47bca7,afc004f,0031d0f,841a222,64c1e0b,40d83a9,4e88dc6,19018f0,19281c7,3498b49,d52b6fe,408be73,359439b,71a820b,1698f5e]:- @mastra/core@1.36.0
-
Fix endpoint URL construction for Okta org authorization servers. (#15694)
MastraAuthOktaconcatenated/v1/authorize(and/token,/keys,/logout) directly ontoOKTA_ISSUER. That yields the right endpoint for a custom authorization server (https://{domain}/oauth2/default→.../oauth2/default/v1/authorize), but 404s on an Okta org authorization server (https://{domain}→.../v1/authorize, whereas the real org endpoint is.../oauth2/v1/authorize).An internal
endpointBaseis now derived from the issuer — verbatim when it already contains/oauth2/, otherwise${issuer}/oauth2— and used for the authorize, token, keys, and logout URLs. JWTiss-claim validation still uses the raw issuer so token validation stays correct on both server types. Trailing slashes on the issuer are also normalized soOKTA_ISSUER=https://{domain}/no longer produces.../oauth2//v1/.... -
Updated dependencies [
27fd1b7,a702009,8534d79,c78f8cd,e146aad,1a0ec78,d52b6fe]:- @mastra/core@1.36.0-alpha.10
-
fix(auth-okta): harden security defaults and address code review feedback (#14553)
- Fix cache poisoning: errors in
fetchGroupsFromOktanow propagate so the outer.catchevicts the entry and retries on next request - Reduce cookie size: only store user claims, id_token (for logout), and expiry — access/refresh tokens are no longer stored, keeping cookies under the 4KB browser limit
- Add
id_token_hintto logout URL (required by Okta) - Add console.warn for auto-generated cookie password and in-memory state store in production
- Document missing env vars (
OKTA_CLIENT_SECRET,OKTA_REDIRECT_URI,OKTA_COOKIE_PASSWORD) in README and examples - Expand
MastraAuthOktaOptionsdocs to include all fields (session config, scopes, etc.) - Fix test to actually exercise
getUserIdcross-provider lookup path
- Fix cache poisoning: errors in
-
Updated dependencies [
68ed4e9,085c1da,be37de4,7dbd611,f14604c,4a75e10,f3ce603,423aa6f,f21c626,41aee84,2871451,085c1da,4bb5adc,4bb5adc,e06b520,d3930ea,dd9c4e0]:- @mastra/core@1.16.0
-
fix(auth-okta): harden security defaults and address code review feedback (#14553)
- Fix cache poisoning: errors in
fetchGroupsFromOktanow propagate so the outer.catchevicts the entry and retries on next request - Reduce cookie size: only store user claims, id_token (for logout), and expiry — access/refresh tokens are no longer stored, keeping cookies under the 4KB browser limit
- Add
id_token_hintto logout URL (required by Okta) - Add console.warn for auto-generated cookie password and in-memory state store in production
- Document missing env vars (
OKTA_CLIENT_SECRET,OKTA_REDIRECT_URI,OKTA_COOKIE_PASSWORD) in README and examples - Expand
MastraAuthOktaOptionsdocs to include all fields (session config, scopes, etc.) - Fix test to actually exercise
getUserIdcross-provider lookup path
- Fix cache poisoning: errors in
-
Updated dependencies [
f14604c,e06b520,dd9c4e0]:- @mastra/core@1.16.0-alpha.4
- Initial release with Okta RBAC and Auth integration