- Random bump (#18178)
- Random bump (#18178)
-
Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the
latestdist-tag forward, superseding the compromised versions that declared the maliciouseasy-day-jsdependency. (#18056) -
Updated dependencies [
339c57c,1dd4117,2b11d1f,77a2351,b7dff0a,02087e1,49af8df,30ce559,c241b92,7d6ff70,ab975d4,9d6aa1b]:- @mastra/core@1.44.0
-
Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the
latestdist-tag forward, superseding the compromised versions that declared the maliciouseasy-day-jsdependency. (#18056) -
Updated dependencies [
77a2351]:- @mastra/core@1.43.1-alpha.0
-
Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)
-
Updated dependencies [
c973db4,552285e,77e686c,ece8dba,e751af2,e2a8380,be3f1cd,a34d9db]:- @mastra/core@1.39.0
-
Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)
-
Updated dependencies [
c973db4,552285e,77e686c,ece8dba,e751af2,e2a8380,be3f1cd,a34d9db]:- @mastra/core@1.39.0-alpha.0
-
Authentication now refreshes expired server-side sessions transparently, so recoverable token expiry no longer causes unexpected user sign-outs. Only truly expired sessions (e.g. refresh token dead) return a 401. (#15819)
Server adapters now forward refreshed session cookies consistently, and auth-studio logs session validation and refresh failures to improve diagnostics.
-
Updated dependencies [
28caa5b,c1ae974,b510d36,13b4d7c,7a7b313,c04417b,cf25a03,8a71261,9e973b0,dd934a0,ba6b0c5,a6dac0a,5a4b1ee,5a4b1ee,5a4b1ee,6c8c6c7,5a4b1ee,7d056b6,9cef83b,d30e215,021a60f,73f2809,aedeea4,26f1f94,8126d86,73b45fa,ae97520,7a7b313,441670a]:- @mastra/core@1.29.0
-
Authentication now refreshes expired server-side sessions transparently, so recoverable token expiry no longer causes unexpected user sign-outs. Only truly expired sessions (e.g. refresh token dead) return a 401. (#15819)
Server adapters now forward refreshed session cookies consistently, and auth-studio logs session validation and refresh failures to improve diagnostics.
-
Updated dependencies [
28caa5b,7d056b6,26f1f94]:- @mastra/core@1.29.0-alpha.5
-
Fix session refresh for studio-deployed instances. Sessions now properly refresh when expired, preventing users from being logged out every 5 minutes. (#15024)
-
Fix Bearer token authentication to extract role from /auth/verify response. Previously, CLI tokens created via
mastra auth token createwould fail permission checks because the role was not being extracted, causing MastraRBACStudio to fall back to empty default permissions. (#15075) -
Updated dependencies [
f32b9e1,7d6f521,a50d220,665477b,4cc2755,ac7baf6,ed425d7,1371703,0df8321,98f8a8b,ba6f7e9,7eb2596,1805ddc,fff91cf,61109b3,33f1ead]:- @mastra/core@1.23.0
-
Fix Bearer token authentication to extract role from /auth/verify response. Previously, CLI tokens created via
mastra auth token createwould fail permission checks because the role was not being extracted, causing MastraRBACStudio to fall back to empty default permissions. (#15075) -
Updated dependencies [
1371703,98f8a8b]:- @mastra/core@1.23.0-alpha.5
-
Fix session refresh for studio-deployed instances. Sessions now properly refresh when expired, preventing users from being logged out every 5 minutes. (#15024)
-
Updated dependencies [
ed425d7,ba6f7e9,7eb2596]:- @mastra/core@1.23.0-alpha.0
- Add configurable cookie domain support (#14285)
- Add
cookieDomainoption toMastraAuthStudioOptionsfor explicit configuration - Support
MASTRA_COOKIE_DOMAINenvironment variable as fallback - Use hostname-based detection for auto-detecting
.mastra.aidomain (prevents false positives from malicious URLs) - Maintain backward compatibility with existing
.mastra.aiauto-detection
- Add
- Updated dependencies [
51970b3,4444280,085e371,b77aa19,dbb879a,8b4ce84,8d4cfe6,dd6ca1c,ce26fe2,68a019d,4cb4edf,8de3555,b26307f,68a019d]:- @mastra/core@1.14.0
- Add configurable cookie domain support (#14285)
- Add
cookieDomainoption toMastraAuthStudioOptionsfor explicit configuration - Support
MASTRA_COOKIE_DOMAINenvironment variable as fallback - Use hostname-based detection for auto-detecting
.mastra.aidomain (prevents false positives from malicious URLs) - Maintain backward compatibility with existing
.mastra.aiauto-detection
- Add
-
Added
@mastra/auth-studio— an auth provider for deployed Mastra Studio instances that proxies authentication through the Mastra shared API. (#13163)Deployed instances need no secrets — all WorkOS authentication is handled by the shared API. The package provides SSO login/callback flows, session management via sealed cookies, RBAC with organization-scoped permissions, and automatic forced account picker on deploy logins.
- Updated dependencies [
504fc8b,f9c150b,88de7e8,edee4b3,3790c75,e7a235b,d51d298,6dbeeb9,d5f0d8d,09c3b18,b896379,85c84eb,a89272a,ee9c8df,77b4a25,276246e,08ecfdb,d5f628c,524c0f3,c18a0e9,4bd21ea,115a7a4,22a48ae,3c6ef79,9311c17,7edf78f,1c4221c,d25b9ea,fe1ce5c,b03c0e0,0a8366b,85664e9,bc79650,9257d01,3a3a59e,3108d4e,0c33b2c,191e5bd,f77cd94,e8135c7,daca48f,257d14f,352f25d,93477d0,31c78b3,0bc0720,36516ac,e947652,3c6ef79,9257d01,ec248f6]:- @mastra/core@1.9.0
-
Added
@mastra/auth-studio— an auth provider for deployed Mastra Studio instances that proxies authentication through the Mastra shared API. (#13163)Deployed instances need no secrets — all WorkOS authentication is handled by the shared API. The package provides SSO login/callback flows, session management via sealed cookies, RBAC with organization-scoped permissions, and automatic forced account picker on deploy logins.
- Updated dependencies [
504fc8b,f9c150b,88de7e8,edee4b3,3790c75,e7a235b,d51d298,6dbeeb9,d5f0d8d,09c3b18,b896379,85c84eb,a89272a,ee9c8df,77b4a25,276246e,08ecfdb,d5f628c,524c0f3,c18a0e9,4bd21ea,115a7a4,22a48ae,3c6ef79,9311c17,7edf78f,1c4221c,d25b9ea,fe1ce5c,b03c0e0,0a8366b,85664e9,bc79650,9257d01,3a3a59e,3108d4e,0c33b2c,191e5bd,f77cd94,e8135c7,daca48f,257d14f,352f25d,93477d0,31c78b3,0bc0720,36516ac,e947652,3c6ef79,9257d01,ec248f6]:- @mastra/core@1.9.0-alpha.0