New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Moderate severity vulnerabilities in AI SDK dependencies #1508

Open

memaxo opened this issue Jan 23, 2025 · 0 comments

memaxo commented Jan 23, 2025

Running npm audit reveals moderate severity vulnerabilities in the AI SDK dependencies of @mastra/[email protected] and current stable version

nanoid < 3.3.8 vulnerability in:
- @ai-sdk/provider-utils
- @ai-sdk/anthropic
- @ai-sdk/openai
- anthropic-vertex-ai

The vulnerability allows predictable results in nanoid generation when given non-integer values (GHSA-mwcw-c2x4-8c55).

Manually updating AI SDK dependencies to latest versions doesn't fully resolve the issue
The vulnerability persists due to nested dependencies

Recommendation:

Update the AI SDK dependencies to use newer versions of nanoid
Consider making AI SDK dependencies optional for users who don't need AI features
Or provide a way to use Mastra core features without the AI dependencies

{
"@mastra/core": "^0.1.27-alpha.67",
"@ai-sdk/anthropic": "^1.1.2",
"@ai-sdk/openai": "^1.1.2",
"@ai-sdk/provider-utils": "^2.1.2",
"anthropic-vertex-ai": "^1.0.2"
}

Steps to Reproduce:

Install @mastra/[email protected] or latest stable 0.1.26
Run npm audit

The text was updated successfully, but these errors were encountered:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment