Skip to content

docs(decisions): add SDK v1.0 stability, parity, and migration ADRs#3670

Open
Alberto Schiabel (jkomyno) wants to merge 23 commits into
nextfrom
docs/sdk-v1-decision-records
Open

docs(decisions): add SDK v1.0 stability, parity, and migration ADRs#3670
Alberto Schiabel (jkomyno) wants to merge 23 commits into
nextfrom
docs/sdk-v1-decision-records

Conversation

@jkomyno

Copy link
Copy Markdown
Collaborator

This PR:

  • builds on top of chore(agents): normalize repo guidance skills #3666
  • adds three decision records under docs/decisions/ capturing the settled plan for a coordinated Composio SDK 1.0, indexed in docs/decisions/README.md
  • sdk-1.0-stability-contract.md: scope (core + providers in; CLI and utility packages out), stable vs experimental.* tiers (Tool Router stabilized to stable, MCP stays experimental), coordinated milestone with independent version numbers, generated-client graduation, and the deprecation/rename-alias policy
  • cross-sdk-parity-policy.md: TypeScript as the reference implementation, the 1:1 naming rule and the @composio/google -> @composio/gemini rename, declared (n/a-by-design) provider divergence, Python sync + async, the shared COMPOSIO:: error-code catalog, the validate:sdk-parity check, and the living parity matrix
  • sdk-v0-to-v1-migration.md: final 0.x deprecation release, alias bridges through 1.x removed at 2.0, server-driven retirement of connected_accounts.initiate(), plus the codemod, v1-migration skill, migration doc page, and docs version selector
  • decision records only: they define the contract for the follow-up artifacts (validate:sdk-parity, the codemod, the v1-migration skill); no SDK code changes here

Stacked on #3666: review and merge that first, or review this against its base branch.

@vercel

vercel Bot commented Jun 25, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 3, 2026 2:38pm

Request Review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit d3eaccb. Configure here.

Comment thread docs/decisions/sdk-1.0-stability-contract.md
@jkomyno Alberto Schiabel (jkomyno) force-pushed the agents/normalize-guidance-skills branch 2 times, most recently from 25affad to cb04a69 Compare June 26, 2026 08:59
Base automatically changed from agents/normalize-guidance-skills to next June 26, 2026 20:36
Record the decisions settled for a coordinated Composio SDK 1.0:

- sdk-1.0-stability-contract: scope (core + providers in; CLI and
  utility packages out), stable vs experimental tiers (Tool Router
  stabilized to stable, MCP stays experimental), coordinated milestone
  with independent version numbers, generated-client graduation, and the
  deprecation/rename-alias policy.
- cross-sdk-parity-policy: TypeScript as reference implementation, the
  1:1 naming rule and the @composio/google -> @composio/gemini rename,
  declared (n/a-by-design) provider divergence, Python sync + async, the
  shared COMPOSIO:: error-code catalog, the validate:sdk-parity check,
  and the living parity matrix.
- sdk-v0-to-v1-migration: final 0.x deprecation release, alias bridges
  through 1.x removed at 2.0, server-driven retirement of initiate(),
  plus codemod + v1-migration skill + migration doc page + docs version
  selector.

Indexed in docs/decisions/README.md.
Companion to the v1.0 ADRs: the side-by-side SDK comparison and the
engineering backlog (blockers B1-B9, should-settle items, sequencing)
that the decision records reference but do not track. The decisions
themselves live in docs/decisions/.
Relocate the parity-and-readiness analysis from the repo root to
docs/decisions/sdk-v1-readiness.md so it sits beside the ADRs it
supports, and index it in the README.
Record the decision to replace Stainless with a self-hosted Hey API
codegen pipeline for composio-base-ts (@composio/client) and
composio-base-py (composio-client), keeping the deterministic
schema-committed PR flow. Wire it into the decisions index and
cross-reference it from the 1.0 stability contract's generated-client
section. Also fold in the parity-policy and readiness refinements that
mark validate:sdk-parity as planned (B9).
Fold the experimental (ctx, next) session-hooks proposal for
session.tools(...) into the SDK decision-record set, modeled on the
Pi provider's existing hooks. Index it in the decisions README.
@claude

claude Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Claude finished Alberto Schiabel (@jkomyno)'s task in 1m 51s —— View job


Docs review — SDK v1.0 decision records

  • Read docs-reviewer.md guidance
  • Diff against origin/next
  • Review changed docs files (3 ADRs + 3 .mdx edits + README index)
  • Verify claims against SDK source

Reviewed against docs/agent-guidance/agents/docs-reviewer.md. These are ADR-style records, so I checked for internal consistency, correctness of claims, and things that would mislead a reader, not prose style. Index entry (docs/decisions/README.md) is present for every new record ✅, and all cross-references between records resolve.


1. Confirmed — MCP tier is ambiguous (agrees with Cursor Bugbot) · sdk-1.0-stability-contract.md

The contract defines the two tiers as exhaustive and self-contained:

There is no third state. … Experimental (exempt from semver): everything reachable under the experimental.* namespace… (lines 29, 33)

But line 39 then declares MCP experimental, and MCP is not under experimental.* — it's a top-level namespace. Verified in source:

// ts/packages/core/src/composio.ts
this.mcp = new MCP(this.client);          // line 353 — top-level
this.experimental = new Experimental(...); // line 363 — the experimental.* namespace

So a reader following the definition literally can't tell whether composio.mcp follows semver-exempt (experimental) or frozen (stable) rules — the two rules that carry the whole contract. The parity matrix (line 67) also lists MCP as experimental without noting it lives outside experimental.*.

Fix: make the experimental tier definition name the surface explicitly rather than tie it solely to the namespace path. e.g. line 33:

**Experimental (exempt from semver):** the `experimental.*` namespace (custom tools,
custom toolkits, the shared-connection ACL) **and the top-level `mcp` namespace**, which
is experimental by declaration until it graduates in a 1.x minor. Experimental surfaces
can break in a minor release.

This keeps the "no third state" promise honest: mcp is a named exception carried at top level for ergonomics, not a hidden third tier. Fix this →


2. Minor — present-tense retirement is one day early for all-orgs · the 3 .mdx edits

The edits flip initiate() retirement from future to present tense: "no longer work", "is retired", "now raises". The all-org cutover is 2026-07-03 and today is 2026-07-02, so for orgs that haven't cut over yet (until tomorrow) initiate() still works. A developer on such an org reading "initiate() is retired … now raises …Error" while their call still succeeds could be briefly confused.

The "…after the 2026-05-08 / 2026-07-03 cutover" qualifier mostly covers this, so it's not a blocker — but "now raises" (migration guide) and "returns 400 BadRequest after the … cutover" read as fully-past for a window that closes tomorrow. If the docs go live today, consider keeping the all-org clause conditional ("raises … once your org's cutover completes") until 07-03. Not blocking.


Verdict

Nothing here would cause a developer to write broken code, and the records are internally consistent apart from the MCP tier gap. Finding #1 is worth fixing before merge — it's a genuine ambiguity in the core promise of the stability contract, not a style nit. #2 is optional. Otherwise this looks good.
· docs/sdk-v1-decision-records

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

⚠️ Security Audit Warning

The pnpm audit --prod check found security vulnerabilities in production dependencies.

Please review and fix the vulnerabilities. You can try running:

pnpm audit --fix --prod
Audit output
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch has a ReDoS via repeated wildcards with      │
│                     │ non-matching literal in pattern                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.1.7                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.1.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>openapi-typescript>@redocly/openapi- │
│                     │ core>minimatch                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3ppc-4f35-3m26      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch has a ReDoS via repeated wildcards with      │
│                     │ non-matching literal in pattern                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=9.0.0 <9.0.6                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=9.0.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gaxios>rimraf>glob>minimatch                   │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gcp-metadata>gaxios>rimraf>glob>minimatch      │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gtoken>gaxios>rimraf>glob>minimatch            │
│                     │                                                        │
│                     │ ... Found 6 paths, run `pnpm why minimatch` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3ppc-4f35-3m26      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch has ReDoS: matchOne() combinatorial          │
│                     │ backtracking via multiple non-adjacent GLOBSTAR        │
│                     │ segments                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.1.8                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.1.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>openapi-typescript>@redocly/openapi- │
│                     │ core>minimatch                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-7r86-cg39-jmmj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch has ReDoS: matchOne() combinatorial          │
│                     │ backtracking via multiple non-adjacent GLOBSTAR        │
│                     │ segments                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=9.0.0 <9.0.7                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=9.0.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gaxios>rimraf>glob>minimatch                   │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gcp-metadata>gaxios>rimraf>glob>minimatch      │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gtoken>gaxios>rimraf>glob>minimatch            │
│                     │                                                        │
│                     │ ... Found 6 paths, run `pnpm why minimatch` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-7r86-cg39-jmmj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch has ReDoS: matchOne() combinatorial          │
│                     │ backtracking via multiple non-adjacent GLOBSTAR        │
│                     │ segments                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=10.0.0 <10.2.3                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.2.3                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>@zed-industries/claude-code-         │
│                     │ acp>minimatch                                          │
│                     │                                                        │
│                     │ ts__packages__cli>ts-morph>@ts-morph/common>minimatch  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-7r86-cg39-jmmj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch ReDoS: nested *() extglobs generate          │
│                     │ catastrophically backtracking regular expressions      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.1.8                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.1.8                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>openapi-typescript>@redocly/openapi- │
│                     │ core>minimatch                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-23c5-xmqv-rm74      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch ReDoS: nested *() extglobs generate          │
│                     │ catastrophically backtracking regular expressions      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=9.0.0 <9.0.7                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=9.0.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gaxios>rimraf>glob>minimatch                   │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gcp-metadata>gaxios>rimraf>glob>minimatch      │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gtoken>gaxios>rimraf>glob>minimatch            │
│                     │                                                        │
│                     │ ... Found 6 paths, run `pnpm why minimatch` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-23c5-xmqv-rm74      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ minimatch ReDoS: nested *() extglobs generate          │
│                     │ catastrophically backtracking regular expressions      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ minimatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=10.0.0 <10.2.3                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.2.3                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>@zed-industries/claude-code-         │
│                     │ acp>minimatch                                          │
│                     │                                                        │
│                     │ ts__packages__cli>ts-morph>@ts-morph/common>minimatch  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-23c5-xmqv-rm74      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ @hono/node-server has authorization bypass for         │
│                     │ protected static paths via encoded slashes in Serve    │
│                     │ Static Middleware                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @hono/node-server                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.19.10                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.19.10                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>@hono/node-  │
│                     │ server                                                 │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>@modelcontextprotocol/     │
│                     │ sdk>@hono/node-server                                  │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@modelcontextprotocol/sdk>@hono/node-   │
│                     │ server                                                 │
│                     │                                                        │
│                     │ ... Found 30 paths, run `pnpm why @hono/node-server`   │
│                     │ for more information                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wc8c-qw6v-h7f6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ express-rate-limit: IPv4-mapped IPv6 addresses bypass  │
│                     │ per-client rate limiting on servers with dual-stack    │
│                     │ network                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ express-rate-limit                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.2.0 <8.2.2                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.2.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>express-     │
│                     │ rate-limit                                             │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>@modelcontextprotocol/     │
│                     │ sdk>express-rate-limit                                 │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@modelcontextprotocol/sdk>express-rate- │
│                     │ limit                                                  │
│                     │                                                        │
│                     │ ... Found 30 paths, run `pnpm why express-rate-limit`  │
│                     │ for more information                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-46wh-pxpv-q5gq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Picomatch has a ReDoS vulnerability via extglob        │
│                     │ quantifiers                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ picomatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.3.2                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.3.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>ts-morph>@ts-morph/common>fast-      │
│                     │ glob>micromatch>picomatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2c7-rcm5-vvqj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ lodash vulnerable to Code Injection via `_.template`   │
│                     │ imports key names                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ lodash                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=4.17.23                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.17.24                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__llamaindex>llamaindex>lodash             │
│                     │                                                        │
│                     │ ts__packages__providers__llamaindex>llamaindex>lodash  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-r5fr-rjxr-66jc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to path traversal via              │
│                     │ percent-encoded dot segments                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>ajv>fast-uri │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>ajv-         │
│                     │ formats>ajv>fast-uri                                   │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>ajv>fast-uri                           │
│                     │                                                        │
│                     │ ... Found 68 paths, run `pnpm why fast-uri` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-q3j6-qgpj-74h6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-uri vulnerable to host confusion via              │
│                     │ percent-encoded authority delimiters                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-uri                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.1.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>ajv>fast-uri │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>ajv-         │
│                     │ formats>ajv>fast-uri                                   │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>ajv>fast-uri                           │
│                     │                                                        │
│                     │ ... Found 68 paths, run `pnpm why fast-uri` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v39h-62p7-jpjc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ LangSmith SDK: Public prompt pull deserializes         │
│                     │ untrusted manifests without trust boundary warning     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ langsmith                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.6.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.6.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>@langchain/core>langsmith      │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/core>langsmith                    │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/langgraph-checkpoint>@langchain/  │
│                     │ core>langsmith                                         │
│                     │                                                        │
│                     │ ... Found 23 paths, run `pnpm why langsmith` for more  │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3644-q5cj-c5c7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ ws: Memory exhaustion DoS from tiny fragments and data │
│                     │ chunks                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.21.0                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.21.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__cloudflare__cf-workers-       │
│                     │ basic>openai>ws                                        │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>ws                                     │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>ws                         │
│                     │                                                        │
│                     │ ... Found 59 paths, run `pnpm why ws` for more         │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-96hv-2xvq-fx4p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ protobufjs: Denial of service through unbounded Any    │
│                     │ expansion during JSON conversion                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.6.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.6.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>protobufjs          │
│                     │                                                        │
│                     │ ts__packages__providers__google>@google/               │
│                     │ genai>protobufjs                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-wcpc-wj8m-hjx6      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ brace-expansion: Zero-step sequence causes process     │
│                     │ hang and memory exhaustion                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ brace-expansion                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <2.0.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gaxios>rimraf>glob>minimatch>brace-expansion   │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gcp-                                           │
│                     │ metadata>gaxios>rimraf>glob>minimatch>brace-expansion  │
│                     │                                                        │
│                     │ ts__examples__google>@google/genai>google-auth-        │
│                     │ library>gtoken>gaxios>rimraf>glob>minimatch>brace-     │
│                     │ expansion                                              │
│                     │                                                        │
│                     │ ... Found 7 paths, run `pnpm why brace-expansion` for  │
│                     │ more information                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f886-m6hf-6m8v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ brace-expansion: Zero-step sequence causes process     │
│                     │ hang and memory exhaustion                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ brace-expansion                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <5.0.5                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.0.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>@zed-industries/claude-code-         │
│                     │ acp>minimatch>brace-expansion                          │
│                     │                                                        │
│                     │ ts__packages__cli>ts-morph>@ts-morph/                  │
│                     │ common>minimatch>brace-expansion                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f886-m6hf-6m8v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Picomatch: Method Injection in POSIX Character Classes │
│                     │ causes incorrect Glob Matching                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ picomatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.3.2                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.3.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>ts-morph>@ts-morph/common>fast-      │
│                     │ glob>micromatch>picomatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-3v7f-55p6-f55p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ yaml is vulnerable to Stack Overflow via deeply nested │
│                     │ YAML collections                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ yaml                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <2.8.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.8.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>@effect/cli>yaml                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-48c2-rrv3-qjmp      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ lodash vulnerable to Prototype Pollution via array     │
│                     │ path bypass in `_.unset` and `_.omit`                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ lodash                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=4.17.23                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.17.24                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__llamaindex>llamaindex>lodash             │
│                     │                                                        │
│                     │ ts__packages__providers__llamaindex>llamaindex>lodash  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f23m-r3pf-42rh      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ @hono/node-server: Middleware bypass via repeated      │
│                     │ slashes in serveStatic                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @hono/node-server                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.19.13                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.19.13                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>@hono/node-  │
│                     │ server                                                 │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>@modelcontextprotocol/     │
│                     │ sdk>@hono/node-server                                  │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@modelcontextprotocol/sdk>@hono/node-   │
│                     │ server                                                 │
│                     │                                                        │
│                     │ ... Found 30 paths, run `pnpm why @hono/node-server`   │
│                     │ for more information                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-92pp-h63x-v22m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ LangSmith Client SDKs has Prototype Pollution in       │
│                     │ langsmith-sdk via Incomplete `__proto__` Guard in      │
│                     │ Internal lodash `set()`                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ langsmith                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=0.5.17                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.5.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>@langchain/core>langsmith      │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/core>langsmith                    │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/langgraph-checkpoint>@langchain/  │
│                     │ core>langsmith                                         │
│                     │                                                        │
│                     │ ... Found 23 paths, run `pnpm why langsmith` for more  │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-fw9q-39r9-c252      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ LangSmith SDK: Streaming token events bypass output    │
│                     │ redaction                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ langsmith                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=0.5.18                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.5.19                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__langchain>@langchain/core>langsmith      │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/core>langsmith                    │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/langgraph-checkpoint>@langchain/  │
│                     │ core>langsmith                                         │
│                     │                                                        │
│                     │ ... Found 23 paths, run `pnpm why langsmith` for more  │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rr7j-v2q5-chgv      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ip-address has XSS in Address6 HTML-emitting methods   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ip-address                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=10.1.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=10.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@modelcontextprotocol/sdk>express-     │
│                     │ rate-limit>ip-address                                  │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>@modelcontextprotocol/     │
│                     │ sdk>express-rate-limit>ip-address                      │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@modelcontextprotocol/sdk>express-rate- │
│                     │ limit>ip-address                                       │
│                     │                                                        │
│                     │ ... Found 30 paths, run `pnpm why ip-address` for more │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2v4-37r5-5v8g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ ws: Uninitialized memory disclosure                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ ws                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=8.0.0 <8.20.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.20.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>ws                  │
│                     │                                                        │
│                     │ ts__packages__providers__google>@google/genai>ws       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-58qx-3vcg-4xpx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__anthropic>@mastra/mcp>uuid               │
│                     │                                                        │
│                     │ ts__packages__providers__anthropic>@mastra/mcp>uuid    │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/core>langsmith>uuid │
│                     │                                                        │
│                     │ ... Found 58 paths, run `pnpm why uuid` for more       │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=13.0.0 <13.0.1                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.0.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>uuid                                    │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v4>@mastra/mcp>uuid                                    │
│                     │                                                        │
│                     │ ts__examples__langchain>@langchain/                    │
│                     │ langgraph>@langchain/langgraph-sdk>uuid                │
│                     │                                                        │
│                     │ ... Found 6 paths, run `pnpm why uuid` for more        │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ brace-expansion: Large numeric range defeats           │
│                     │ documented `max` DoS protection                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ brace-expansion                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <5.0.6                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.0.6                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__packages__cli>@zed-industries/claude-code-         │
│                     │ acp>minimatch>brace-expansion                          │
│                     │                                                        │
│                     │ ts__packages__cli>ts-morph>@ts-morph/                  │
│                     │ common>minimatch>brace-expansion                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-jxxr-4gwj-5jf2      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ protobufjs : Schema-derived names can shadow           │
│                     │ runtime-significant properties                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ protobufjs                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.6.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.6.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__examples__google>@google/genai>protobufjs          │
│                     │                                                        │
│                     │ ts__packages__providers__google>@google/               │
│                     │ genai>protobufjs                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f38q-mgvj-vph7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ JS-YAML: Quadratic-complexity DoS in merge key         │
│                     │ handling via repeated aliases                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ js-yaml                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <3.15.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.15.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>gray-matter>js-yaml                    │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>gray-matter>js-yaml        │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v4>@mastra/core>gray-matter>js-yaml                    │
│                     │                                                        │
│                     │ ... Found 7 paths, run `pnpm why js-yaml` for more     │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-h67p-54hq-rp68      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ JS-YAML: Quadratic-complexity DoS in merge key         │
│                     │ handling via repeated aliases                          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ js-yaml                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <=4.1.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.1.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@apidevtools/json-schema-ref-parser>js- │
│                     │ yaml                                                   │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v4>@mastra/mcp>@apidevtools/json-schema-ref-parser>js- │
│                     │ yaml                                                   │
│                     │                                                        │
│                     │ ts__examples__anthropic>@mastra/mcp>@apidevtools/json- │
│                     │ schema-ref-parser>js-yaml                              │
│                     │                                                        │
│                     │ ... Found 5 paths, run `pnpm why js-yaml` for more     │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-h67p-54hq-rp68      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ @ai-sdk/provider-utils has an Uncontrolled Resource    │
│                     │ Consumption issue                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ @ai-sdk/provider-utils                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.0.97                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.0.98                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/core>@ai-sdk/provider-utils                 │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v3>@mastra/mcp>@mastra/core>@ai-sdk/provider-utils     │
│                     │                                                        │
│                     │ ts__e2e-tests__runtimes__node__mastra-tool-router-zod- │
│                     │ v4>@mastra/core>@ai-sdk/provider-utils                 │
│                     │                                                        │
│                     │ ... Found 11 paths, run `pnpm why                      │
│                     │ @ai-sdk/provider-utils` for more information           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-866g-f22w-33x8      │
└─────────────────────┴────────────────────────────────────────────────────────┘
34 vulnerabilities found
Severity: 1 low | 16 moderate | 17 high

One plan per road-to-v1.md phase (Steps 1-6, three parallel lanes)
plus a client-passthrough plan exposing granular Tool Router session
flags (search.enable, execute.enable_multi_execute) that today are
only reachable through SESSION_PRESET_DIRECT_TOOLS or the raw client.
Each plan carries requirements, key decisions, unit breakdown, and
verification gates; all ten were adversarially reviewed with codex.
@claude

claude Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Claude finished Alberto Schiabel (@jkomyno)'s task in 1m 37s —— View job


Docs review — SDK v1.0 decision records

  • Read docs-reviewer.md guidance
  • Review changed docs files (3 ADRs + supporting records + 3 .mdx edits + README index)
  • Verify claims against SDK source

Reviewed against docs/agent-guidance/agents/docs-reviewer.md. These are ADR-style records, so I checked for internal consistency, correctness of claims, and things that would mislead a reader, not prose style. Index entry (docs/decisions/README.md) present for every new record ✅, and all cross-references between records resolve ✅.


1. Still open — Experimental tier definition excludes top-level mcp · sdk-1.0-stability-contract.md:33,39

This was raised by Cursor Bugbot and my earlier pass, and the wording is unchanged, so re-flagging. The contract makes the two tiers exhaustive and self-contained:

Every public surface is either stable or experimental. There is no third state. (line 29)
Experimental (exempt from semver): everything reachable under the experimental.* namespace… (line 33)

But line 39 declares MCP experimental, and composio.mcp is a top-level namespace, not under experimental.*. Confirmed in source:

// ts/packages/core/src/composio.ts
this.mcp = new MCP(this.client);            // line 353 — top-level
this.experimental = new Experimental(...);  // line 363 — the experimental.* namespace

So a reader applying the definition literally cannot tell whether composio.mcp follows the semver-exempt (experimental) or the frozen (stable) rule — the two rules that carry the whole contract. The parity matrix (line 67) lists MCP as experimental with the same gap.

Fix — name the surface explicitly in the tier definition instead of tying it solely to the namespace path. e.g. line 33:

Experimental (exempt from semver): the experimental.* namespace (custom tools, custom toolkits, the shared-connection ACL) and the top-level mcp namespace, which is experimental by declaration until it graduates in a 1.x minor.

This keeps "no third state" honest: mcp is a named top-level exception carried for ergonomics, not a hidden tier. Fix this →


2. Resolved by date — present-tense initiate() retirement · the 3 .mdx edits

My earlier pass flagged the present tense ("is retired", "now raises", "returns 400 BadRequest") as one day early for orgs that hadn't cut over. Today is 2026-07-03 — the all-org cutover date — so the present tense is now accurate for every org. No change needed.


Verdict

Nothing here would cause a developer to write broken code, and the records are internally consistent apart from the MCP tier gap. Finding #1 is worth fixing before merge — it's a genuine ambiguity in the core promise of the stability contract, not a style nit, and it's a one-clause edit in two files. Everything else looks good.
· docs/sdk-v1-decision-records

@claude

claude Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Claude finished Alberto Schiabel (@jkomyno)'s task in 1m 14s —— View job


Docs review — SDK v1.0 decision records

  • Read docs-reviewer.md guidance
  • Review changed docs files (ADRs + supporting records + 3 .mdx edits + README index)
  • Verify claims against SDK source

Reviewed against docs/agent-guidance/agents/docs-reviewer.md. These are ADR-style records, so I checked for internal consistency, correctness of claims, and things that would mislead a reader, not prose style. Every new record has an index entry in docs/decisions/README.md ✅, and all cross-references between records resolve ✅.


1. Still open — Experimental tier definition excludes top-level mcp · sdk-1.0-stability-contract.md:33,39

Raised by Cursor Bugbot and two earlier passes; the wording is unchanged on this synchronize, so re-flagging. The contract makes the two tiers exhaustive and self-contained:

Every public surface is either stable or experimental. There is no third state. (line 29)
Experimental (exempt from semver): everything reachable under the experimental.* namespace… (line 33)

But line 39 declares MCP experimental, and composio.mcp is a top-level namespace, not under experimental.*. Confirmed in source:

// ts/packages/core/src/composio.ts
this.mcp = new MCP(this.client);            // line 353 — top-level
this.experimental = new Experimental(...);  // line 363 — the experimental.* namespace

So a reader applying the definition literally cannot tell whether composio.mcp follows the semver-exempt (experimental) or the frozen (stable) rule — the two rules that carry the whole contract. The parity matrix in cross-sdk-parity-policy.md:67 lists MCP as experimental with the same gap.

Fix — name the surface explicitly in the tier definition instead of tying it solely to the namespace path. e.g. line 33:

Experimental (exempt from semver): the experimental.* namespace (custom tools, custom toolkits, the shared-connection ACL) and the top-level mcp namespace, which is experimental by declaration until it graduates in a 1.x minor.

This keeps "no third state" honest: mcp is a named top-level exception carried for ergonomics, not a hidden tier. Fix this →


2. Resolved by date — present-tense initiate() retirement · the 3 .mdx edits

An earlier pass flagged the present tense ("is retired", "now raises", "returns 400 BadRequest") as one day early for orgs that hadn't cut over. Today is 2026-07-03 — the all-org cutover date — so the present tense is now accurate for every org. The retained "…after the 2026-05-08 / 2026-07-03 cutover" qualifiers keep it precise. No change needed.


Verdict

Nothing here would cause a developer to write broken code, and the records are internally consistent apart from the MCP tier gap. Finding #1 is worth fixing before merge — it's a genuine ambiguity in the core promise of the stability contract, not a style nit, and it's a one-clause edit in two files. Everything else looks good.
· docs/sdk-v1-decision-records

@claude

claude Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Claude finished Alberto Schiabel (@jkomyno)'s task in 1m 7s —— View job


Docs review — SDK v1.0 decision records

  • Read docs-reviewer.md guidance
  • Review changed docs files (ADRs + supporting records + 3 .mdx edits + README index)
  • Verify claims against SDK source

Reviewed against docs/agent-guidance/agents/docs-reviewer.md. ADR-style records, so I checked internal consistency, correctness of claims, and things that would mislead a reader — not prose style. Every new record has an index entry in docs/decisions/README.md ✅, and all cross-references resolve ✅.


1. Still open — Experimental tier definition excludes top-level mcp · sdk-1.0-stability-contract.md:33,39

Raised by Cursor Bugbot and three earlier passes; wording is unchanged on this synchronize, so re-flagging. The contract makes the two tiers exhaustive and self-contained:

Every public surface is either stable or experimental. There is no third state. (line 29)
Experimental (exempt from semver): everything reachable under the experimental.* namespace… (line 33)

But line 39 declares MCP experimental, and composio.mcp is a top-level namespace, not under experimental.*. Re-confirmed in source this pass:

// ts/packages/core/src/composio.ts
this.mcp = new MCP(this.client);            // top-level
this.experimental = new Experimental(...);  // the experimental.* namespace

So a reader applying the definition literally cannot tell whether composio.mcp follows the semver-exempt (experimental) or frozen (stable) rule — the two rules that carry the whole contract. cross-sdk-parity-policy.md:67 lists MCP as experimental with the same gap.

Fix — name the surface explicitly in the tier definition instead of tying it solely to the namespace path. e.g. line 33:

Experimental (exempt from semver): the experimental.* namespace (custom tools, custom toolkits, the shared-connection ACL) and the top-level mcp namespace, which is experimental by declaration until it graduates in a 1.x minor.

Keeps "no third state" honest: mcp is a named top-level exception carried for ergonomics, not a hidden tier. Fix this →


2. Resolved by date — present-tense initiate() retirement · the 3 .mdx edits

An earlier pass flagged the present tense ("is retired", "now raises", "returns 400 BadRequest") as one day early for orgs that hadn't cut over. Today is 2026-07-03 — the all-org cutover date — so the present tense is accurate for every org, and the retained "…after the 2026-05-08 / 2026-07-03 cutover" qualifiers keep it precise. No change needed.


Verdict

Nothing here would cause a developer to write broken code, and the records are internally consistent apart from the MCP tier gap. Finding #1 is worth fixing before merge — it's a genuine ambiguity in the core promise of the stability contract, not a style nit, and it's a one-clause edit in two files. Everything else looks good.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant