build(deps): Bump the prod-minor-patch group with 4 updates

[dependabot]

Bumps the prod-minor-patch group with 4 updates: @mastra/core, @octokit/graphql, @octokit/rest and yaml.

Updates @mastra/core from 0.10.0 to 0.24.9

Release notes

Sourced from @​mastra/core's releases.

December 17, 2025

Changelog

Summary

• Total packages with changes: 14
• Packages with major changes: 0
• Packages with minor changes: 0
• Packages with patch changes: 1

---

@​mastra/client-js@​0.17.2-alpha.0

Dependency Updates

• @​mastra/core@​0.24.9-alpha.0

---

@​mastra/core@​0.24.9-alpha.0

Patch Changes

• Fix memory leak in telemetry decorators when processing large payloads. The @withSpan decorator now uses bounded serialization utilities to prevent unbounded memory growth when tracing agents with large inputs like base64 images. (#11231)

---

@​mastra/dane@​0.1.26-alpha.0

Dependency Updates

• @​mastra/core@​0.24.9-alpha.0

---

@​mastra/deployer@​0.24.9-alpha.0

Dependency Updates

• @​mastra/core@​0.24.9-alpha.0
• @​mastra/server@​0.24.9-alpha.0

---

@​mastra/deployer-cloud@​0.24.9-alpha.0

Dependency Updates

• @​mastra/core@​0.24.9-alpha.0

... (truncated)

Changelog

Sourced from @​mastra/core's changelog.

0.24.9

Patch Changes

• Fix memory leak in telemetry decorators when processing large payloads. The @withSpan decorator now uses bounded serialization utilities to prevent unbounded memory growth when tracing agents with large inputs like base64 images. (#11231)

0.24.9-alpha.1

0.24.9-alpha.0

Patch Changes

• Fix memory leak in telemetry decorators when processing large payloads. The @withSpan decorator now uses bounded serialization utilities to prevent unbounded memory growth when tracing agents with large inputs like base64 images. (#11231)

0.24.8

0.24.8-alpha.0

0.24.7

Patch Changes

• unexpected json parse issue, log error but dont fail (#10640)

• Emit error chunk and call onError when agent workflow step fails (#10905)

  When a workflow step fails (e.g., tool not found), the error is now properly emitted as an error chunk to the stream and the onError callback is called. This fixes the issue where agent.generate() would throw "promise 'text' was not resolved or rejected" instead of the actual error message.

• Improved typing for workflow.then to allow the provided steps inputSchema to be a subset of the previous steps outputSchema. Also errors if the provided steps inputSchema is a superset of the previous steps outputSchema. (#10775)

• Add timeTravel APIs and add timeTravel feature to studio (#10757)

• Fix backport (#10599)

• Fix type issue with workflow .parallel() when passing multiple steps, one or more of which has a resumeSchema provided. (#10712)

• Handle state update and bailing in foreach steps (#10826)

• Fix corrupted provider-registry.json file (#10605)

• Fix discriminatedUnion schema information lost when json schema is converted to zod (#10764)

• Fix writer.custom not working during workflow resume operations (#10921)

  When a workflow step is resumed, the writer parameter was not being properly passed through, causing writer.custom() calls to fail. This fix ensures the writableStream parameter is correctly passed to both run.resume() and run.start() calls in the workflow execution engine, allowing custom events to be emitted properly during resume operations.

• Add restart method to workflow run that allows restarting an active workflow run (#10703) Add status filter to getWorkflowRuns Add automatic restart to restart active workflow runs when server starts

... (truncated)

Commits

• 99225fc chore: version - exit prerelease mode
• aab8fd1 chore: version packages (alpha) (#11269)
• 840f5a3 ported deepClean improvements from main to 0.x (#11263)
• d775a6d chore: version packages (alpha) (#11233)
• c56f64b Fix memory leak in telemetry decorators when processing large payload (#11231)
• 5600f3f chore: version - exit prerelease mode
• 1c27c4e chore: version packages (alpha)
• 0c2bfe5 chore: version - exit prerelease mode
• b0c36d6 chore: version packages (alpha) (#11041)
• 67840c0 chore: version packages (alpha) (#10990)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​mastra/core since your current version.

Updates @octokit/graphql from 8.1.1 to 8.2.2

Release notes

Sourced from @​octokit/graphql's releases.

v8.2.2

8.2.2 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#649) (fceca07)

v8.2.1

8.2.1 (2025-02-14)

Bug Fixes

• deps: update dependency @​octokit/request to v9.2.2 [security] (#636) (0e582ca)

v8.2.0

8.2.0 (2025-01-31)

Features

• allow users to specify operationName in multi-operation queries (#629) (9a1787e)

v8.1.2

8.1.2 (2024-12-31)

Bug Fixes

• deps: bump Octokit dependencies (#620) (97a801c)

Commits

• fceca07 fix(deps): update dependency @​octokit/types to v14 (#649)
• 002b73a chore(deps): remove unused dependency @​types/fetch-mock to v9 (#639)
• 8cc34c8 build(deps): lock file maintenance (#646)
• b99a389 build(deps): bump vite from 6.2.0 to 6.2.5 (#648)
• ed3cff6 ci(prettier): use Node LTS instead of v16 (#645)
• ed39f32 chore(deps): update dependency prettier to v3.5.3 (#643)
• 6da8af6 build(deps): lock file maintenance (#644)
• 77e126e build(deps): lock file maintenance (#642)
• 5a0fdd5 chore(deps): update dependency semantic-release-plugin-update-version-in-file...
• 41a9ea7 chore(deps): update dependency prettier to v3.5.2 (#641)
• Additional commits viewable in compare view

Updates @octokit/rest from 21.0.2 to 21.1.1

Release notes

Sourced from @​octokit/rest's releases.

v21.1.1

21.1.1 (2025-02-14)

Bug Fixes

• deps: update Octokit dependencies to mitigate ReDos [security] (#484) (ca256c3)

v21.1.0

21.1.0 (2025-01-08)

Features

• new endpoints, bump Octokit deps to fix Deno (#477) (908b1c8)

Commits

• ca256c3 fix(deps): update Octokit dependencies to mitigate ReDos [security] (#484)
• e791111 chore(deps): update dependency esbuild to ^0.25.0 (#483)
• facaa50 build(deps-dev): Bump vitest and @​vitest/coverage-v8 (#481)
• 8a0c472 chore(deps): update dependency undici to v6.21.1 [security] (#480)
• 4abc914 chore(deps): update vitest monorepo to v3 (major) (#478)
• 908b1c8 feat: new endpoints, bump Octokit deps to fix Deno (#477)
• 751b522 chore(deps): update dependency fetch-mock to v12 (#470)
• 5ad12fd chore(deps): update dependency @​types/node to v22 (#472)
• c88980a ci(action): update actions/checkout digest to 11bd719 (#469)
• 94443df ci(action): update actions/checkout digest to eef6144 (#467)
• Additional commits viewable in compare view

Updates yaml from 2.5.1 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

v2.8.2

• Serialize -0 as -0 (#638)
• Do not double newlines for empty map values (#642)

v2.8.1

• Preserve empty block literals (#634)

v2.8.0

• Add node cache for faster alias resolution (#612)
• Re-introduce compatibility with Node.js 14.6 (#614)
• Add --merge option to CLI tool (#611)
• Improve error for tag resolution error on null value (#616)
• Allow empty string as plain scalar representation, for failsafe schema (#616)
• docs: include cli example (#617)

v2.7.1

• Do not allow seq with single-line collection value on same line with map key (#603)
• Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)

v2.7.0

The library is now available on JSR as @​eemeli/yaml and on deno.land/x as yaml. In addition to Node.js and browsers, it should work in Deno, Bun, and Cloudflare Workers.

• Use .ts extension in all relative imports (#591)
• Ignore newline after block seq indicator as space before value (#590)
• Require Node.js 14.18 or later (was 14.6) (#598)

v2.6.1

• Do not strip :00 seconds from !!timestamp values (#578, with thanks to @​qraynaud)
• Tighten regexp for JSON !!bool (#587, with thanks to @​vra5107)
• Default to literal block scalar if folded would overflow (#585)

... (truncated)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.