build(deps): Bump esbuild and tsup in /packages/agentmesh-integrations/mastra-agentmesh

[dependabot]

Bumps esbuild to 0.27.5 and updates ancestor dependency tsup. These dependencies need to be updated together.

Updates esbuild from 0.19.12 to 0.27.5

Release notes

Sourced from esbuild's releases.

v0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  // Old output (with --loader=ts)
  class Foo {
  constructor(x) {
  this.x = x;
  }
  }
  // New output (with --loader=ts)
  class Foo {
  constructor(x) {
  this.x = x;
  }
  x;
  }

• Allow es2025 as a target in tsconfig.json (#4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 0102ae3 publish 0.27.5 to npm
• eb93887 split off CHANGELOG-2025.md
• a54a51a fix #4421: use define for ts parameter props
• 31a7c67 remove unused variable in __asyncGenerator
• 1ea01a6 update release notes
• a8f8c0e fix: Handle non-awaited async generator (#4417)
• 4844d4b fix #4420, close #4418: metafile JSON regression
• edbdce8 fix #4432: add es2025 as a valid target
• f9c9012 publish 0.27.4 to npm
• 207dbc7 js api: fall back to js-based metafile json parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates tsup from 8.0.0 to 8.5.1

Release notes

Sourced from tsup's releases.

v8.5.1

   🐞 Bug Fixes

• Add script tag validation  -  by @​benhoad in egoist/tsup#1314 (df736)
• Update esbuild to fix sourcemap source issue  -  by @​ArcherGu and @​sxzz in egoist/tsup#1316 (fb8ae)

    View changes on GitHub

v8.5.0

   🚀 Features

• Use fix-dts-default-cjs-exports to transform CJS types  -  by @​userquin in egoist/tsup#1310 (c654e)
• Allow passing custom swc configuration to swcPlugin  -  by @​Romakita in egoist/tsup#1313 (fdfd5)

   🐞 Bug Fixes

• Make removeNodeProtocol work with shims  -  by @​aryaemami59 (769aa)
• CopyPublicDir in watch mode  -  by @​geeee in egoist/tsup#1331 (7c1e1)

    View changes on GitHub

v8.4.0

   🚀 Features

• Upgrade svelte and css compiler  -  by @​DaniAcu in egoist/tsup#1288 (c3f32)

   🐞 Bug Fixes

• Upgrade esbuild to 0.25  -  by @​RobinTail in egoist/tsup#1309 (89c47)

    View changes on GitHub

v8.3.6

   🐞 Bug Fixes

• Don't await sub-process of onSuccess  -  by @​laat in egoist/tsup#1256 (314a6)

    View changes on GitHub

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

... (truncated)

Commits

• 1ecb6a5 chore: release v8.5.1
• e92ba64 chore: upgrade esbuild
• fb8ae7d fix: update esbuild to fix sourcemap source issue (#1316)
• db7cfaa chore: upgrade pnpm
• df7360b fix: add script tag validation (#1314)
• 65e8547 chore: bump source-map to 0.7.6 (#1358)
• f127e57 ci: switch to trusted publisher
• 8b6907d chore: add maintenance info in README (#1332)
• 92ee842 chore: release v8.5.0
• 7c1e13e fix: copyPublicDir in watch mode (#1331)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for tsup since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

[github-actions]

✅ PR Review Summary

Check	Status	Details
🔍 Code Review	⏳ Pending	Awaiting results
🛡️ Security Scan	⏳ Pending	Awaiting results
🔄 Breaking Changes	⏳ Pending	Awaiting results
📝 Docs Sync	⏳ Pending	Awaiting results
🧪 Test Coverage	⏳ Pending	Awaiting results

Verdict: ⏳ Still running — some checks have not completed yet

💡 Individual agent reports are collapsed below for reference.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 754438a.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@esbuild/aix-ppc64	0.27.5	Unknown	Unknown
npm/@esbuild/android-arm	0.27.5	Unknown	Unknown
npm/@esbuild/android-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/android-x64	0.27.5	Unknown	Unknown
npm/@esbuild/darwin-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/darwin-x64	0.27.5	Unknown	Unknown
npm/@esbuild/freebsd-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/freebsd-x64	0.27.5	Unknown	Unknown
npm/@esbuild/linux-arm	0.27.5	Unknown	Unknown
npm/@esbuild/linux-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/linux-ia32	0.27.5	Unknown	Unknown
npm/@esbuild/linux-loong64	0.27.5	Unknown	Unknown
npm/@esbuild/linux-mips64el	0.27.5	Unknown	Unknown
npm/@esbuild/linux-ppc64	0.27.5	Unknown	Unknown
npm/@esbuild/linux-riscv64	0.27.5	Unknown	Unknown
npm/@esbuild/linux-s390x	0.27.5	Unknown	Unknown
npm/@esbuild/linux-x64	0.27.5	Unknown	Unknown
npm/@esbuild/netbsd-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/netbsd-x64	0.27.5	Unknown	Unknown
npm/@esbuild/openbsd-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/openbsd-x64	0.27.5	Unknown	Unknown
npm/@esbuild/openharmony-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/sunos-x64	0.27.5	Unknown	Unknown
npm/@esbuild/win32-arm64	0.27.5	Unknown	Unknown
npm/@esbuild/win32-ia32	0.27.5	Unknown	Unknown
npm/@esbuild/win32-x64	0.27.5	Unknown	Unknown
npm/bundle-require	5.1.0	Unknown	Unknown
npm/chokidar	4.0.3	🟢 4.1	Details Check Score Reason Code-Review 🟢 3 Found 9/25 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/confbox	0.1.8	Unknown	Unknown
npm/consola	3.4.2	Unknown	Unknown
npm/esbuild	0.27.5	🟢 4.3	Details Check Score Reason Maintained 🟢 10 22 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 1 Found 3/30 approved changesets -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/fix-dts-default-cjs-exports	1.0.1	Unknown	Unknown
npm/mlly	1.8.2	🟢 4.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 6/24 approved changesets -- score normalized to 2 Maintained 🟢 10 11 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/pkg-types	1.3.1	Unknown	Unknown
npm/postcss-load-config	6.0.1	🟢 4.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/readdirp	4.1.2	🟢 3.4	Details Check Score Reason Pinned-Dependencies 🟢 10 all dependencies are pinned Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 2/28 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/source-map	0.7.6	🟢 4.2	Details Check Score Reason Code-Review 🟢 8 Found 10/12 approved changesets -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 9 binaries present in source code Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/tsup	8.5.1	🟢 3.5	Details Check Score Reason Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/ufo	1.6.3	🟢 5.4	Details Check Score Reason Code-Review 🟢 3 Found 9/27 approved changesets -- score normalized to 3 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• packages/agentmesh-integrations/mastra-agentmesh/package-lock.json

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.