fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] by renovate[bot] · Pull Request #103 · loonghao/webhook_bridge

renovate · 2025-12-02T18:57:58Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@modelcontextprotocol/sdk (source)	`^0.5.0` → `^1.25.2`

GitHub Vulnerability Alerts

CVE-2025-66414

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

CVE-2026-0621

Impact

A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g., {/id*}, {?tags*}), causing catastrophic backtracking on malicious input.

Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.

Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.

Affected Versions

All versions of @modelcontextprotocol/sdk prior to the patched release.

Patches

v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.

Workarounds

Avoid using exploded patterns ({/id*}, {?tags*}) in resource templates
Implement request timeouts and rate limiting
Validate URIs before processing to reject suspicious patterns

Release Notes

modelcontextprotocol/typescript-sdk (@modelcontextprotocol/sdk)

`v1.25.2`

Compare Source

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in #1319
fix: README badges links destinations by @antonpk1 in #907
fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in #1365

New Contributors

@antonpk1 made their first contribution in #907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

`v1.25.1`

Compare Source

What's Changed

spec types - backwards compatibility changes by @KKonstantinov in #1306
chore: bump version for patch fix by @felixweinberger in #1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

`v1.25.0`

Compare Source

What's Changed

list changed handlers on client constructor by @mattzcarey in #1206
Role - moved from inline to reusable type by @KKonstantinov in #1221
fix: use versioned npm tag for non-main branch releases by @pcarleton in #1236
No automatic completion support unless needed - Revisited yet again by @cliffhall in #1237
fix: Support updating output schema by @vincent0426 in #1048
Remove type dependency on @cfworker/json-schema by @LucaButBoring in #1229
Relocate tests under /test by @KKonstantinov in #1220
Fix tsconfig: remove tests by @KKonstantinov in #1240
tsconfig - tests and build fix by @KKonstantinov in #1243
fix a typo in examples README by @DaleSeo in #1246
Protocol date validation by @mattzcarey in #1247
Flaky test fix on Types.test.ts by @KKonstantinov in #1244
SPEC COMPLIANCE: Remove loose/passthrough types not allowed/defined by MCP spec + Task types by @KKonstantinov in #1242
Follow-up fixes for PR #1242 by @felixweinberger in #1274
Update server examples and docs by @DaleSeo in #1285
Update TypeScript config to ES2020 to fix AJV imports by @mattzcarey in #1297
Fix Zod v4 schema description extraction by @felixweinberger in #1296
Add optional description field to Implementation schema by @calclavia in #1295
Add theme property to Icon schema by @DaleSeo in #1290
feat: fetch transport by @mattzcarey in #1209
chore: bump version for release by @felixweinberger in #1301

New Contributors

@vincent0426 made their first contribution in #1048

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.3...1.25.0

`v1.24.3`

Compare Source

What's Changed

chore: fix dev dependency security vulnerabilities by @felixweinberger in #1227
chore(deps): bump express from 5.0.1 to 5.2.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1228
fix: release HTTP connections after POST responses by @mattzcarey in #1214
fix: skip priming events and closeSSEStream for old protocol versions by @felixweinberger in #1233
chore: bump version for patch release by @felixweinberger in #1235

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.2...1.24.3

`v1.24.2`

Compare Source

What's Changed

feat: add optional resource annotations by @vhorvath2010 in #954
chore: refresh CLAUDE.md by @LucaButBoring in #1217
refactor: make Server class framework-agnostic by moving express to separate module by @cytle in #1223
chore: bump version to 1.24.2 by @pcarleton in #1224

New Contributors

@vhorvath2010 made their first contribution in #954
@cytle made their first contribution in #1223

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.1...1.24.2

`v1.24.1`

Compare Source

What's Changed

fix(streamableHttp): fix infinite retries when maxRetries is set to 0 by @mrorigo in #1216
chore: update protocol version to 2025-11-25 by @dsp-ant in #1218
chore: bump version for release by @felixweinberger in #1219

New Contributors

@mrorigo made their first contribution in #1216

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.0...1.24.1

`v1.24.0`

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

fix: update spec links from latest to draft by @domdomegg in #1171
Make sure to consume HTTP error response bodies by @GreenStage in #1173
docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in #1161
SEP-1686: Tasks by @LucaButBoring in #1041
Fix JSON parse error on SSE events with empty data by @felixweinberger in #1184
Fix StreamableHTTPClientTransport instantiation by @yuwzho in #944
feat: eslint rule to prefer node protocols by @mattzcarey in #1187
fix: call tasks/result to deliver side-channel messages by @felixweinberger in #1185
Add invalid_target oauth error (rfc 8707) by @GreenStage in #1183
fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in #1178
coerce 'expires_in' to be a number by @adam-kuhn in #1111
Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in #1189
fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in #1188
SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in #1157
adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in #1078
Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in #1199
fix hanging stdio servers by @mattzcarey in #1200
README refactor by @KKonstantinov in #1197
[Docs] Fix typo by @koic in #1067
feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in #1166
fix: improve SSE reconnection behavior by @felixweinberger in #1191
fix: normalize headers in sse transport by @marcrasi in #856
feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in #1203
fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in #1204
Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in #1205
fix: allow zod 4 transformations by @mattzcarey in #1213
feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in #1212
chore: bump version for release by @felixweinberger in #1215

New Contributors

@GreenStage made their first contribution in #1173
@saharis9988 made their first contribution in #1161
@yuwzho made their first contribution in #944
@yamadashy made their first contribution in #1178
@adam-kuhn made their first contribution in #1111
@mgyarmathy made their first contribution in #1078
@filip-bartuska-ipf made their first contribution in #1199
@koic made their first contribution in #1067
@marcrasi made their first contribution in #856
@jacopoc made their first contribution in #1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

`v1.23.1`

Compare Source

Fixed:

Disabled SSE priming events to fix backwards compatibility - 1.23.x clients crash on empty SSE data (JSON.parse(""))

This is a patch for servers still on 1.23.x that were breaking clients not handling the the 2025-11-25 priming event behavior with empty SSE data fields. See #1233 for more details.

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.23.1

`v1.23.0`

Compare Source

What's Changed

Migrate to vitest from jest by @mattzcarey in #1074
ci: add workflow_dispatch trigger for manual CI runs by @felixweinberger in #1114
Fix: @types/node incompatibility with vite warnings on npm install by @KKonstantinov in #1121
Fix: clean up accidental spec.types.ts by @KKonstantinov in #1122
fix: Pass RequestInit options to auth requests by @dsp-ant in #1066
SEP-1036: URL Elicitation by @nbarbettini in #1105
add none to test and the router. by @m-henderson in #1116
[auth] Adjust scope management to line up with SEP-835 by @pcarleton in #1133
chore: add .idea/ to .gitignore by @maxisbey in #1134
chore: remove unused @types/eslint__js dependency by @mattzcarey in #1128
feat: url based client metadata registration (SEP 991) by @mattzcarey in #1127
feat: zod v4 with backwards compatibility for v3.25+ by @dclark27 in #1040
fix: remove pnpm lock and regenerate package-lock by @mattzcarey in #1138
docs: update installation instructions for zod peer dependency by @mattzcarey in #1139
Implement SEP-1577 - Sampling With Tools by @ochafik in #1101
Follow up: unify v3 and v4 zod types via describe matrix and a test helper by @KKonstantinov in #1141
chore: Add deprecated marker to old elicitInput overload by @nbarbettini in #1142
fix: Connect error in URL elicitation example by @nbarbettini in #1136
Support upscoping on insufficient_scope 403 by @Nayana-Parameswarappa in #1115
Support beta releases by publishing with --tag beta by @felixweinberger in #1146
Bump version to 1.23.0-beta.0 by @felixweinberger in #1147
SEP-1613: use.catchall() on inputSchema/outputSchema to support JSON Schema 2020-12 by @felixweinberger in #1135
sampling: validate tools, tool_use, tool_result constraints by @ochafik in #1156
fix: React to upstream RC schema changes for form mode elicitation requests by @felixweinberger in #1164
feat: implement SEP-1699 SSE polling via server-side disconnect by @felixweinberger in #1129
chore: bump package number for release by @felixweinberger in #1170

New Contributors

@nbarbettini made their first contribution in #1105
@m-henderson made their first contribution in #1116
@maxisbey made their first contribution in #1134
@dclark27 made their first contribution in #1040
@Nayana-Parameswarappa made their first contribution in #1115

Full Changelog: modelcontextprotocol/typescript-sdk@1.22.0...1.23.0

`v1.22.0`

Compare Source

What's Changed

registerTool: accept ZodType for input and output schema by @ksinder in #816
SEP-1319: Decouple Request Payloads, Remove passthrough iteration, Typecheck fixes by @KKonstantinov in #1086
add pkg-pr-new bot by @pcarleton in #1088
Upgrade to Node LTS by @mattzcarey in #1072
change step name by @pcarleton in #1089
SEP-1034: Default values for Elicitation Schemas by @KKonstantinov in #1096
SEP-1330: Compatibility with SEP-1034 by @KKonstantinov in #1100
Implementation of SEP-986: Specify Format for Tool Names by @kentcdodds in #900
[auth] Fix march spec fallback for metadata discovery by @pcarleton in #1108
chore: bump version for release by @felixweinberger in #1110

New Contributors

@ksinder made their first contribution in #816

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.22.0

`v1.21.2`

Compare Source

What's changed

This is a patch release for a regression highlighted by #1103

This patch contains only the cherry picked fix in #1108

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.21.2

`v1.21.1`

Compare Source

What's Changed

Only use path-based discovery URLs from the authorization server to discover metadata by @roadmapper in #1070
Add @deprecated annotations to legacy APIs by @domdomegg in #1018
fix: Support WWW-Authenticate scope param for SEP-835 by @chipgpt in #983
move CLI script to dedicated scripts directory by @mattzcarey in #1073
Check script which typechecks using Typescripts new Go port by @mattzcarey in #1075
FIX: use a nightly spec.types.ts by @mattzcarey in #1087
chore: bump version for release by @felixweinberger in #1085

New Contributors

@roadmapper made their first contribution in #1070

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.0...1.21.1

`v1.21.0`

Compare Source

What's Changed

feat: pluggable JSON schema validator providers by @mattzcarey in #1012
Update metadata.ts by @pcarleton in #1010
fix: Prefer the token_endpoint_auth_method response from DCR registration by @chipgpt in #1022
Fix: Non-existent tool, disabled tool and inputSchema validation return MCP protocol level instead of CallToolResult with isError: true by @KKonstantinov in #1044
chore: bump version to 1.21.0 for release by @felixweinberger in #1062

New Contributors

@chipgpt made their first contribution in #1022

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.2...1.21.0

`v1.20.2`

Compare Source

What's Changed

fix: Zod to JSONSchema pipe strategies by @pierreliefauche in #962
chore: bump version for weekly release by @felixweinberger in #1042

New Contributors

@pierreliefauche made their first contribution in #962

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.1...1.20.2

`v1.20.1`

Compare Source

What's Changed

fix: Add Accept header to auth metadata request by @SVLaursen in #901
Allow empty string as valid URL in DCR workflow by @fredericbarthelet in #987
docs: fix summary contents at readme by @starfish719 in #1025
chore: bump version to 1.20.1 for release by @felixweinberger in #1032

New Contributors

@SVLaursen made their first contribution in #901
@starfish719 made their first contribution in #1025

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.0...1.20.1

`v1.20.0`

Compare Source

What's Changed

docs: improve main README with better quick start, include examples of stateless HTTP, explain tools v resources v prompts by @domdomegg in #980
chore: add lint:fix script by @mattzcarey in #1013
Default to S256 code challenge if not specified in authorization server metadata by @LucaButBoring in #992

New Contributors 🙏

@mattzcarey made their first contribution in #1013

Full Changelog: modelcontextprotocol/typescript-sdk@1.19.0...1.20.0

`v1.19.1`

Compare Source

`v1.18.2`

Compare Source

What's Changed

Updates the sampling code example in the README by @viniciuscsouza in #958
Use redirect Uri passed in in demoInMemoryOAuthProvider by @TylerLeonhardt in #931
fix(auth-router): correct Protected Resource Metadata for pathful RS and add explicit resourceServerUrl (RFC 9728) by @blustAI in #858
chore: update version to 1.18.2 for weekly release by @felixweinberger in #970

New Contributors

@viniciuscsouza made their first contribution in #958
@TylerLeonhardt made their first contribution in #931
@blustAI made their first contribution in #858

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.1...1.18.2

`v1.18.1`

Compare Source

What's Changed

fix: prevent streamable http wite after end from crashing the node process by @MQ37 in #933
chore: update version to 1.18.1 for weekly release by @felixweinberger in #950

New Contributors

@MQ37 made their first contribution in #933

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.0...1.18.1

`v1.18.0`

Compare Source

What's Changed

mcp: update SDK for SEP 973 + add to example server by @jesselumarie in #904
feat: add _meta field support to tool definitions by @knguyen-figma in #922
Fix automatic log level handling for sessionless connections by @cliffhall in #917
1.17.6 by @ihrpr in #936
1.18.0 by @ihrpr in #937
ignore icons for now by @ihrpr in #938

New Contributors

@jesselumarie made their first contribution in #904
@knguyen-figma made their first contribution in #922

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.5...1.18.0

`v1.17.5`

Compare Source

What's Changed

Automatic handling of logging level by @cliffhall in #882
Fix the SDK vs Spec types test that is breaking CI by @cliffhall in #908

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.4...1.17.5

`v1.17.4`

Compare Source

What's Changed

feature(middleware): Composable fetch middleware for auth and cross‑cutting concerns by @m-paternostro in #485
restrict url schemes allowed in oauth metadata by @pcarleton in #877
[auth] OAuth protected-resource-metadata: fallback on 4xx not just 404 by @pcarleton in #879
chore: bump version to 1.17.4 by @felixweinberger in #894

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.3...1.17.4

`v1.17.3`

Compare Source

What's Changed

Fix quit command in Example client with OAuth by @DaleSeo in #864
fix: client import & server imports by @jatinsandilya in #851
fix: pass fetchfn parameter to registerClient and refreshAuthorizatio… by @arjunkmrm in #850
docs: correct parameter schema key in Dynamic Servers documentation by @bianbianzhu in #789
version: patch to 0.17.3 by @felixweinberger in #878

New Contributors

@DaleSeo made their first contribution in #864
@jatinsandilya made their first contribution in #851
@arjunkmrm made their first contribution in #850
@bianbianzhu made their first contribution in #789

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.2...1.17.3

`v1.17.2`

Compare Source

What's Changed

fix: retry next endpoint on CORS error during auth server discovery by @xiaoyijun in #827

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.1...1.17.2

`v1.17.1`

Compare Source

What's Changed

(fix): Update fallbackRequestHandler type to match _requestHandlers leaves type by @fredericbarthelet in #784
fix: prevent responses being sent to wrong client when multiple transports connect by @grimmerk in #820
1.17.1 by @ihrpr in #831

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.0...1.17.1

`v1.17.0`

Compare Source

What's Changed

Add CODEOWNERS file for sdk by @ihrpr in #781
Add more robust base64 check by @cliffhall in #786
update codeowners by @ihrpr in #803
Fix indent by @jiec-msft in #807
fix: Explicitly declare accpet type to json when exchanging oauth token by @JoJoJoJoJoJoJo in #801
feat: support oidc discovery in client sdk by @xiaoyijun in #652
fix: remove extraneous code block in README.md by @sd0ric4 in #791
Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #798
Bump version 1.17.0 by @ihrpr in #810

New Contributors 🙏

@jiec-msft made their first contribution in #807
@sd0ric4 made their first contribution in #791

Full Changelog: modelcontextprotocol/typescript-sdk@1.16.0...1.17.0

`v1.16.0`

Compare Source

What's Changed

Add type compatibility test between SDK and spec types by @ochafik in #729
Add OIDC ID token support by @dankelleher in #680
Add prompt=consent for OIDC offline_access scope by @dankelleher in #681
Non-critical: Readme syntax and typographical error fixes by @freakynit in #765
make client side client_id generation configurable in the oauth router by @cdaguerre in #734
Adding invalidateCredentials() to OAuthClientProvider by @geelen in #570
fix: use authorization_server_url as issuer when fetching metadata by @JoJoJoJoJoJoJo in #763
feat(protocol): Debounce notifications to improve network efficiancy by @jneums in #746
fix(731): StreamableHTTPClientTransport Fails to Reconnect on Non-Resumable Streams by @jneums in #732
fix: consistently use consumer-provided fetch function by @LucaButBoring in #767
fix client id issuance date should only be sent when generated by @cdaguerre in #775
1.16.0 by @ihrpr in #779

New Contributors 🙏

@dankelleher made their first contribution in #680
[@freakynit](https://redirect.github.com

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2025-12-02T19:02:16Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.92%. Comparing base (676baf1) to head (7933751).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff            @@
##            main    #103      +/-   ##
========================================
- Coverage   8.12%   7.92%   -0.20%     
========================================
  Files         45      45              
  Lines       9977    7768    -2209     
========================================
- Hits         811     616     -195     
+ Misses      9093    7079    -2014     
  Partials      73      73

Flag	Coverage Δ
go	`7.92% <ø> (-0.20%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 44 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Dec 3, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from f4e212d to dc706dc Compare December 3, 2025 21:06

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Dec 3, 2025

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Dec 10, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from e506ee0 to 15eafdb Compare December 10, 2025 18:09

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Dec 10, 2025

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Dec 15, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from eb46f49 to 6b3a820 Compare December 15, 2025 21:30

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Dec 15, 2025

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Dec 30, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from bbc074e to d3b9071 Compare December 30, 2025 17:25

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Dec 30, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from d3b9071 to 9cdbdf9 Compare December 31, 2025 14:57

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Dec 31, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 9cdbdf9 to 7c0c85e Compare December 31, 2025 20:47

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Dec 31, 2025

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 7c0c85e to db921af Compare January 7, 2026 16:46

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Jan 8, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from 520b6e7 to c5fc30a Compare January 8, 2026 21:56

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Jan 8, 2026

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Jan 19, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from a06edf2 to 5744567 Compare January 19, 2026 22:38

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Jan 19, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from d4006b9 to 19c6fb1 Compare February 17, 2026 20:32

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Feb 17, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 19c6fb1 to 0c810d5 Compare February 18, 2026 01:03

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Feb 18, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 0c810d5 to d081d42 Compare February 24, 2026 14:13

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Feb 24, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from d081d42 to d25b00e Compare February 24, 2026 19:13

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Feb 24, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from d25b00e to d07ad6c Compare February 25, 2026 12:57

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Feb 25, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from d07ad6c to 756de8c Compare February 25, 2026 19:04

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Feb 25, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 756de8c to 6862847 Compare February 27, 2026 13:28

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Feb 27, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from 6862847 to fa6de5c Compare February 27, 2026 17:07

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Feb 27, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from fa6de5c to b46b78a Compare March 5, 2026 09:56

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Mar 5, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch from b46b78a to a307e8c Compare March 5, 2026 19:14

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Mar 5, 2026

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Mar 13, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from 9e2d99a to 74580e1 Compare March 13, 2026 21:36

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Mar 13, 2026

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security] Mar 26, 2026

renovate bot force-pushed the renovate/npm-modelcontextprotocol-sdk-vulnerability branch 2 times, most recently from ed3f680 to 56597ba Compare March 26, 2026 21:11

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to ^0.7.0 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] Mar 26, 2026

renovate bot changed the title ~~fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]~~ fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security] - autoclosed Mar 27, 2026

fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]

7933751

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]#103

fix(deps): update dependency @modelcontextprotocol/sdk to v1 [security]#103
loonghao merged 1 commit intomainfrom
renovate/npm-modelcontextprotocol-sdk-vulnerability

renovate bot commented Dec 2, 2025 •

edited

Loading

Uh oh!

codecov bot commented Dec 2, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate bot commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Affected Versions

Patches

Workarounds

Release Notes

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

Summary

What's Changed

New Contributors

Fixed:

What's Changed

New Contributors

What's Changed

New Contributors

What's changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors 🙏

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

New Contributors 🙏

What's Changed

New Contributors 🙏

Configuration

Uh oh!

codecov bot commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Dec 2, 2025 •

edited

Loading

codecov bot commented Dec 2, 2025 •

edited

Loading