[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.5.0 to 1.25.2#17
…mcp-server/pnpm-lock.yaml to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Pull request overview
This PR upgrades the @modelcontextprotocol/sdk dependency from version 1.5.0 to 1.25.2 to address a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802) with a priority score of 828.
Changes:
- Upgrades @modelcontextprotocol/sdk from ^1.5.0 to ^1.25.2 in package.json
- Updates pnpm-lock.yaml to reflect the new SDK version and its transitive dependencies
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/agent-kit-mcp-server/package.json | Updates the @modelcontextprotocol/sdk version specification to ^1.25.2 |
| examples/agent-kit-mcp-server/pnpm-lock.yaml | Reflects the dependency resolution with the new SDK version and adds numerous transitive dependencies including express 5.2.1, hono 4.11.3, ajv, jose, and others |
Files not reviewed (1)
- examples/agent-kit-mcp-server/pnpm-lock.yaml: Language not supported
| "@modelcontextprotocol/sdk": "^1.25.2", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "1.4.8", | ||
| "zod": "^3.24.2" |
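Review bot: the `"@modelcontextprotocol/sdk": "^1.25.2"` range in this hunk only removes the ReDoS exposure if pnpm-lock.yaml actually resolves the package to 1.25.2, and the lockfile was not reviewed here ("Language not supported"). Before merging, confirm the resolved version (for example with `pnpm why @modelcontextprotocol/sdk` after `pnpm install --frozen-lockfile`) so a stale lock entry cannot keep 1.5.0 installed while package.json claims the fix.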
The upgraded @modelcontextprotocol/sdk version 1.25.2 specifies a peer dependency of zod ^3.25 || ^4.0, but the project is using zod 3.24.2. While pnpm has allowed the installation, this version mismatch could lead to compatibility issues or unexpected behavior. Consider upgrading zod to at least version 3.25.0 to meet the SDK's peer dependency requirements.
| "zod": "^3.24.2" | |
| "zod": "^3.25.0" |
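A check for the peer-dependency mismatch flagged in the review above, written as an added example that is not code from the PR, from Snyk, or from @modelcontextprotocol/sdk: it implements the caret-range rule pnpm applies and reports the peers the installed versions do not satisfy. The manifest and installed-version objects are constructed from the versions quoted in the review (real checks would read them from node_modules), and the range parser only handles `^X.Y.Z` alternatives joined by `||`.

```javascript
// Added example, not code from the PR or from @modelcontextprotocol/sdk:
// checks installed versions against caret ranges the way pnpm's peer
// resolution does. Handles "^X.Y.Z" ranges joined by "||"; prerelease tags
// are not parsed, which is enough for the ranges on this PR.

function parseVersion(v) {
  const [major, minor = 0, patch = 0] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  return 0;
}

// ^X.Y.Z permits updates that keep the leftmost non-zero component fixed,
// so ^3.25 means >=3.25.0 <4.0.0 and ^0.1.5 means >=0.1.5 <0.2.0.
function satisfiesCaret(version, caretRange) {
  if (!caretRange.startsWith('^')) throw new Error(`unsupported range: ${caretRange}`);
  const v = parseVersion(version);
  const lo = parseVersion(caretRange.slice(1));
  if (compare(v, lo) < 0) return false;
  if (lo.major > 0) return v.major === lo.major;
  if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
  return v.major === 0 && v.minor === 0 && v.patch === lo.patch;
}

// A "||" range is satisfied when any alternative is.
function satisfies(version, range) {
  return range.split('||').some((alt) => satisfiesCaret(version, alt.trim()));
}

// Lists peerDependencies of `manifest` that the installed versions miss.
function unsatisfiedPeers(manifest, installed) {
  return Object.entries(manifest.peerDependencies || {})
    .filter(([name, range]) => !(name in installed) || !satisfies(installed[name], range))
    .map(([name, range]) => ({ name, range, installed: installed[name] ?? null }));
}

// Constructed sample data: the SDK peer range and the zod versions quoted in the review.
const sdkManifest = {
  name: '@modelcontextprotocol/sdk', version: '1.25.2',
  peerDependencies: { zod: '^3.25 || ^4.0' },
};
const installedBefore = { '@modelcontextprotocol/sdk': '1.25.2', zod: '3.24.2' };
const installedAfter = { '@modelcontextprotocol/sdk': '1.25.2', zod: '3.25.0' };

console.log(unsatisfiedPeers(sdkManifest, installedBefore)); // [{ name: 'zod', range: '^3.25 || ^4.0', installed: '3.24.2' }]
console.log(unsatisfiedPeers(sdkManifest, installedAfter)); // []
```

The same `satisfies` call shows why the bump matters for the advisory itself: the vulnerable 1.5.0 falls outside `^1.25.2`, while 1.25.2 is inside it.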
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
- examples/agent-kit-mcp-server/package.json
- examples/agent-kit-mcp-server/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)