build(deps): Bump github.com/modelcontextprotocol/go-sdk from 0.1.0 to 0.5.0

[dependabot]

Bumps github.com/modelcontextprotocol/go-sdk from 0.1.0 to 0.5.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v0.5.0

This release fixes several bugs related to schema validation, and makes the final set of breaking changes planned before the v1 release.

For more details, see the v0.5.0 milestone.

API Changes

• Removed transport constructors (#305). These were deprecated in #272, but we left the constructors so that they could more easily be inlined away via the go:fix inline directive and gopls. Now they are removed.
• Removed support for batching when the spec version is 2025-06-18 or higher (#21). This is newly strict, but aligns with the MCP spec.

Bug fixes

The following notable bugs are fixed, related to JSON schema validation.

• JSON schema for nested structs is now handled correctly (#437).
• Validation of types with custom JSON marshalling is fixed (#447).
• Validation now correctly catches missing fields (#449).
• Validation is now strictly case-sensitive (a consequence of the preceding fixes).

New Contributors

• @​flc1125 made their first contribution in modelcontextprotocol/go-sdk#427
• @​cruffinoni made their first contribution in modelcontextprotocol/go-sdk#363
• @​ankitm123 made their first contribution in modelcontextprotocol/go-sdk#451

Full Changelog: modelcontextprotocol/go-sdk@v0.4.0...v0.5.0

v0.4.0

This release fixes several bugs, and expands on OAuth support and examples. It also makes a few (hopefully minor) API changes as we approach a release candidate (see #328).

For more details, see the v0.4.0 milestone.

Thank you to all who tested the SDK, filed bugs, and contributed.

API Changes

This release includes the following incompatible changes:

• mcp.CallToolRequest now holds an mcp.CallToolParamsRaw, to avoid confusion about the raw state of Arguments (see proposal #377)
• mcp.ToolFor is unexported, as it was also a footgun: modifying the resulting schema was ineffective (see proposal #401).
• auth.TokenVerifier is changed from func(context.Context, string) (*TokenInfo, error) to func(context.Context, string, *net/http.Request) (*TokenInfo, error), to allow access to the HTTP request (see proposal #403).

Additionally, it includes the following additions:

• mcp.StreamableServerTransport.JSONResponse and mcp.StreamableHTTPOptions.JSONResponse are exported, to configure serving responses as application/json rather than text/event-stream (#397).
• auth.ErrOAuth is added.

New Examples

Several new examples are added to demonstrate different ways to use the SDK. We will continue to expand on these examples and other documentation as we approach the release.

... (truncated)

Commits

• c2c810b mcp: update jsonschema-go to v0.2.3, prepare README
• 159933c mcp: speed up TestCommandTransportDuration
• 9f1b864 mcp: propertly validate against JSON, independent of Go values
• eddef06 all: add a test that checks for missing or mismatching file copyright
• b666793 transport.go: disable stdio batching for newer protocols (#453)
• bf3ff50 mcp: remove json-rpc batching for more recent protocol versions
• 872b437 internal/readme: use go:generate rather than Make
• 3a66cf3 go.mod: update jsonschema to v0.2.2 (#446)
• 728e0e3 mcp: improve error messages from Wait for streamable clients
• b1c75f0 mcp: remove deprecated transport constructors
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #31.