chore(deps): update dependency @modelcontextprotocol/sdk to v1.19.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@modelcontextprotocol/sdk (source)	1.17.4 -> 1.19.1

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.19.1

Compare Source

v1.18.2

Compare Source

What's Changed

• Updates the sampling code example in the README by @​viniciuscsouza in #​958
• Use redirect Uri passed in in demoInMemoryOAuthProvider by @​TylerLeonhardt in #​931
• fix(auth-router): correct Protected Resource Metadata for pathful RS and add explicit resourceServerUrl (RFC 9728) by @​blustAI in #​858
• chore: update version to 1.18.2 for weekly release by @​felixweinberger in #​970

New Contributors

• @​viniciuscsouza made their first contribution in #​958
• @​TylerLeonhardt made their first contribution in #​931
• @​blustAI made their first contribution in #​858

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.1...1.18.2

v1.18.1

Compare Source

What's Changed

• fix: prevent streamable http wite after end from crashing the node process by @​MQ37 in #​933
• chore: update version to 1.18.1 for weekly release by @​felixweinberger in #​950

New Contributors

• @​MQ37 made their first contribution in #​933

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.0...1.18.1

v1.18.0

Compare Source

What's Changed

• mcp: update SDK for SEP 973 + add to example server by @​jesselumarie in #​904
• feat: add _meta field support to tool definitions by @​knguyen-figma in #​922
• Fix automatic log level handling for sessionless connections by @​cliffhall in #​917
• 1.17.6 by @​ihrpr in #​936
• 1.18.0 by @​ihrpr in #​937
• ignore icons for now by @​ihrpr in #​938

New Contributors

• @​jesselumarie made their first contribution in #​904
• @​knguyen-figma made their first contribution in #​922

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.5...1.18.0

v1.17.5

Compare Source

What's Changed

• Automatic handling of logging level by @​cliffhall in #​882
• Fix the SDK vs Spec types test that is breaking CI by @​cliffhall in #​908

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.4...1.17.5

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[claude]

Code Review for @modelcontextprotocol/sdk v1.18.2 Update

✅ Summary

This PR updates the @modelcontextprotocol/sdk dependency from v1.17.4 to v1.18.2, which is a minor version bump with bug fixes and feature additions.

🔍 Analysis

Code Quality & Best Practices

• ✅ The update follows semantic versioning conventions
• ✅ Only package-lock.json is modified, which is expected for a dependency update
• ⚠️ The diff shows several unrelated packages (@babel/core, acorn, browserslist, etc.) now marked as peer: true - this appears to be npm reorganizing the lockfile structure

Potential Issues

1. Breaking Changes: While this is a minor version update (1.17.4 → 1.18.2), the changelog shows new features that could affect behavior:

   • SEP 973 protocol updates
   • _meta field support in tool definitions
   • Automatic log level handling changes

2. Compatibility Concerns:

   • The SDK update includes fixes for "write after end" crashes in Node.js streams
   • Log level handling has been modified which could affect debugging output

Security Considerations

• ✅ No known security vulnerabilities in v1.18.2
• ✅ The update includes bug fixes that improve stability (preventing Node.js process crashes)
• ℹ️ Dependencies are from trusted sources (npm registry)

Performance Considerations

• ✅ The update includes a fix for preventing process crashes from stream errors
• ✅ No performance regressions reported in the changelog

Test Coverage

• ⚠️ Critical: The project has Jest configured but NO test files exist (per CLAUDE.md notes)
• 🚨 Cannot verify if the SDK update breaks existing functionality without tests
• Recommendation: Add integration tests for MCP protocol communication before merging

📋 Recommendations

1. Before Merging:

   • Run npm ci to ensure clean dependency installation
   • Manually test core MCP server functionality
   • Verify Go tools still work correctly with the new SDK
   • Test log level handling behavior

2. Follow-up Actions:

   • Create tests for MCP server initialization and tool registration
   • Add integration tests for SDK communication
   • Consider pinning exact versions in package.json (1.18.2 instead of ^1.0.0)

3. Documentation:

   • Update CHANGELOG.md to document this dependency update
   • Consider adding a dependency update policy to CONTRIBUTING.md

🎯 Decision

Approve with conditions: The update appears safe but should be thoroughly tested given the lack of automated test coverage. The bug fixes included (especially the stream crash prevention) make this a valuable update.

🔧 Testing Checklist

Please verify before merging:

• npm ci completes successfully
• npm run build compiles without errors
• Server starts and registers tools correctly
• Go tools execute successfully
• Make tools work as expected
• Lint tools function properly
• Test detection works correctly
• Log output appears normal

---

Review generated according to project standards in CLAUDE.md with focus on Go support priority and security-first principles.