Skip to content

chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.4.1 in the go_modules group across 1 directory#2149

Merged
lpcox merged 1 commit intomainfrom
dependabot/go_modules/go_modules-b913a45371
Mar 19, 2026
Merged

chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.4.1 in the go_modules group across 1 directory#2149
lpcox merged 1 commit intomainfrom
dependabot/go_modules/go_modules-b913a45371

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 19, 2026

Bumps the go_modules group with 1 update in the / directory: github.com/modelcontextprotocol/go-sdk.

Updates github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.4.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.1

This release is a patch release for v1.4.0.

It contains cherry-picks for several security improvements. Security advisories will follow.

Fixes

Update of the segmentio/encoding module version

The JSON parsing library that was adopted to avoid attacks taking advantage of the Go's standard parser being case insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.

Cross-origin requests protection

We have added additional protection against cross origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.

Since this is a behavior change, we introduced a compatibility parameter disablecrossoriginprotection that will allow to temporarily disable it. It will be removed in v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.

Allowing customization of http.Client for client-side OAuth

We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.

Pull requests

Full Changelog: modelcontextprotocol/go-sdk@v1.4.0...v1.4.1

Commits
  • 580f2a0 mcp: verify 'Origin' and 'Content-Type' headers (#842)
  • 421ddf1 auth: allow passing custom http.Client to AuthorizationCodeHandler (#840)
  • 515f11b internal: fix Unicode zero character handling (#841)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump github.com/modelcontextprotocol/go-sdk
1d21f26 
Bumps the go_modules group with 1 update in the / directory: [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk).


Updates `github.com/modelcontextprotocol/go-sdk` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.4.0...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.4.1
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@lpcox lpcox merged commit c9ac184 into main Mar 19, 2026
36 of 44 checks passed
@lpcox lpcox deleted the dependabot/go_modules/go_modules-b913a45371 branch March 19, 2026 15:05
This was referenced Mar 19, 2026
Closed
Closed
Closed
Copilot AI mentioned this pull request Mar 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lpcox