Skip to content

[plan] Upgrade github.com/modelcontextprotocol/go-sdk to v1.3.1 (security patch) #16915

New issue
New issue
Closed
#16923
Closed
[plan] Upgrade github.com/modelcontextprotocol/go-sdk to v1.3.1 (security patch)#16915
#16923
Assignees
pelikhancopilot-swe-agent
Labels
ai-generatedcookieIssue Monster Loves Cookies!plan
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 19, 2026

Objective

Upgrade the github.com/modelcontextprotocol/go-sdk dependency from v1.3.0 to v1.3.1 to apply a security fix.

Context

Discussion #16774 identified that v1.3.1 contains a security patch for issue #805. The fix switches the JSON decoder to github.com/segmentio/encoding which provides case-sensitive matching, preventing exploitation of Go's standard library JSON decoder case-insensitive struct field matching in MCP message parsing.

gh-aw is an MCP server that receives JSON-RPC messages from external MCP clients, making this upgrade important.

Steps

  1. Run: go get github.com/modelcontextprotocol/go-sdk@v1.3.1
  2. Run: go mod tidy
  3. Run make build to ensure it compiles
  4. Run make test-unit to confirm no regressions

Files to Modify

  • go.mod
  • go.sum

Acceptance Criteria

  • go.mod references github.com/modelcontextprotocol/go-sdk v1.3.1
  • go mod tidy runs cleanly
  • make build succeeds
  • make test-unit passes

Generated by Plan Command for issue #discussion #16774

  • expires on Feb 21, 2026, 9:47 PM UTC

Metadata

Metadata

Assignees

Labels

ai-generatedcookieIssue Monster Loves Cookies!plan

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions