[deps] Update github.com/modelcontextprotocol/go-sdk from v1.3.1 to v1.4.0 #19184

@github-actions

Summary

Update github.com/modelcontextprotocol/go-sdk dependency from v1.3.1 to v1.4.0

Current State

  • Package: github.com/modelcontextprotocol/go-sdk
  • Current Version: v1.3.1
  • Proposed Version: v1.4.0
  • Update Type: Minor version update with behavior changes

Why Separate Issue

⚠️ Minor version update with notable behavior changes

  • Two intentional behavior changes that may require testing:
    1. DNS rebinding protection: Requests to localhost with a non-localhost Host header are now rejected by default
    2. JSON escaping change: HTML escaping in JSON marshaling is now disabled by default
  • New features added (Sampling with Tools, experimental client-side OAuth)
  • Full MCP 2025-11-25 specification implementation completed

Safety Assessment

⚠️ Requires careful review

  • DNS rebinding protection (new default behavior): Any MCP server running on localhost that receives requests with non-localhost Host headers will now return errors. This could affect local development setups or proxy configurations.
  • JSON escaping change: If downstream systems expected HTML-escaped JSON (e.g., \u003c for <), they will now receive unescaped output. Review all MCP message consumers.
  • Both behaviors can be temporarily disabled via the MCPGODEBUG environment variable (which will be removed in v1.6.0)
  • Security fix for case-sensitive JSON unmarshaling was cherry-picked into v1.3.1 (already included in current version)

Changes

  • feat: implement sampling with tools (CreateMessageWithTools)
  • feat: add automatic DNS rebinding protection for localhost servers (MCPGODEBUG=disablelocalhostprotection=1 to disable)
  • feat: update JSON marshaling to not HTML-escape messages (MCPGODEBUG=jsonescaping=1 to restore old behavior)
  • feat: add Extensions field to capabilities (SEP-2133)
  • feat: experimental client-side OAuth support (build tag mcp_go_client_oauth)
  • fix: validation only for accept action
  • fix: allow SSE messages with empty data
  • fix: Content-Length header parsing to be case-insensitive
  • fix: multi-select enum elicitation
  • fix: return 400 instead of 500 when body read fails in stateless mode

Recommended Action

go get github.com/modelcontextprotocol/go-sdk@v1.4.0
go mod tidy

Testing Notes

  • Run all tests: make test
  • Test MCP server functionality: gh aw mcp list and gh aw mcp inspect
  • Verify MCP tool execution in workflows still works correctly
  • Check localhost MCP server connections are not broken by DNS rebinding protection
  • Review any code that parses MCP JSON messages for HTML-escape sensitivity
  • Test with DEBUG=workflow:* gh aw compile to check for any MCP-related compilation issues

Generated by Dependabot Dependency Checker

  • expires on Mar 4, 2026, 9:25 AM UTC
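
The JSON escaping change described above, as an added example (not code from go-sdk or from this repository): it uses only Go's standard encoding/json as a stand-in for the two behaviours, producing both wire forms of one constructed message to show that a real JSON parser sees the same value while a consumer that inspects or embeds the raw bytes does not. The helper names and the sample message are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"reflect"
)

// marshalEscaped stands in for the old wire form: encoding/json escapes
// <, > and & as \u003c, \u003e and \u0026 by default.
func marshalEscaped(v interface{}) ([]byte, error) { return json.Marshal(v) }

// marshalUnescaped stands in for the new default: HTML escaping switched off.
func marshalUnescaped(v interface{}) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(v); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil // Encode appends a newline
}

// sameDecoded reports whether two JSON documents decode to equal values,
// which is all a consumer using a real JSON parser observes.
func sameDecoded(a, b []byte) (bool, error) {
	var x, y interface{}
	if err := json.Unmarshal(a, &x); err != nil {
		return false, err
	}
	if err := json.Unmarshal(b, &y); err != nil {
		return false, err
	}
	return reflect.DeepEqual(x, y), nil
}

// rawMarkup reports whether the wire bytes carry literal <, > or &. A consumer
// that writes such bytes into an HTML page unencoded relied on the old escaping.
func rawMarkup(wire []byte) bool { return bytes.ContainsAny(wire, "<>&") }

func main() {
	// Constructed sample message; the field name is hypothetical.
	msg := map[string]string{"text": "<b>a & b</b>"}
	oldWire, _ := marshalEscaped(msg)
	newWire, _ := marshalUnescaped(msg)
	same, _ := sameDecoded(oldWire, newWire)
	fmt.Printf("old: %s\nnew: %s\nsame decoded: %v\n", oldWire, newWire, same)
}
```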
