[deps] Update github.com/modelcontextprotocol/go-sdk from v1.4.0 to v1.4.1 (security patch) #21198

@github-actions

Description

Summary

Update github.com/modelcontextprotocol/go-sdk from v1.4.0 to v1.4.1. This is a security patch release that includes important security improvements alongside behavior changes.

Current State

  • Package: github.com/modelcontextprotocol/go-sdk
  • Current Version: v1.4.0
  • Proposed Version: v1.4.1
  • Update Type: Patch (security)

Why Separate Issue

⚠️ Patch update with security fixes AND behavior changes

  • Explicitly a security release ("cherry-picks for several security improvements")
  • Contains behavior changes despite being a patch version
  • Increases required Go version to 1.25 (already met by this repo)
  • Introduces new request validation that may affect MCP server interactions
  • Security advisories for this release were pending at release time

Safety Assessment

⚠️ Security-motivated patch with behavior changes — requires testing

  • Security fix: JSON parsing library (segmentio/encoding) updated to fix an attack vector
  • Behavior change: HTTP JSON-RPC POST requests now require Content-Type: application/json
  • Behavior change: New http.CrossOriginProtection validates request origins
  • A compatibility parameter, disablecrossoriginprotection, is available as a temporary escape hatch if the new origin checks break an existing deployment
  • No API signature changes in the public Go API

Changes

  • Update segmentio/encoding dependency to fix a JSON parsing security issue
  • Add cross-origin request protection for HTTP Streamable MCP servers (Content-Type + Origin header checks)
  • Allow customization of http.Client for client-side OAuth (AuthorizationCodeHandlerConfig)
  • Fix Unicode zero character handling
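
The two behavior changes listed under Safety Assessment and Changes (POST bodies must carry Content-Type: application/json, and cross-origin browser requests are refused) are easy to reason about with a small middleware. The following is an added illustration, not code from the go-sdk or from this repository: it implements both checks by hand so it runs on any Go version, whereas the SDK itself relies on net/http's CrossOriginProtection from Go 1.25. The handler path /mcp, the host mcp.local and the trusted origin https://dashboard.example are constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// jsonRPCGuard wraps an MCP-style JSON-RPC endpoint with the two checks the
// go-sdk v1.4.1 notes describe: POST bodies must be declared as JSON, and
// browser requests from another origin are refused unless that origin is on
// an explicit allowlist. Illustrative middleware, not the SDK's own code.
type jsonRPCGuard struct {
	trusted map[string]bool // normalized "scheme://host[:port]" values
	next    http.Handler
}

func newJSONRPCGuard(next http.Handler, trustedOrigins ...string) *jsonRPCGuard {
	g := &jsonRPCGuard{trusted: map[string]bool{}, next: next}
	for _, o := range trustedOrigins {
		g.trusted[strings.ToLower(o)] = true
	}
	return g
}

// checkContentType accepts only application/json (media-type parameters such
// as charset=utf-8 are fine); anything else, including a missing header, fails.
func checkContentType(ct string) error {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return fmt.Errorf("unparseable Content-Type %q: %w", ct, err)
	}
	if mt != "application/json" {
		return fmt.Errorf("unsupported Content-Type %q, want application/json", mt)
	}
	return nil
}

// checkOrigin treats a request with no Origin header as non-browser traffic and
// lets it through. When Origin is present it must be same-origin with the
// request's Host or appear in the allowlist; "null" and malformed values fail.
func (g *jsonRPCGuard) checkOrigin(r *http.Request) error {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return nil
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("rejecting opaque or malformed Origin %q", origin)
	}
	if strings.EqualFold(u.Host, r.Host) {
		return nil // same-origin request
	}
	if g.trusted[strings.ToLower(u.Scheme+"://"+u.Host)] {
		return nil
	}
	return fmt.Errorf("cross-origin request from %q denied", origin)
}

func (g *jsonRPCGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if err := g.checkOrigin(r); err != nil {
		log.Printf("origin check failed: %v", err) // a useful signal to alert on
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	if r.Method == http.MethodPost {
		if err := checkContentType(r.Header.Get("Content-Type")); err != nil {
			http.Error(w, err.Error(), http.StatusUnsupportedMediaType)
			return
		}
	}
	g.next.ServeHTTP(w, r)
}

// demoGuard protects a stand-in JSON-RPC endpoint; https://dashboard.example is
// a constructed trusted origin.
var demoGuard = newJSONRPCGuard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"jsonrpc": "2.0", "id": 1, "result": map[string]any{}})
}), "https://dashboard.example")

// probe sends one synthetic request (constructed body, host mcp.local) through
// the guard and returns the resulting HTTP status code.
func probe(h http.Handler, method, contentType, origin string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"ping"}`)
	req := httptest.NewRequest(method, "http://mcp.local/mcp", body)
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct{ method, ct, origin string }{
		{"POST", "application/json", ""},
		{"POST", "text/plain", ""},
		{"POST", "application/json", "http://evil.example"},
		{"POST", "application/json", "https://dashboard.example"},
	} {
		fmt.Printf("%s ct=%q origin=%q -> %d\n", c.method, c.ct, c.origin, probe(demoGuard, c.method, c.ct, c.origin))
	}
}
```

The Content-Type check only applies to POST because the Streamable HTTP transport's GET is the event stream and carries no JSON body; the origin check applies to every method, since a cross-site GET can still open that stream. When upgrading, the requests most likely to start failing are scripted clients that POST without a Content-Type header and browser front ends served from a host other than the MCP server, which is exactly the traffic the SDK's new checks are meant to refuse unless explicitly allowlisted.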

Links

Recommended Action

go get -u github.com/modelcontextprotocol/go-sdk@v1.4.1
go mod tidy

Testing Notes

  • Run all unit tests: make test-unit
  • Test MCP server initialization and tool calls
  • Verify HTTP-based MCP server interactions (if applicable)
  • Test that existing Copilot/Claude/Codex engine workflows still compile and run
  • Check that MCP tool proxying still works as expected (gh aw mcp list, gh aw mcp inspect)

Generated by Dependabot Dependency Checker

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

  • expires on Mar 18, 2026, 9:35 AM UTC

Metadata

Labels

  • cookie: Issue Monster Loves Cookies!
  • dependencies: Pull requests that update a dependency file
  • go

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests