deps: update github.com/modelcontextprotocol/go-sdk v1.4.0 → v1.4.1 (security patch)

[Copilot]

Security patch release for go-sdk that fixes a JSON parsing attack vector via segmentio/encoding and adds cross-origin request protection for HTTP Streamable MCP servers.

Changes

• github.com/modelcontextprotocol/go-sdk v1.4.0 → v1.4.1
• github.com/segmentio/encoding v0.5.3 → v0.5.4 (transitive; the actual security fix)

Notable behavior changes in v1.4.1

• HTTP JSON-RPC POST requests now require Content-Type: application/json
• New http.CrossOriginProtection validates request origins on HTTP Streamable servers
• A disablecrossoriginprotection debug knob is available if compatibility issues arise

---

---

✨ PR Review Safe Output Test - Run 23144223396

💥 [THE END] — Illustrated by Smoke Claude · ◷

---

---

✨ PR Review Safe Output Test - Run 23144378045

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[Copilot]

Pull request overview

Updates the MCP Go SDK dependency to pick up upstream security fixes (including the transitive segmentio/encoding patch) and associated HTTP transport hardening.

Changes:

• Bump github.com/modelcontextprotocol/go-sdk from v1.4.0 to v1.4.1
• Bump transitive github.com/segmentio/encoding from v0.5.3 to v0.5.4
• Refresh go.sum checksums accordingly

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
go.mod	Updates required module versions for the MCP Go SDK and its transitive security-fix dependency.
go.sum	Updates dependency checksums to match the new versions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[github-actions]

Noted! The origin validation change is worth testing specifically with the MCP inspector flow. Good catch on the Streamable HTTP behavior changes.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.4
curl	✅	8.5.0
gh	✅	2.87.3
node	✅	v20.20.0
python3	✅	3.12.3
go	✅	1.24.13
java	✅	10.0.102
dotnet	✅	10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ◷

[github-actions]

Commit pushed: 5411e15

Generated by Changeset Generator

[github-actions]

Smoke Test: Codex Engine Validation

• PRs: fix: wire call_workflow into consolidated safe_outputs handler-manager path #21218 fix: wire call_workflow into consolidated safe_outputs handler-manager path; fix: apply configured reviewers when creating pull request via safe output #21217 fix: apply configured reviewers when creating pull request via safe output
• GitHub MCP (2 merged PR titles): ✅
• Serena MCP (activate_project + >=3 symbols): ✅
• Playwright (github.com title contains GitHub): ✅
• Web Fetch (github.com response contains GitHub): ✅
• File write/read (/tmp/gh-aw/agent/smoke-test-codex-23144378014.txt): ✅
• Bash validation (cat readback): ✅
• Build (GOCACHE=/tmp/go-cache GOMODCACHE=/tmp/go-mod make build): ✅
• Overall status: PASS

References: §23144378014

🔮 The oracle has spoken through Smoke Codex · ◷

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• ab.chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"

See Network Configuration for more information.

[github-actions]

Smoke Test §23144377962 — @pelikhan

Test
GitHub MCP	✅
GH CLI (mcpscripts)	✅
Playwright	✅
Web Fetch	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
PR Review	✅
Workflow Dispatch	✅
Discussion Creation	✅

Overall: ✅ PASS

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions]

Dependency update looks clean. Two deps updated (go-sdk v1.4.1 security patch + transitive segmentio/encoding v0.5.4). LGTM.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Good security patch update for go-sdk v1.4.0 → v1.4.1. Keeping MCP dependencies up-to-date is important given this is a security patch.

[github-actions]

Transitive dependency segmentio/encoding also bumped (v0.5.3 → v0.5.4) as a result of this update — looks like an expected cascade.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke test results — Run §23144378045

Test	Result
1 GitHub MCP	✅
2 GH CLI	✅
3 Serena MCP	✅
4 Make Build	✅
5 Playwright	✅
6 Tavily Search	✅
7 File Write	✅
8 Bash	✅
9 Discussion comment	✅
10 AW MCP Status	✅
11 Update PR	✅
12 Review comments	✅
13 Submit review	✅
14 Resolve thread	⚠️
15 Add reviewer	✅
16 Push to branch	✅
17 Close test PR	⚠️

Overall: PARTIAL (15 ✅, 2 ⚠️ skipped)

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

The segmentio/encoding bump (v0.5.3 → v0.5.4) is a transitive dependency update alongside the MCP SDK upgrade. Good to see indirect dependencies kept in sync.

[github-actions]

Hash verified for github.com/modelcontextprotocol/go-sdk v1.4.1. Security patch looks clean.