Fix: upgrade @modelcontextprotocol/sdk to ^1.26.0 #241

Open
ajmfehr wants to merge 7 commits into main from fix/upgrade-mcp-sdk-cve

@ajmfehr ajmfehr commented Apr 27, 2026

Upgrades @modelcontextprotocol/sdk from ^1.25.2 to ^1.26.0 (resolved 1.27.1) to address a cross-client data leak vulnerability caused by transport and server/protocol instance reuse in stateless deployments.

… data leak CVE

Upgrades @modelcontextprotocol/sdk from ^1.25.2 to ^1.26.0 (resolved 1.27.1)
to address a cross-client data leak vulnerability caused by transport and
server/protocol instance reuse in stateless deployments.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 27, 2026 19:59
@ajmfehr ajmfehr requested a review from a team as a code owner April 27, 2026 19:59

Copilot AI left a comment

Pull request overview

Updates the workspace’s Model Context Protocol (MCP) SDK dependency to a newer minor release in order to pick up fixes for a reported cross-client data leak vulnerability related to transport/server/protocol instance reuse.

Changes:

  • Bump @modelcontextprotocol/sdk in the workspace catalog from ^1.25.2 to ^1.26.0.
  • Refresh pnpm-lock.yaml to resolve the SDK to 1.27.1 and update related transitive dependencies.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| pnpm-workspace.yaml | Updates the workspace catalog version range for @modelcontextprotocol/sdk. |
| pnpm-lock.yaml | Updates the resolved MCP SDK version (to 1.27.1) and adjusts transitive dependency graph accordingly. |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Comment thread pnpm-lock.yaml Outdated
gwharris7 previously approved these changes Apr 27, 2026
gwharris7 and others added 2 commits April 27, 2026 13:36
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 27, 2026 20:37
gwharris7 previously approved these changes Apr 27, 2026

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Comment thread pnpm-lock.yaml
Comment thread pnpm-workspace.yaml
@ajmfehr ajmfehr enabled auto-merge (squash) April 28, 2026 00:15
Copilot AI review requested due to automatic review settings April 28, 2026 02:21

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Comment thread pnpm-workspace.yaml

# Model Context Protocol SDK
"@modelcontextprotocol/sdk": "^1.25.2"
"@modelcontextprotocol/sdk": "^1.26.0"
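Review bot: the comment above the changed entry still reads only `# Model Context Protocol SDK`, so pnpm-workspace.yaml does not record that `^1.26.0` is a security floor rather than an ordinary bump. Extend that comment to say the minimum exists for the cross-client data leak fix, so that a later edit does not lower or loosen the range without noticing.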
Copilot AI Apr 28, 2026

PR description says the upgrade resolves to 1.27.1, but with the catalog specifier set to ^1.26.0 (and resolutionMode: "highest" in this workspace), the actual resolved version will float to the highest compatible release (currently 1.29.0 per the lockfile). Please update the PR description to match what will be installed, or pin the catalog entry to the intended tested version if you need to control the exact patch/minor used for the security fix.
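
The floating resolution raised in the review comment above can be checked against the lockfile itself. As an added example (not code from this pull request or the repository), the JavaScript below lists every version of the SDK that a pnpm lockfile resolves and flags any copy below the 1.26.0 floor; the lockfile text, the stale 1.25.2 entry, the zod version and all function names are constructed for illustration, and the key shape is an assumption about the lockfile format.

```javascript
// Added example, not the project's code: flag any copy of the SDK in a pnpm
// lockfile below the patched floor. Assumed key shape: 'name@version': with an
// optional leading "/" or "(peer@x)" suffix. MIN_FIXED is the PR's ^1.26.0 floor.
const PKG = "@modelcontextprotocol/sdk";
const MIN_FIXED = "1.26.0";

// Constructed sample, not the repository's real lockfile.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
catalogs:
  default:
    '@modelcontextprotocol/sdk':
      specifier: ^1.26.0
      version: 1.29.0
packages:
  '@modelcontextprotocol/sdk@1.25.2':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@modelcontextprotocol/sdk@1.29.0':
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  '@modelcontextprotocol/sdk@1.29.0(zod@3.25.76)': {}
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: Boolean(m[4]) };
}

// True when a < b; a prerelease sorts below its own release.
function lessThan(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i];
  return x.pre && !y.pre;
}

// Every distinct version of pkg that appears as a lockfile package key.
function resolvedVersions(lockText, pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const key = new RegExp(`^\\s+['"]?/?${esc}@(\\d[^'"(:\\s]*)`, "gm");
  return [...new Set([...lockText.matchAll(key)].map((m) => m[1]))];
}

function auditLock(lockText, pkg = PKG, minFixed = MIN_FIXED) {
  const versions = resolvedVersions(lockText, pkg);
  const vulnerable = versions.filter((v) => lessThan(v, minFixed));
  return { versions, vulnerable, ok: versions.length > 0 && vulnerable.length === 0 };
}
console.log(auditLock(SAMPLE_LOCK));
```

The catalog entry is deliberately not matched: only package keys carry a resolved version, so a second copy pulled in by another dependency is caught even when the catalog specifier looks correct.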