fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport)

[samuv]

Resolves npm audit security vulnerabilities and updates dependencies to their latest compatible versions for the v1.x release branch.

This is the backport of #1381

Motivation and Context

Running npm audit on the v1.x branch was reporting multiple high-severity security vulnerabilities:

1. Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):

   • JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
   • JWT Algorithm Confusion via Unsafe Default (HS256) allowing token forgery and auth bypass
   • Affects hono <4.11.4 (transitive dependency via @hono/node-server)
   • Fixed by bumping @hono/node-server to ^1.19.9 and adding hono ^4.11.4 as a direct dependency

2. qs package vulnerability:

   • Security issue in transitive dependency qs
   • Fixed by adding npm overrides to force qs@6.14.1

This PR addresses these vulnerabilities by:

• Bumping @hono/node-server to ^1.19.9
• Adding hono ^4.11.4 as a direct dependency (resolves Hono JWT vulnerabilities)
• Adding npm overrides for qs@6.14.1 (resolves qs vulnerability)
• Bumping other dependencies to latest compatible versions
• Updating test assertions to match updated library error messages

How Has This Been Tested?

• ✅ npm audit reports 0 vulnerabilities after this change
• ✅ All existing tests pass (npm test - all 1497 tests pass)
• ✅ npm run build completes successfully
• ✅ Test assertions updated to match jose library's updated error message format

Breaking Changes

None. This is a patch release with security fixes and dependency updates only.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Security fixes:

• Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):
  • @hono/node-server (^1.19.7 → ^1.19.9)
  • hono (added as direct dependency at ^4.11.4 to ensure secure version)
• qs vulnerability: npm overrides for qs@6.14.1

Dependency updates:

• express (^5.0.1 → ^5.2.1)
• express-rate-limit (^7.5.0 → ^8.2.1)
• jose (^6.1.1 → ^6.1.3)
• zod-to-json-schema (^3.23.2 → ^3.25.1)

Test fixes:

• Updated error message regex in packages/client/test/client/auth-extensions.test.ts to match jose library's updated error output (changed from /Invalid character/ to /cannot be part of a valid base64/)

Implementation notes:

• hono was added as a direct dependency instead of using npm overrides to ensure the secure version (4.11.4) is always installed, even as @hono/node-server updates its transitive dependencies
• All changes maintain backward compatibility with the v1.x branch

[changeset-bot]

⚠️ No Changeset found

Latest commit: dc70765

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1382

commit: dc70765

[KKonstantinov]

Hi, thank you for this. Since the qs issue is coming from express, and express is updated here, is there a real need for the qs override anymore?

[samuv]

Hi, thank you for this. Since the qs issue is coming from express, and express is updated here, is there a real need for the qs override anymore?

Hi @KKonstantinov 👋🏼, happy to help if I can
yeah, unfortunately the qs version is still the old one from the last release, but I saw they recently pushed a commit to main with the bump. It should be fixed in the next release

[felixweinberger]

Thanks for this!