deps(nuget): Bump ModelContextProtocol and ModelContextProtocol.AspNetCore#2402
Open
dependabot[bot] wants to merge 1 commit intomainfrom
Open
deps(nuget): Bump ModelContextProtocol and ModelContextProtocol.AspNetCore#2402dependabot[bot] wants to merge 1 commit intomainfrom
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
…tCore Bumps ModelContextProtocol from 1.1.0 to 1.2.0 Bumps ModelContextProtocol.AspNetCore from 1.1.0 to 1.2.0 --- updated-dependencies: - dependency-name: ModelContextProtocol dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: ModelContextProtocol.AspNetCore dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. Scanned FilesNone |
Contributor
🔍 Copilot Code Review — Six-Lens Analysis
📋 Summary
📁 Changed files (0)(none) No findings — all changed files passed the six-lens review. ℹ️ About this reviewThis review applies the six-lens framework from code-review-agent.md:
Severity scale: 🔴 CRITICAL (must fix before merge) · 🟡 WARNING (should address) · 🔵 INFO (minor) |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated ModelContextProtocol from 1.1.0 to 1.2.0.
Release notes
Sourced from ModelContextProtocol's releases.
1.2.0
This release improves stateless HTTP transport defaults and documentation with a breaking behavioral change that we are considering as a server reliability fix and therefore not bumping the major version with this release. Legacy SSE endpoints are now disabled by default with a new
HttpServerTransportOptions.EnableLegacySseproperty available to opt back into responding to the SSE endpoints; the property is marked as an[Obsolete]warning as we expect to remove this property in a future major version.A warning-level
[Obsolete]attribute is also applied to theRequestContext(McpServer, JsonRpcRequest)constructor, and theRequestContext(McpServer, JsonRpcRequest, TParams)overload should be used instead. This change contributes to fixes including DI scope lifetime in task-augmented tools, meta/progress combination failures, and outgoing message filter routing. We plan to remove the obsolete overload in a future major version.Breaking Changes
Refer to the C# SDK Versioning documentation for details on versioning and breaking change policies.
1. Disable legacy SSE by default #1468
MapMcp()no longer maps/sseand/messageendpoints by default. Servers whose clients connect via SSE will find those endpoints removed.Migrating from legacy SSE
If your clients connect to a
/sseendpoint (e.g.,https://my-server.example.com/sse), they were using the legacy SSE transport--if not running inStatelessmode. The/sseand/messageendpoints are now disabled by default (EnableLegacySseisfalseand marked[Obsolete]with diagnosticMCP9004). Upgrading the server SDK without updating clients will break SSE connections.Client-side migration. Change the client
Endpointfrom the/ssepath to the root MCP endpoint — the same URL your server passes toMapMcp(). For example:With the default
HttpTransportMode.AutoDetecttransport mode, the client automatically tries Streamable HTTP first. You can also setTransportMode = HttpTransportMode.StreamableHttpexplicitly if you know the server supports it.Server-side migration. If you previously relied on
/ssebeing mapped automatically, you now needEnableLegacySse = true(suppressing theMCP9004warning) to keep serving those endpoints. The recommended path is to migrate all clients to Streamable HTTP and then removeEnableLegacySse.Transition period. If some clients still need SSE while others have already migrated to Streamable HTTP, set
EnableLegacySse = truewithStateless = false. Both transports are served simultaneously byMapMcp()— Streamable HTTP on the root endpoint and SSE on/sseand/message. Once all clients have migrated, removeEnableLegacySseand optionally switch toStateless = true.SSE (legacy — opt-in only)
Legacy SSE endpoints are now disabled by default and must be explicitly enabled via
HttpServerTransportOptions.EnableLegacySse. This is the primary reason they are disabled — the SSE transport has no built-in HTTP-level backpressure.The legacy SSE transport separates the request and response channels: clients POST JSON-RPC messages to
/messageand receive responses through a long-lived GET SSE stream on/sse. The POST endpoint returns 202 Accepted immediately after queuing the message — it does not wait for the handler to complete. This means there is no HTTP-level backpressure on handler concurrency, because each POST frees its connection immediately regardless of how long the handler runs.Internally, handlers are dispatched with a fire-and-forget pattern. A client can send unlimited POST requests to
/messagewhile keeping the GET stream open, and each one spawns a concurrent handler with no built-in limit.The GET stream does provide session lifetime bounds: handler cancellation tokens are linked to the GET request's
HttpContext.RequestAborted, so when the client disconnects the SSE stream, all in-flight handlers are cancelled. This is similar to SignalR's connection-bound lifetime model — but unlike SignalR, there is no per-client concurrency limit likeMaximumParallelInvocationsPerClient. The GET stream provides cleanup on disconnect, not rate-limiting during the connection.2. Obsolete 2-arg RequestContext constructor #1462
The
RequestContext(McpServer, JsonRpcRequest)constructor is now[Obsolete]with diagnosticMCP9003, producing build warnings. TheParamsproperty is also changed fromTParams?toTParams.Migration: Use the new 3-arg constructor:
new RequestContext(server, request, parameters).What's Changed
... (truncated)
Commits viewable in compare view.
Updated ModelContextProtocol.AspNetCore from 1.1.0 to 1.2.0.
Release notes
Sourced from ModelContextProtocol.AspNetCore's releases.
1.2.0
This release improves stateless HTTP transport defaults and documentation with a breaking behavioral change that we are considering as a server reliability fix and therefore not bumping the major version with this release. Legacy SSE endpoints are now disabled by default with a new
HttpServerTransportOptions.EnableLegacySseproperty available to opt back into responding to the SSE endpoints; the property is marked as an[Obsolete]warning as we expect to remove this property in a future major version.A warning-level
[Obsolete]attribute is also applied to theRequestContext(McpServer, JsonRpcRequest)constructor, and theRequestContext(McpServer, JsonRpcRequest, TParams)overload should be used instead. This change contributes to fixes including DI scope lifetime in task-augmented tools, meta/progress combination failures, and outgoing message filter routing. We plan to remove the obsolete overload in a future major version.Breaking Changes
Refer to the C# SDK Versioning documentation for details on versioning and breaking change policies.
1. Disable legacy SSE by default #1468
MapMcp()no longer maps/sseand/messageendpoints by default. Servers whose clients connect via SSE will find those endpoints removed.Migrating from legacy SSE
If your clients connect to a
/sseendpoint (e.g.,https://my-server.example.com/sse), they were using the legacy SSE transport--if not running inStatelessmode. The/sseand/messageendpoints are now disabled by default (EnableLegacySseisfalseand marked[Obsolete]with diagnosticMCP9004). Upgrading the server SDK without updating clients will break SSE connections.Client-side migration. Change the client
Endpointfrom the/ssepath to the root MCP endpoint — the same URL your server passes toMapMcp(). For example:With the default
HttpTransportMode.AutoDetecttransport mode, the client automatically tries Streamable HTTP first. You can also setTransportMode = HttpTransportMode.StreamableHttpexplicitly if you know the server supports it.Server-side migration. If you previously relied on
/ssebeing mapped automatically, you now needEnableLegacySse = true(suppressing theMCP9004warning) to keep serving those endpoints. The recommended path is to migrate all clients to Streamable HTTP and then removeEnableLegacySse.Transition period. If some clients still need SSE while others have already migrated to Streamable HTTP, set
EnableLegacySse = truewithStateless = false. Both transports are served simultaneously byMapMcp()— Streamable HTTP on the root endpoint and SSE on/sseand/message. Once all clients have migrated, removeEnableLegacySseand optionally switch toStateless = true.SSE (legacy — opt-in only)
Legacy SSE endpoints are now disabled by default and must be explicitly enabled via
HttpServerTransportOptions.EnableLegacySse. This is the primary reason they are disabled — the SSE transport has no built-in HTTP-level backpressure.The legacy SSE transport separates the request and response channels: clients POST JSON-RPC messages to
/messageand receive responses through a long-lived GET SSE stream on/sse. The POST endpoint returns 202 Accepted immediately after queuing the message — it does not wait for the handler to complete. This means there is no HTTP-level backpressure on handler concurrency, because each POST frees its connection immediately regardless of how long the handler runs.Internally, handlers are dispatched with a fire-and-forget pattern. A client can send unlimited POST requests to
/messagewhile keeping the GET stream open, and each one spawns a concurrent handler with no built-in limit.The GET stream does provide session lifetime bounds: handler cancellation tokens are linked to the GET request's
HttpContext.RequestAborted, so when the client disconnects the SSE stream, all in-flight handlers are cancelled. This is similar to SignalR's connection-bound lifetime model — but unlike SignalR, there is no per-client concurrency limit likeMaximumParallelInvocationsPerClient. The GET stream provides cleanup on disconnect, not rate-limiting during the connection.2. Obsolete 2-arg RequestContext constructor #1462
The
RequestContext(McpServer, JsonRpcRequest)constructor is now[Obsolete]with diagnosticMCP9003, producing build warnings. TheParamsproperty is also changed fromTParams?toTParams.Migration: Use the new 3-arg constructor:
new RequestContext(server, request, parameters).What's Changed
... (truncated)
Commits viewable in compare view.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)