
deps(deps): bump the production-dependencies group across 1 directory with 5 updates #101

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/npm_and_yarn/dev/production-dependencies-78d28a7848


@dependabot dependabot bot commented on behalf of github Mar 30, 2026

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @modelcontextprotocol/sdk | 1.27.1 | 1.28.0 |
| axios | 1.13.6 | 1.14.0 |
| fast-xml-parser | 5.5.5 | 5.5.9 |
| jose | 6.2.1 | 6.2.2 |
| zod-to-json-schema | 3.25.1 | 3.25.2 |

Updates @modelcontextprotocol/sdk from 1.27.1 to 1.28.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.28.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

Commits
  • a056569 chore: bump version to 1.28.0 (#1746)
  • 897bc25 fix(server/auth): RFC 8252 loopback port relaxation (#1738)
  • 398dc70 fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller c...
  • 93640d3 fix: reject plain JSON Schema objects passed as inputSchema (#1596)
  • 4cbcec0 [v1.x backport] Default to client_secret_basic when server omits token_endpoi...
  • c9b58d1 feat: use scopes_supported from resource metadata by default (fixes #580) (#757)
  • 351e124 docs: add links to hosted V1 and V2 API reference docs
  • See full diff in compare view

Updates axios from 1.13.6 to 1.14.0

Release notes

Sourced from axios's releases.

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)
  • CommonJS Compatibility: Fixed package main entry regression affecting CJS consumers. (#7532)

🔧 Maintenance & Chores

  • Security/Dependencies: Updated formidable and refreshed package set to newer versions. (#7533, #10556)
  • Tooling: Continued migration to Vitest and modernised CI/test harnesses. (#7484, #7489, #7498)
  • Build/Lint Stack: Rollup, ESLint, TypeScript, and related dev-dependency updates. (#7508, #7509, #7522)
  • Documentation: Clarified JSON parsing and adapter-related docs/comments. (#7398, #7460, #7478)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

Full Changelog: v1.13.6...v1.14.0

Commits
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates fast-xml-parser from 5.5.5 to 5.5.9

Release notes

Sourced from fast-xml-parser's releases.

fix typings and matcher instance in callbacks

  • combine typings file to avoid configuration changes
  • pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

  • fix: entity expansion limits
  • update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entity expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

... (truncated)

Commits
  • a8934f9 upgrade strnum
  • 23d13e4 combine typing files
  • 0c0a7dc update maintenance docs
  • a92a665 pass read only matcher in call back
  • a21c441 update package detail
  • 239b64a check for min value for entity exapantion options
  • 61cb666 restrict more properties to be unsafe
  • 41abd66 performance improvement of reading DOCTYPE
  • 3dfcd20 refactor: performance improvement
  • 870043e update release info
  • Additional commits viewable in compare view

Updates jose from 6.2.1 to 6.2.2

Release notes

Sourced from jose's releases.

v6.2.2

Fixes

  • reject failed decompression with JWEInvalid error (043b181)

Changelog

Sourced from jose's changelog.

6.2.2 (2026-03-18)

Fixes

  • reject failed decompression with JWEInvalid error (043b181)

Commits
  • 9c86586 chore(release): 6.2.2
  • 4984b5c chore(deps): bump the actions group with 4 updates
  • 043b181 fix: reject failed decompression with JWEInvalid error
  • 867cc2c chore(deps-dev): bump undici
  • f4e20e7 chore(deps-dev): bump tar in the npm_and_yarn group across 1 directory
  • d0505bf chore: cleanup after release
  • See full diff in compare view

Updates zod-to-json-schema from 3.25.1 to 3.25.2

Changelog

Sourced from zod-to-json-schema's changelog.

Changelog

| Version | Change |
| --- | --- |
| 3.25.2 | Bumps the peer dependency of Zod 3 to 3.25.28 - Versions before patch 13 caused OOM issues and versions between that and 28 removed the /v3 import alias. |
| 3.25.1 | Fixes large install size due to accidental inclusion of test files. Thanks, Felix Mosheev! |
| 3.25.0 | Adds support for v3.25 and v3 through v4 (import { z } from "zod/v3"). Big thank you to both Andrey Gubanovs and especially to Faïz Hernawan Abdillah, whose more minimal implementation was merged. This will likely be the final release of zod-to-json-schema, as v4 now supports JSON schema natively. |
| 3.24.6 | Removed use of instanceOf to check for optional properties as differing package versions could produce intermittent bugs. Added OpenAiAnyType to work around their schema restrictions. |
| 3.24.5 | Update .npmignore to drop 2 mb of test files. Thanks Misha Kaletsky! |
| 3.24.4 | Added options to set the value of additionalProperties in objects and record |
| 3.24.3 | Adds postProcess callback option |
| 3.24.2 | Restructured internals to remove circular dependencies which apparently might cause some build systems to whine a bit. Big thanks to Víctor Hernández for the fix. |
| 3.24.1 | Adds OpenAI target |
| 3.24.0 | Implements new string checks (jwt, base64url, cidr ipv4/v6), matching the new Zod version |
| 3.23.5 | Module import hotfix by Enzo Monjardín. Thanks! |
| 3.23.4 | Fixes branded regex property names and a weird edgecase in arrays. Thanks to Isaiah Marc Sanchez and Mitchell Merry! |
| 3.23.3 | More tests (Thanks Brett Zamir!), removed dead code |
| 3.23.2 | Lazily loads Emoji regex to avoid incompatibility with some environments. Thanks Jacob Lee! |
| 3.23.1 | Best-effort RegEx flag support by Spappz! Some minor fixes and additions, such as the title option. |
| 3.23.0 | Adds support for base64, date, time, duration and nanoid string validations. A warm welcome and a big thanks to Colin, the creator of Zod, joining in as a contributor :) |
| 3.22.5 | Adds new z.date() parsing options and override callback |
| 3.22.4 | Adds fix for nullable references in OpenAPI mode |
| 3.22.3 | Adjust root path from "#/" to "#" according to RFC 6901 |
| 3.22.2 | Adds "output" pipe strategy |
| 3.22.1 | Fixes broken imports when using some bundlers |
| 3.22.0 | Support readonly. Export both CJS and ESM. Export everything from index. Alternative map parser. Improved pattern handling and updated sources. |
| 3.21.4 | Fixes missing support for exact array length |
| 3.21.3 | Fixes issue #77 (Reference path to nullable schemas in Open-API mode) |
| 3.21.2 | Adds "integer" type Date output to support min/max checks, markdownDescription option, fixes "none" refStrategy by adding "seen" and adds an option to use "pattern" with Zods' email enum instead of "format". |
| 3.21.1 | New target (2019-09) along with improved intersection schemas, improved mutual recursion references in definitions, descriptions respected in union parser and not removed in collapsed |
| 3.21.0 | Added new string validations (ip, emoji, etc) and BigInt checks to support Zod 3.21 |
| 3.20.5 | Added uniqueItems to Set and an option to disregard pipe schemas |
| 3.20.4 | Bugfixes and improved record parsing for openApi3 |
| 3.20.3 | Added Cuid2 support introduced in Zod 3.20.3 |
| 3.20.2 | Reintroduced conditional simplified return-type for when target is OpenAPI 3 |
| 3.20.1 | Fixed inconsistent casing in imports |
| 3.20.0 | Adds support for Zod 3.20 with catch and pipe parser as well as new string validations. Refactored Ref handling; adding definitions no longer considered experimental. Main API function refactored and simplified; output type less defined but a lot easier to maintain. Doubt anyone will miss it. Narrator: Someone did in fact miss it |
| 3.19.4 | Adds custom error message support |
| 3.19.3 | Mark definitions as experimental in the readme |
| 3.19.2 | Added definitions option |
| 3.19.1 | Strict unions fix |
| 3.19.0 | No new features added in Zod, parity bump |
| 3.18.2 | Fixes support for native enums |
| 3.18.1 | Add strictUnions options |
| 3.18.0 | Added support for branded types |
| 3.17.2 | Fix for reference paths when supplying name option string. |
| 3.17.1 | Added startsWith and endsWith string checks. Merge multiple pattern checks into allOf array. |
| 3.17.0 | Added switch case handler for new trim "check". No changes to functionality. |
| 3.15.x - 3.16.x | Skipped: Did not change the Zod API in any way relevant for this package. |
| 3.14.1 | Dependabot security updates |

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Upgrade five production dependencies for stability, security, and better standards compatibility. Notable updates include @modelcontextprotocol/sdk 1.28.0 and axios 1.14.0 bug fixes.

  • Dependencies
    • @modelcontextprotocol/sdk: 1.27.1 → 1.28.0 — defaults to scopes_supported and client_secret_basic; stricter inputSchema validation.
    • axios: 1.13.6 → 1.14.0 — fixes CJS main, HTTP/2 session cleanup, and env proxy handling via proxy-from-env v2. Verify env proxy settings if used.
    • fast-xml-parser: 5.5.5 → 5.5.9 — entity expansion limits and typings fixes.
    • jose: 6.2.1 → 6.2.2 — correct JWE decompression error handling.
    • zod-to-json-schema: 3.25.1 → 3.25.2 — peer dep updated to Zod 3.25.28+ or v4.

Written for commit 8ec28e2. Summary will update on new commits.

… with 5 updates

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.27.1` | `1.28.0` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.14.0` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.5.5` | `5.5.9` |
| [jose](https://github.com/panva/jose) | `6.2.1` | `6.2.2` |
| [zod-to-json-schema](https://github.com/StefanTerdell/zod-to-json-schema) | `3.25.1` | `3.25.2` |



Updates `@modelcontextprotocol/sdk` from 1.27.1 to 1.28.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0)

Updates `axios` from 1.13.6 to 1.14.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.14.0)

Updates `fast-xml-parser` from 5.5.5 to 5.5.9
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.9)

Updates `jose` from 6.2.1 to 6.2.2
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v6.2.1...v6.2.2)

Updates `zod-to-json-schema` from 3.25.1 to 3.25.2
- [Release notes](https://github.com/StefanTerdell/zod-to-json-schema/releases)
- [Changelog](https://github.com/StefanTerdell/zod-to-json-schema/blob/master/changelog.md)
- [Commits](https://github.com/StefanTerdell/zod-to-json-schema/commits)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: axios
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: fast-xml-parser
  dependency-version: 5.5.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: jose
  dependency-version: 6.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: zod-to-json-schema
  dependency-version: 3.25.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

codeant-ai bot commented Mar 30, 2026

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.


changeset-bot bot commented Mar 30, 2026

⚠️ No Changeset found

Latest commit: 8ec28e2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
