[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.9.0 to 1.25.2#50
[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.9.0 to 1.25.2#50
Conversation
…earch-mcp-server/pnpm-lock.yaml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
omercnet
requested review from
anvibanga,
gaokevin1 and
mrunankpawar
as code owners
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
✅ Deploy Preview for express-mcp-server canceled.
|
✅ Deploy Preview for mcp-example-oauth canceled.
|
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
remote-mcp-server-bearer-auth | 0d3289c | Jan 10 2026, 10:35 AM |
There was a problem hiding this comment.
Pull request overview
This PR upgrades @modelcontextprotocol/sdk from version 1.9.0 to 1.25.2 to address a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802) with a priority score of 828.
Changes:
- Updated
@modelcontextprotocol/sdkdependency from^1.7.0to^1.25.2in package.json - Updated pnpm lockfile with new dependency resolutions including new transitive dependencies (ajv, ajv-formats, @hono/node-server, jose 6.1.3, json-schema-typed, and others)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/brave-search-mcp-server/package.json | Updates SDK dependency specifier to fix security vulnerability |
| examples/brave-search-mcp-server/pnpm-lock.yaml | Resolves updated dependencies and adds new transitive dependencies required by SDK v1.25.2 |
Files not reviewed (1)
- examples/brave-search-mcp-server/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@cloudflare/workers-oauth-provider": "^0.0.2", | ||
| "@modelcontextprotocol/sdk": "^1.7.0", | ||
| "@modelcontextprotocol/sdk": "^1.25.2", |
There was a problem hiding this comment.
The upgraded @modelcontextprotocol/sdk version 1.25.2 requires zod ^3.25 or ^4.0 as a peer dependency, but the project currently has zod@3.24.2 installed. This version does not satisfy the ^3.25 requirement. While pnpm has resolved this, it will likely generate peer dependency warnings during installation. Consider updating the zod dependency to at least version 3.25.0 to ensure compatibility.
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/brave-search-mcp-server/package.jsonexamples/brave-search-mcp-server/pnpm-lock.yamlVulnerabilities that will be fixed with an upgrade:
SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)