[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.9.0 to 1.25.2#51
[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.9.0 to 1.25.2#51
Conversation
…server/pnpm-lock.yaml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| 🔵 In progress View logs |
brave-search-mcp-server | 3c10bc6 | Jan 12 2026, 09:56 AM |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| 🔵 In progress View logs |
remote-mcp-server-bearer-auth | 3c10bc6 | Jan 12 2026, 09:56 AM |
✅ Deploy Preview for mcp-example-oauth canceled.
|
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
remote-mcp-server-bearer-auth | 3c10bc6 | Jan 12 2026, 09:57 AM |
✅ Deploy Preview for express-mcp-server canceled.
|
There was a problem hiding this comment.
Pull request overview
This PR upgrades the @modelcontextprotocol/sdk dependency from version 1.9.0 to 1.25.2 to address a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802) with a priority score of 828.
Changes:
- Upgraded
@modelcontextprotocol/sdkfrom ^1.7.0 to ^1.25.2 in package.json - Updated pnpm-lock.yaml with new dependency tree including additional transitive dependencies
- Added new dependencies: ajv, ajv-formats, @hono/node-server, jose 6.1.3, and others required by the upgraded SDK
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/weather-mcp-server/package.json | Updated SDK version specifier to ^1.25.2 to address security vulnerability |
| examples/weather-mcp-server/pnpm-lock.yaml | Updated lock file with new SDK version, additional transitive dependencies, and updated zod-to-json-schema to 3.25.1 |
Files not reviewed (1)
- examples/weather-mcp-server/pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@cloudflare/workers-oauth-provider": "^0.0.2", | ||
| "@modelcontextprotocol/sdk": "^1.7.0", | ||
| "@modelcontextprotocol/sdk": "^1.25.2", |
There was a problem hiding this comment.
The upgraded @modelcontextprotocol/sdk version 1.25.2 requires zod version ^3.25 or ^4.0 as a peer dependency, but the project is currently using zod version ^3.24.2. This version mismatch may cause runtime errors or unexpected behavior. The zod dependency in package.json should be upgraded to at least ^3.25.0 to satisfy the peer dependency requirement of the SDK.
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/weather-mcp-server/package.jsonexamples/weather-mcp-server/pnpm-lock.yamlVulnerabilities that will be fixed with an upgrade:
SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)