chore(deps): bump @modelcontextprotocol/ext-apps from 1.6.0 to 1.7.1 in the production-minor group

[dependabot]

Bumps the production-minor group with 1 update: @modelcontextprotocol/ext-apps.

Updates @modelcontextprotocol/ext-apps from 1.6.0 to 1.7.1

Release notes

Sourced from @​modelcontextprotocol/ext-apps's releases.

1.7.1

Changes since 1.7.0

No SDK API changes in this release.

Examples

• pdf-server: lazy form extraction via range transport + incremental viewer scans (#639)
• pdf-server: share cache across server instances and dedupe form parsing (#637)
• qr-server: pass host/port to FastMCP for Docker compatibility (#372)

Tests

• Unit tests for buildAllowAttribute (#541)
• Unit coverage for PostMessageTransport source validation (#536)

Docs

• Update contributing guide on package preview (#601)

Test Plan

• Pre-commit hook ran npm run build:all successfully

1.7.0

Changes since 1.6.0

Features

• App.registerTool() / sendToolListChanged() — Views can expose tools for the Host to call (WebMCP-style) (#72)
• App.createSamplingMessage() — sampling support via stock SDK types (#530)
• Handshake-ordering guards (console.warn, or throw with AppOptions.strict): App host-bound methods warn when called before connect() completes; one-shot event handlers (ontoolinput/ontoolresult/etc.) warn when first registered after connect(); AppBridge warns when it receives requests before ui/notifications/initialized (#623, #629, #625, #630, #631)
• AppOptions.allowUnsafeEval (default false) — App constructor sets z.config({ jitless: true }) so Views run under strict CSP without unsafe-eval; opt out for the faster JIT path (#618)
• useApp() forwards autoResize and strict to the underlying App (#622)

Fixes

• useApp effect cleanup now closes the App, so React StrictMode's dev double-invoke doesn't leave a zombie PostMessageTransport listener receiving every host message alongside the live instance (#631)
• csp / permissions typed ?: never on McpUiToolMeta so misplaced declarations fail at compile time (#624)
• Drop stale resourceUri JSDoc that referenced the deprecated flat _meta["ui/resourceUri"] key (#626)

Chore

• npm run bump script for version bumps across root + workspaces; npm-publish jobs now approve in a single click; prereleases publish under --tag beta (#568)
• Pre-commit hook: skip link-self when target is a symlink; --diff-filter=d so re-stage doesn't fail on deletions (#621)
• Bump vite / hono / @​hono/node-server to patched versions (#616)
• Examples policy added to CONTRIBUTING.md (#550)

Commits

• 0008d3b chore: bump ext-apps to 1.7.1 (#643)
• ba31be1 perf(pdf-server): lazy form extraction via range transport + incremental view...
• 30a78b6 perf(pdf-server): share cache across server instances and dedupe form parsing...
• 7344d4c fix(docs): update contributing guide on package preview (#601)
• 0f6d653 test: add unit tests for buildAllowAttribute (#541)
• 0b83679 fix(qr-server): pass host/port to FastMCP for Docker compatibility (#372)
• 77b8daa test: add unit coverage for PostMessageTransport source validation (#536)
• 64b4fa1 chore: bump ext-apps to 1.7.0 (#628)
• 3e99500 build: add npm run bump; parallel npm-publish approval (#568)
• cc02e17 fix(react): StrictMode cleanup + relax late-handler guard for re-reg (#631)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions