Skip to content

Bump the minor-dependencies group across 1 directory with 4 updates#429

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/minor-dependencies-b24e16df0f
Open

Bump the minor-dependencies group across 1 directory with 4 updates#429
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/minor-dependencies-b24e16df0f

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026
edited
Loading

Bumps the minor-dependencies group with 3 updates in the / directory: github.com/modelcontextprotocol/go-sdk, golang.org/x/crypto and github.com/spf13/pflag.

Updates github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.4.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.1

This release is a patch release for v1.4.0.

It contains cherry-picks for several security improvements. Security advisories will follow.

Fixes

Update of the segmentio/encoding module version

The JSON parsing library that was adopted to avoid attacks taking advantage of the Go's standard parser being case insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.

Cross-origin requests protection

We have added additional protection against cross origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.

Since this is a behavior change, we introduced a compatibility parameter disablecrossoriginprotection that will allow to temporarily disable it. It will be removed in v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.

Allowing customization of http.Client for client-side OAuth

We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.

Pull requests

Full Changelog: modelcontextprotocol/go-sdk@v1.4.0...v1.4.1

Commits
  • 580f2a0 mcp: verify 'Origin' and 'Content-Type' headers (#842)
  • 421ddf1 auth: allow passing custom http.Client to AuthorizationCodeHandler (#840)
  • 515f11b internal: fix Unicode zero character handling (#841)
  • See full diff in compare view

Updates golang.org/x/crypto from 0.48.0 to 0.49.0

Commits
  • 982eaa6 go.mod: update golang.org/x dependencies
  • 159944f ssh,acme: clean up tautological/impossible nil conditions
  • a408498 acme: only require prompt if server has terms of service
  • cab0f71 all: upgrade go directive to at least 1.25.0 [generated]
  • 2f26647 x509roots/fallback: update bundle
  • See full diff in compare view

Updates golang.org/x/term from 0.40.0 to 0.41.0

Commits
  • 9d2dc07 go.mod: update golang.org/x dependencies
  • d954e03 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Updates github.com/spf13/pflag from 1.0.9 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

What's Changed

New Contributors

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

Commits
  • 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
  • 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
  • 7e4dfb1 Test on Go 1.12
  • 18a9d17 move Func, BoolFunc, tests as they require go1.21
  • c5b9e98 remove uses of errors.Is, which requires go1.13
  • 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
  • See full diff in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Mar 16, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/minor-dependencies-b24e16df0f branch from 681478b to c63f994 Compare March 23, 2026 20:08
@dependabot dependabot bot changed the title Bump the minor-dependencies group with 4 updates Bump the minor-dependencies group across 1 directory with 4 updates Mar 30, 2026
@dependabot dependabot bot force-pushed the dependabot/go_modules/minor-dependencies-b24e16df0f branch from c63f994 to 6c3f296 Compare March 30, 2026 21:13
@dependabot
Bump the minor-dependencies group with 4 updates
4389f66 
Bumps the minor-dependencies group with 4 updates: [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk), [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/term](https://github.com/golang/term) and [github.com/spf13/pflag](https://github.com/spf13/pflag).


Updates `github.com/modelcontextprotocol/go-sdk` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.4.0...v1.4.1)

Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0
- [Commits](golang/crypto@v0.48.0...v0.49.0)

Updates `golang.org/x/term` from 0.40.0 to 0.41.0
- [Commits](golang/term@v0.40.0...v0.41.0)

Updates `github.com/spf13/pflag` from 1.0.9 to 1.0.10
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.9...v1.0.10)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-dependencies
- dependency-name: golang.org/x/crypto
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-dependencies
- dependency-name: golang.org/x/term
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-dependencies
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/minor-dependencies-b24e16df0f branch from 6c3f296 to 4389f66 Compare April 6, 2026 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants