Skip to content

fix: upgrade @modelcontextprotocol/sdk to 1.26.0 (patch 2 high vulns)#74

Open
phin3has wants to merge 1 commit into
Coding-Solo:mainfrom
phin3has:fix/mcp-sdk-vulnerability
Open

fix: upgrade @modelcontextprotocol/sdk to 1.26.0 (patch 2 high vulns)#74
phin3has wants to merge 1 commit into
Coding-Solo:mainfrom
phin3has:fix/mcp-sdk-vulnerability

Conversation

@phin3has
Copy link
Copy Markdown

@phin3has phin3has commented Feb 22, 2026

Summary

  • Bumps @modelcontextprotocol/sdk from 0.6.0 to ^1.26.0
  • Patches two HIGH severity vulnerabilities reported by npm audit
  • No code changes to src/index.ts — SDK API is fully backwards-compatible

Vulnerabilities fixed

Advisory Severity Description Fixed in
GHSA-8r9q-7v3j-jr4g HIGH ReDoS in MCP TypeScript SDK ≥ 1.25.2
GHSA-w48q-cv73-mx4w HIGH Missing DNS rebinding protection ≥ 1.24.0

Verification

$ npm audit
found 0 vulnerabilities

$ npm run build
Successfully copied godot_operations.gd to build/scripts
Build scripts completed successfully!

Test plan

  • npm install completes without errors
  • npm run build exits 0 (build/index.js and build/scripts/godot_operations.gd present)
  • npm audit reports found 0 vulnerabilities
  • No changes to src/index.ts — all existing tool handlers, parameter normalization, and Godot invocation logic unchanged

🤖 Generated with Claude Code

@phin3has @claude
fix: upgrade @modelcontextprotocol/sdk to 1.26.0 to patch high-severi…
e960f39 
…ty vulns

Fixes two high-severity vulnerabilities:
- GHSA-8r9q-7v3j-jr4g: ReDoS in MCP TypeScript SDK (fixed in >=1.25.2)
- GHSA-w48q-cv73-mx4w: Missing DNS rebinding protection (fixed in >=1.24.0)

No code changes required — the SDK API is fully backwards-compatible.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
60999 added a commit to 60999/godot-mcp that referenced this pull request Mar 10, 2026
@60999
Merge PR Coding-Solo#74: fix: upgrade @modelcontextprotocol/sdk to 1.…
9ab4412 
…26.0 (patch 2 high vulns)
60999 added a commit to 60999/godot-mcp that referenced this pull request Mar 10, 2026
@60999
Merge PR Coding-Solo#74: fix: upgrade @modelcontextprotocol/sdk to 1.…
8f06c2c 
…26.0 (patch 2 high vulns)
@60999 60999 mentioned this pull request Mar 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phin3has