fix: Upgrade @modelcontextprotocol/sdk to ^1.24.0 (#7817)

## What? Upgrades @modelcontextprotocol/sdk from ^1.20.2 to ^1.24.0 in the TypeScript SDK's devDependencies. ## Why? Related to #7737 - keeping development dependencies up to date with the latest MCP SDK version that includes the fix for CVE-2025-66414. Note: This change does not address the CVE for Codex users, as the MCP SDK is only in devDependencies here. The actual MCP integration that would be affected by the CVE is in the Rust codebase. ## How? • Updated dependency version in sdk/typescript/package.json • Ran pnpm install to update lockfile • Fixed formatting (added missing newline in package.json) ## Related Issue Related to #7737 ## Test Status ⚠️ After this upgrade, 2 additional tests timeout (1 test was already failing on main): • tests/run.test.ts: "sends previous items when run is called twice" • tests/run.test.ts: "resumes thread by id" • tests/runStreamed.test.ts: "sends previous items when runStreamed is called twice" Marking as draft to investigate test timeouts. Maintainer guidance would be appreciated. Co-authored-by: HalfonA <amit@miggo.io>
2026-02-01 22:47:52 +00:00 · 2025-12-10 20:17:00 +02:00
parent f677d05871
commit bd51d1b103
2 changed files with 68 additions and 8 deletions
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,8 +20,8 @@ importers:
  sdk/typescript:
    devDependencies:
      '@modelcontextprotocol/sdk':
-        specifier: ^1.20.2
-        version: 1.20.2
+        specifier: ^1.24.0
+        version: 1.24.3(zod@3.25.76)
      '@types/jest':
        specifier: ^29.5.14
        version: 29.5.14
@@ -573,9 +573,15 @@ packages:
  '@jridgewell/trace-mapping@0.3.9':
    resolution: {integrity: sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==}

-  '@modelcontextprotocol/sdk@1.20.2':
-    resolution: {integrity: sha512-6rqTdFt67AAAzln3NOKsXRmv5ZzPkgbfaebKBqUbts7vK1GZudqnrun5a8d3M/h955cam9RHZ6Jb4Y1XhnmFPg==}
+  '@modelcontextprotocol/sdk@1.24.3':
+    resolution: {integrity: sha512-YgSHW29fuzKKAHTGe9zjNoo+yF8KaQPzDC2W9Pv41E7/57IfY+AMGJ/aDFlgTLcVVELoggKE4syABCE75u3NCw==}
    engines: {node: '>=18'}
+    peerDependencies:
+      '@cfworker/json-schema': ^4.1.1
+      zod: ^3.25 || ^4.0
+    peerDependenciesMeta:
+      '@cfworker/json-schema':
+        optional: true

  '@nodelib/fs.scandir@2.1.5':
    resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==}
@@ -846,9 +852,20 @@ packages:
    engines: {node: '>=0.4.0'}
    hasBin: true

+  ajv-formats@3.0.1:
+    resolution: {integrity: sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==}
+    peerDependencies:
+      ajv: ^8.0.0
+    peerDependenciesMeta:
+      ajv:
+        optional: true
+
  ajv@6.12.6:
    resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}

+  ajv@8.17.1:
+    resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==}
+
  ansi-escapes@4.3.2:
    resolution: {integrity: sha512-gKXj5ALrKWQLsYG9jlTRmR/xKluxHV+Z9QEwNIgCfM1/uwPMCuzVVnh5mwTd+OuBZcwSIMbqssNWRm1lE51QaQ==}
    engines: {node: '>=8'}
@@ -1294,6 +1311,9 @@ packages:
  fast-levenshtein@2.0.6:
    resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==}

+  fast-uri@3.1.0:
+    resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==}
+
  fastq@1.19.1:
    resolution: {integrity: sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==}

@@ -1677,6 +1697,9 @@ packages:
      node-notifier:
        optional: true

+  jose@6.1.3:
+    resolution: {integrity: sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==}
+
  joycon@3.1.1:
    resolution: {integrity: sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw==}
    engines: {node: '>=10'}
@@ -1706,6 +1729,9 @@ packages:
  json-schema-traverse@0.4.1:
    resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}

+  json-schema-traverse@1.0.0:
+    resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
+
  json-stable-stringify-without-jsonify@1.0.1:
    resolution: {integrity: sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==}

@@ -2053,6 +2079,10 @@ packages:
    resolution: {integrity: sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==}
    engines: {node: '>=0.10.0'}

+  require-from-string@2.0.2:
+    resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
+    engines: {node: '>=0.10.0'}
+
  resolve-cwd@3.0.0:
    resolution: {integrity: sha512-OrZaX2Mb+rJCpH/6CpSqt9xFVpN++x01XnN2ie9g6P5/3xelLAkXWVADpdz1IHD/KFfEXyE6V0U01OQ3UO2rEg==}
    engines: {node: '>=8'}
@@ -2476,6 +2506,11 @@ packages:
    peerDependencies:
      zod: ^3.24.1

+  zod-to-json-schema@3.25.0:
+    resolution: {integrity: sha512-HvWtU2UG41LALjajJrML6uQejQhNJx+JBO9IflpSja4R03iNWfKXrj6W2h7ljuLyc1nKS+9yDyL/9tD1U/yBnQ==}
+    peerDependencies:
+      zod: ^3.25 || ^4
+
  zod@3.25.76:
    resolution: {integrity: sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==}

@@ -3012,9 +3047,10 @@ snapshots:
      '@jridgewell/resolve-uri': 3.1.2
      '@jridgewell/sourcemap-codec': 1.5.5

-  '@modelcontextprotocol/sdk@1.20.2':
+  '@modelcontextprotocol/sdk@1.24.3(zod@3.25.76)':
    dependencies:
-      ajv: 6.12.6
+      ajv: 8.17.1
+      ajv-formats: 3.0.1(ajv@8.17.1)
      content-type: 1.0.5
      cors: 2.8.5
      cross-spawn: 7.0.6
@@ -3022,10 +3058,11 @@ snapshots:
      eventsource-parser: 3.0.6
      express: 5.1.0
      express-rate-limit: 7.5.1(express@5.1.0)
+      jose: 6.1.3
      pkce-challenge: 5.0.0
      raw-body: 3.0.1
      zod: 3.25.76
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
+      zod-to-json-schema: 3.25.0(zod@3.25.76)
    transitivePeerDependencies:
      - supports-color

@@ -3292,6 +3329,10 @@ snapshots:

  acorn@8.15.0: {}

+  ajv-formats@3.0.1(ajv@8.17.1):
+    optionalDependencies:
+      ajv: 8.17.1
+
  ajv@6.12.6:
    dependencies:
      fast-deep-equal: 3.1.3
@@ -3299,6 +3340,13 @@ snapshots:
      json-schema-traverse: 0.4.1
      uri-js: 4.4.1

+  ajv@8.17.1:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-uri: 3.1.0
+      json-schema-traverse: 1.0.0
+      require-from-string: 2.0.2
+
  ansi-escapes@4.3.2:
    dependencies:
      type-fest: 0.21.3
@@ -3795,6 +3843,8 @@ snapshots:

  fast-levenshtein@2.0.6: {}

+  fast-uri@3.1.0: {}
+
  fastq@1.19.1:
    dependencies:
      reusify: 1.1.0
@@ -4367,6 +4417,8 @@ snapshots:
      - supports-color
      - ts-node

+  jose@6.1.3: {}
+
  joycon@3.1.1: {}

  js-tokens@4.0.0: {}
@@ -4388,6 +4440,8 @@ snapshots:

  json-schema-traverse@0.4.1: {}

+  json-schema-traverse@1.0.0: {}
+
  json-stable-stringify-without-jsonify@1.0.1: {}

  json5@2.2.3: {}
@@ -4670,6 +4724,8 @@ snapshots:

  require-directory@2.1.1: {}

+  require-from-string@2.0.2: {}
+
  resolve-cwd@3.0.0:
    dependencies:
      resolve-from: 5.0.0
@@ -5116,4 +5172,8 @@ snapshots:
    dependencies:
      zod: 3.25.76

+  zod-to-json-schema@3.25.0(zod@3.25.76):
+    dependencies:
+      zod: 3.25.76
+
  zod@3.25.76: {}
--- a/sdk/typescript/package.json
+++ b/sdk/typescript/package.json
@@ -45,7 +45,7 @@
    "prepare": "pnpm run build"
  },
  "devDependencies": {
-    "@modelcontextprotocol/sdk": "^1.20.2",
+    "@modelcontextprotocol/sdk": "^1.24.0",
    "@types/jest": "^29.5.14",
    "@types/node": "^20.19.18",
    "eslint": "^9.36.0",