[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.15.1 to 1.25.2#145
[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.15.1 to 1.25.2#145
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
There was a problem hiding this comment.
Pull request overview
This PR upgrades the @modelcontextprotocol/sdk dependency from version 1.15.1 to 1.25.2 to fix a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802) with a severity score of 828/1000.
Changes:
- Updated @modelcontextprotocol/sdk from ^1.15.1 to ^1.25.2 in package.json
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@descope/node-sdk": "^1.7.11", | ||
| "@modelcontextprotocol/sdk": "^1.15.1", | ||
| "@modelcontextprotocol/sdk": "^1.25.2", |
There was a problem hiding this comment.
The package.json specifies version ^1.25.2 but the pnpm-lock.yaml file has not been updated and still references version 1.15.1. This mismatch will cause dependency resolution issues. The lockfile must be regenerated by running pnpm install to ensure the correct version is locked and installed consistently across environments.
| "@modelcontextprotocol/sdk": "^1.25.2", | |
| "@modelcontextprotocol/sdk": "^1.15.1", |
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)