
VULN UPGRADE: minor upgrades — 22 packages (minor: 13 · patch: 9) [src/order-mcp] #602

Open

campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/order-mcp/0-1770982426

Conversation

@campaigner-prod
Contributor

Summary: High-severity security update — 23 packages upgraded (MINOR changes included)

Manifests changed:

  • src/order-mcp (npm)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | 1.11.0 | 1.26.0 | minor | 6 HIGH |
| @modelcontextprotocol/sdk | 1.13.1 | 1.26.0 | minor | 6 HIGH |
| @aws-sdk/client-cloudformation | 3.835.0 | 3.984.0 | minor | - |
| @aws-sdk/client-dynamodb | 3.835.0 | 3.984.0 | minor | - |
| @aws-sdk/client-eventbridge | 3.835.0 | 3.984.0 | minor | - |
| @aws-sdk/client-sfn | 3.835.0 | 3.984.0 | minor | - |
| @aws-sdk/client-sqs | 3.835.0 | 3.984.0 | minor | - |
| @aws-sdk/client-ssm | 3.835.0 | 3.984.0 | minor | - |
| aws-cdk-lib | 2.202.0 | 2.237.1 | minor | - |
| datadog-cdk-constructs-v2 | 2.6.0 | 2.8.0 | minor | - |
| dd-trace | 5.56.0 | 5.85.0 | minor | - |
| express | 5.1.0 | 5.2.1 | minor | - |
| serverless-plugin-datadog | 5.98.0 | 5.121.3 | minor | - |
| typescript | 5.8.3 | 5.9.3 | minor | - |
| @types/aws-lambda | 8.10.150 | 8.10.160 | patch | - |
| @types/express | 5.0.3 | 5.0.6 | patch | - |
| aws-cdk | 2.1019.1 | 2.1019.2 | patch | - |
| constructs | 10.4.2 | 10.4.5 | patch | - |
| jsonwebtoken | 9.0.2 | 9.0.3 | patch | - |
| serverless-step-functions | 3.23.1 | 3.23.4 | patch | - |
| sst | 2.47.2 | 2.47.3 | patch | - |
| ts-jest | 29.4.0 | 29.4.6 | patch | - |
| tsx | 4.20.3 | 4.20.6 | patch | - |

Packages marked with "-" are updated due to dependency constraints.
Security Details

🚨 Critical & High Severity (12 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @modelcontextprotocol/sdk | GHSA-345p-7cg4-v4c7 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.13.1 | 1.26.0 |
| @modelcontextprotocol/sdk | CVE-2026-25536 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.13.1 | - |
| @modelcontextprotocol/sdk | GHSA-w48q-cv73-mx4w | HIGH | Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default | 1.13.1 | 1.24.0 |
| @modelcontextprotocol/sdk | CVE-2025-66414 | HIGH | DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost | 1.13.1 | - |
| @modelcontextprotocol/sdk | GHSA-8r9q-7v3j-jr4g | HIGH | Anthropic's MCP TypeScript SDK has a ReDoS vulnerability | 1.13.1 | 1.25.2 |
| @modelcontextprotocol/sdk | CVE-2026-0621 | HIGH | - | 1.13.1 | - |
| @modelcontextprotocol/sdk | GHSA-8r9q-7v3j-jr4g | HIGH | Anthropic's MCP TypeScript SDK has a ReDoS vulnerability | 1.11.0 | 1.25.2 |
| @modelcontextprotocol/sdk | CVE-2026-0621 | HIGH | - | 1.11.0 | - |
| @modelcontextprotocol/sdk | GHSA-345p-7cg4-v4c7 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.11.0 | 1.26.0 |
| @modelcontextprotocol/sdk | CVE-2026-25536 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.11.0 | - |
| @modelcontextprotocol/sdk | GHSA-w48q-cv73-mx4w | HIGH | Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default | 1.11.0 | 1.24.0 |
| @modelcontextprotocol/sdk | CVE-2025-66414 | HIGH | DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost | 1.11.0 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover

dd-prapprover bot commented Feb 13, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-02-13T11:35:56Z
  • ✅ CI tests passed - 2026-02-13T11:53:17Z
  • ✅ Approved (commit: 9c31e0c) - 2026-02-13T11:53:19Z
  • ✅ Merge Started
  • ⬜ Merged

➡️ Current phase: merge in progress...


@dd-prapprover dd-prapprover bot left a comment


This PR has been automatically approved by the DD PR Approver bot.

@dd-prapprover

dd-prapprover bot commented Feb 13, 2026

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 bot commented Feb 13, 2026

View all feedbacks in Devflow UI.

2026-02-13 11:53:26 UTC ℹ️ Start processing command /merge

2026-02-13 11:53:30 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 0s (p90).

2026-02-13 13:53:38 UTC ℹ️ MergeQueue: Readding this merge request to the queue because another merge request processed with yours failed. No action is needed from your side.

2026-02-13 15:53:53 UTC MergeQueue: The build pipeline has timed out

The merge request has been interrupted because the build 0 took longer than expected. The current limit for the base branch 'main' is 120 minutes.
