[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.10.0 to 1.25.2#54
…server/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
The latest updates on your projects. Learn more about Vercel for GitHub.

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| 🔵 In progress (View logs) | weather-mcp-server | c909794 | Jan 13 2026, 10:28 AM |
| ✅ Deployment successful! (View logs) | remote-mcp-server-bearer-auth | c909794 | Jan 13 2026, 10:28 AM |

✅ Deploy Preview for express-mcp-server ready!

✅ Deploy Preview for mcp-example-oauth canceled.
Pull request overview
This PR upgrades the @modelcontextprotocol/sdk package from version 1.10.0 to 1.25.2 to address a high-severity Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802) with a priority score of 828.
Changes:
- Upgrade @modelcontextprotocol/sdk from 1.10.0 to 1.25.2 in package.json
- Update pnpm-lock.yaml with new dependency resolutions and additional transitive dependencies
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/express-mcp-server/package.json | Updates the @modelcontextprotocol/sdk version specifier from ^1.10.0 to ^1.25.2 |
| examples/express-mcp-server/pnpm-lock.yaml | Updates lock file with new SDK version, adds new transitive dependencies (hono, ajv, jose v6, etc.), and updates zod-to-json-schema peer dependency requirements |
Files not reviewed (1)
- examples/express-mcp-server/pnpm-lock.yaml: Language not supported
| "@descope/mcp-express": "^1.0.4", | ||
| "@descope/node-sdk": "^1.6.13", | ||
| "@modelcontextprotocol/sdk": "^1.10.0", | ||
| "@modelcontextprotocol/sdk": "^1.25.2", |
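Review bot: bumping only the `@modelcontextprotocol/sdk` specifier here leaves the project's `zod` specifier untouched, and the review comment on this PR states that 1.25.2 declares a peer range of `zod: ^3.25 || ^4.0` while the project resolves zod 3.24.3; raise zod to at least 3.25.0 in this same change and regenerate the lock file so the peer range is met, and since `pnpm-lock.yaml` was not reviewed, confirm locally with `pnpm install --frozen-lockfile` that it installs without unmet peer dependency warnings before merging.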
The upgraded @modelcontextprotocol/sdk@1.25.2 has a peer dependency requirement of "zod: ^3.25 || ^4.0", but the project currently uses zod@3.24.2 (resolves to 3.24.3). This version mismatch could lead to runtime errors or unexpected behavior. The zod dependency should be upgraded to at least version 3.25.0 to satisfy the peer dependency requirement.
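The peer-range check behind the comment above, written out as an added example (it is not code from this PR, from Snyk or from the SDK): a small JavaScript checker that evaluates a `peerDependencies` range such as `^3.25 || ^4.0` against the version a lock file actually resolves. The range grammar is limited to caret ranges, exact versions and `||`, and the `sdkPeers`, `resolvedBefore` and `resolvedAfter` objects are constructed sample data mirroring the numbers in the comment, not the real lock file.

```javascript
// Added example: a minimal peer dependency checker (not the project's code).
// Supported range grammar is deliberately small: "^x", "^x.y", "^x.y.z",
// exact versions, and alternatives joined with "||".

// Parse "3.24.3" (or a partial like "3.25") into numeric parts; missing parts are null.
function parseVersion(v) {
  const parts = v.trim().split('.').map((p) => (p === '' ? null : Number(p)));
  if (parts.length < 1 || parts.length > 3 ||
      parts.some((p) => p !== null && !Number.isInteger(p))) {
    throw new Error(`unsupported version: ${v}`);
  }
  while (parts.length < 3) parts.push(null);
  return parts;
}

// Lexicographic compare of two full [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Caret semantics as npm defines them:
//   ^1.2.3 := >=1.2.3 <2.0.0   ^0.2.3 := >=0.2.3 <0.3.0   ^0.0.3 := >=0.0.3 <0.0.4
// Partial forms (^3.25, ^4.0) fill the missing parts with 0 for the lower bound.
function caretBounds(spec) {
  const [maj, min, pat] = parseVersion(spec);
  const lower = [maj, min ?? 0, pat ?? 0];
  let upper;
  if (maj > 0 || min === null) upper = [maj + 1, 0, 0];
  else if (min > 0 || pat === null) upper = [0, min + 1, 0];
  else upper = [0, 0, pat + 1];
  return { lower, upper };
}

// One comparator: a caret range or an exact version.
function satisfiesComparator(version, spec) {
  spec = spec.trim();
  if (spec.startsWith('^')) {
    const { lower, upper } = caretBounds(spec.slice(1));
    return compare(version, lower) >= 0 && compare(version, upper) < 0;
  }
  const exact = parseVersion(spec).map((p) => p ?? 0);
  return compare(version, exact) === 0;
}

// Full range: alternatives separated by "||", any one of which may match.
function satisfies(versionStr, range) {
  const version = parseVersion(versionStr);
  return range.split('||').some((alt) => satisfiesComparator(version, alt));
}

// Compare every declared peer of one package with what the lock file resolved.
// Returns the unmet peers so a CI step can fail on a non-empty list.
function unmetPeers(peerDependencies, resolved) {
  const problems = [];
  for (const [name, range] of Object.entries(peerDependencies)) {
    const installed = resolved[name];
    if (installed === undefined) {
      problems.push({ name, range, installed: null, reason: 'missing' });
    } else if (!satisfies(installed, range)) {
      problems.push({ name, range, installed, reason: 'out of range' });
    }
  }
  return problems;
}

// Constructed sample data (assumption for this example, taken from the review comment's numbers).
const sdkPeers = { zod: '^3.25 || ^4.0' };
const resolvedBefore = { zod: '3.24.3' }; // what the lock file resolves today
const resolvedAfter = { zod: '3.25.0' };  // after bumping zod as the comment suggests

const problemsBefore = unmetPeers(sdkPeers, resolvedBefore); // one "out of range" entry
const problemsAfter = unmetPeers(sdkPeers, resolvedAfter);   // empty
console.log('before upgrade:', problemsBefore);
console.log('after upgrade:', problemsAfter);
```

Run it with `node` to see the one unmet peer for zod 3.24.3 and an empty list once zod is at 3.25.0; wiring `unmetPeers` to a real `package.json` and lock file is left to the reader, since parsing `pnpm-lock.yaml` is outside this example.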
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
- examples/express-mcp-server/package.json
- examples/express-mcp-server/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-MODELCONTEXTPROTOCOLSDK-14871802
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)