[Snyk] Fix for 2 vulnerabilities

[omercnet]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• examples/remote-mcp-server-express-fly/package.json
• examples/remote-mcp-server-express-fly/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-15268416	708
	Race Condition SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843	641

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Race Condition
🦉 Allocation of Resources Without Limits or Throttling

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ai	Ready	Preview, Comment	Feb 16, 2026 2:32pm
nextjs-descope-mcp-server	Ready	Preview, Comment	Feb 16, 2026 2:32pm

[netlify]

✅ Deploy Preview for express-mcp-server canceled.

Name	Link
🔨 Latest commit	0233d66
🔍 Latest deploy log	https://app.netlify.com/projects/express-mcp-server/deploys/69932a5af489730008b3704b

[netlify]

✅ Deploy Preview for mcp-example-oauth canceled.

Name	Link
🔨 Latest commit	0233d66
🔍 Latest deploy log	https://app.netlify.com/projects/mcp-example-oauth/deploys/69932a5a08638900083e9578

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
🔵 In progress View logs	brave-search-mcp-server	0233d66	Feb 16 2026, 02:32 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	brave-search-mcp-server	0233d66	Feb 16 2026, 02:32 PM

[Copilot]

Pull request overview

This Snyk-generated PR updates npm dependencies for the examples/remote-mcp-server-express-fly example to remediate reported vulnerabilities by bumping @modelcontextprotocol/sdk and express, with corresponding lockfile updates.

Changes:

• Bump @modelcontextprotocol/sdk from ^1.24.0 to ^1.26.0
• Bump express from ^4.21.2 to ^4.22.0
• Regenerate package-lock.json, pulling in updated transitive dependency versions

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
examples/remote-mcp-server-express-fly/package.json	Updates direct dependency versions for the example service.
examples/remote-mcp-server-express-fly/package-lock.json	Updates resolved versions and transitive dependency tree to match the upgrades.

Files not reviewed (1)

• examples/remote-mcp-server-express-fly/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@descope/mcp-express pulls in its own express@4.21.2, which pins qs@6.13.0 (see this dependency list). Since this PR is meant to remediate a qs vulnerability, leaving qs@6.13.0 in the tree likely means the vulnerability is still present. Consider upgrading @descope/mcp-express to a version that allows a patched qs, or add an npm overrides entry to force qs to a non-vulnerable version and regenerate the lockfile so no vulnerable qs versions remain.

Suggested change

	"dependencies": {
	"accepts": "~1.3.8",
	"array-flatten": "1.1.1",
	"body-parser": "1.20.3",
	"content-disposition": "0.5.4",
	"content-type": "~1.0.4",
	"cookie": "0.7.1",
	"cookie-signature": "1.0.6",
	"debug": "2.6.9",
	"depd": "2.0.0",
	"encodeurl": "~2.0.0",
	"escape-html": "~1.0.3",
	"etag": "~1.8.1",
	"finalhandler": "1.3.1",
	"fresh": "0.5.2",
	"http-errors": "2.0.0",
	"merge-descriptors": "1.0.3",
	"methods": "~1.1.2",
	"on-finished": "2.4.1",
	"parseurl": "~1.3.3",
	"path-to-regexp": "0.1.12",
	"proxy-addr": "~2.0.7",
	"qs": "6.13.0",
	"range-parser": "~1.2.1",
	"safe-buffer": "5.2.1",
	"send": "0.19.0",
	"serve-static": "1.16.2",
	"setprototypeof": "1.2.0",
	"statuses": "2.0.1",
	"type-is": "~1.6.18",
	"utils-merge": "1.0.1",
	"vary": "~1.1.2"
	},
	"dependencies": {
	"accepts": "~1.3.8",
	"array-flatten": "1.1.1",
	"body-parser": "1.20.3",
	"content-disposition": "0.5.4",
	"content-type": "~1.0.4",
	"cookie": "0.7.1",
	"cookie-signature": "1.0.6",
	"debug": "2.6.9",
	"depd": "2.0.0",
	"encodeurl": "~2.0.0",
	"escape-html": "~1.0.3",
	"etag": "~1.8.1",
	"finalhandler": "1.3.1",
	"fresh": "0.5.2",
	"http-errors": "2.0.0",
	"merge-descriptors": "1.0.3",
	"methods": "~1.1.2",
	"on-finished": "2.4.1",
	"parseurl": "~1.3.3",
	"path-to-regexp": "0.1.12",
	"proxy-addr": "~2.0.7",
	"qs": "6.14.0",
	"range-parser": "~1.2.1",
	"safe-buffer": "5.2.1",
	"send": "0.19.0",
	"serve-static": "1.16.2",
	"setprototypeof": "1.2.0",
	"statuses": "2.0.1",
	"type-is": "~1.6.18",
	"utils-merge": "1.0.1",
	"vary": "~1.1.2"
	},

[Copilot]

Upgrading @modelcontextprotocol/sdk to ^1.26.0 adds a transitive dependency (@hono/node-server) that requires Node >=18.14.1 (per the lockfile). This example package doesn’t declare an engines.node requirement, so deployments running an older Node 18.x may start failing after this bump. Consider adding an engines field (or otherwise pinning/documenting the Node version used by this example) to match the new minimum runtime.