[Snyk] Security upgrade agents from 0.0.43 to 0.3.10

[omercnet]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• examples/remote-mcp-server-hono-cloudflare/package.json
• examples/remote-mcp-server-hono-cloudflare/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Cross-site Scripting (XSS) SNYK-JS-AGENTS-15279200	596
	Cross-site Scripting (XSS) SNYK-JS-AGENTS-15282793	596

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ai	Ready	Preview, Comment	Feb 17, 2026 2:36pm
nextjs-descope-mcp-server	Ready	Preview, Comment	Feb 17, 2026 2:36pm

[netlify]

✅ Deploy Preview for express-mcp-server canceled.

Name	Link
🔨 Latest commit	b72e6f4
🔍 Latest deploy log	https://app.netlify.com/projects/express-mcp-server/deploys/69947cba064a9900085206c2

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
🔵 In progress View logs	brave-search-mcp-server	b72e6f4	Feb 17 2026, 02:35 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
🔵 In progress View logs	remote-mcp-server-bearer-auth	b72e6f4	Feb 17 2026, 02:35 PM

[netlify]

✅ Deploy Preview for mcp-example-oauth canceled.

Name	Link
🔨 Latest commit	b72e6f4
🔍 Latest deploy log	https://app.netlify.com/projects/mcp-example-oauth/deploys/69947cba88af67000821a7f7

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	remote-mcp-server-bearer-auth	b72e6f4	Feb 17 2026, 02:36 PM

[Copilot]

Pull request overview

This Snyk-generated PR upgrades the agents dependency in the Cloudflare Workers (Hono) remote MCP server example to address reported XSS vulnerabilities in that package.

Changes:

• Bump agents from ^0.0.43 to ^0.3.10 in the example’s package.json.
• Regenerate package-lock.json to reflect the new agents version and its updated dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File	Description
examples/remote-mcp-server-hono-cloudflare/package.json	Updates agents dependency version to the fixed release.
examples/remote-mcp-server-hono-cloudflare/package-lock.json	Updates resolved versions / adds new transitive deps introduced by agents@0.3.10.

Files not reviewed (1)

• examples/remote-mcp-server-hono-cloudflare/package-lock.json: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Upgrading agents to ^0.3.10 pulls in transitive dependencies that declare Node >=20 (e.g. cron-schedule@6, yargs@18 in the lockfile). This example currently doesn’t declare an engine constraint in package.json, so users on Node 18 (which the README currently allows) can hit engine warnings/errors during install. Consider adding an explicit engines.node (>=20) here, or choosing an agents version that remains compatible with Node 18 if that’s a requirement.

[Copilot]

cron-schedule@6.0.0 declares engines.node: >=20, which is newly introduced via the agents upgrade. If this example is intended to work on Node 18, the dependency graph now conflicts with that; otherwise, the project should declare the higher Node requirement (e.g., via package.json#engines) to avoid install/runtime surprises.

Suggested change

	"node": ">=20"
	"node": ">=18"

[Copilot]

yargs@18.0.0 (and yargs-parser@22) now require Node ^20.19.0 || ^22.12.0 || >=23. Since this comes in through agents@0.3.10, installs on Node 18 will be incompatible (or at least produce engine warnings). Align the example’s declared Node support with this dependency graph (either raise the Node requirement, or pin/replace to a compatible agents/yargs chain).

Suggested change

	"version": "18.0.0",
	"resolved": "https://registry.npmjs.org/yargs/-/yargs-18.0.0.tgz",
	"integrity": "sha512-4UEqdc2RYGHZc7Doyqkrqiln3p9X2DZVxaGbwhn2pi7MrRagKaOcIKe8L3OxYcbhXLgLFUS3zAYuQjKBQgmuNg==",
	"license": "MIT",
	"dependencies": {
	"cliui": "^9.0.1",
	"escalade": "^3.1.1",
	"get-caller-file": "^2.0.5",
	"string-width": "^7.2.0",
	"y18n": "^5.0.5",
	"yargs-parser": "^22.0.0"
	},
	"engines": {
	"node": "^20.19.0 || ^22.12.0 || >=23"
	}
	},
	"node_modules/yargs-parser": {
	"version": "22.0.0",
	"resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-22.0.0.tgz",
	"integrity": "sha512-rwu/ClNdSMpkSrUb+d6BRsSkLUq1fmfsY6TOpYzTwvwkg1/NRG85KBy3kq++A8LKQwX6lsu+aWad+2khvuXrqw==",
	"license": "ISC",
	"engines": {
	"node": "^20.19.0 || ^22.12.0 || >=23"
	"version": "17.7.2",
	"resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
	"integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==",
	"license": "MIT",
	"dependencies": {
	"cliui": "^8.0.1",
	"escalade": "^3.1.1",
	"get-caller-file": "^2.0.5",
	"require-directory": "^2.1.1",
	"string-width": "^4.2.3",
	"y18n": "^5.0.5",
	"yargs-parser": "^21.1.1"
	},
	"engines": {
	"node": ">=12"
	}
	},
	"node_modules/yargs-parser": {
	"version": "21.1.1",
	"resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz",
	"integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQYFdE0Ue9GqiayctRTkL/WqT02lthfFJj17UlvzDGCA1pPr0LC9QUiE6e2O8w==",
	"license": "ISC",
	"engines": {
	"node": ">=12"