[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.3.1 to 1.24.0 #16
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MODELCONTEXTPROTOCOLSDK-14171914
This PR is being reviewed by Cursor Bugbot
| "license": "MIT", | ||
| "dependencies": { | ||
| "@modelcontextprotocol/sdk": "latest", | ||
| "@modelcontextprotocol/sdk": "^1.24.0", |
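Review bot: the lock's root entry now records "^1.24.0" for @modelcontextprotocol/sdk while package.json in the other hunk pins "1.24.0" exactly, so the two files disagree on the constraint. Regenerate package-lock.json from the package.json spec (or align package.json to the caret) so that a single intent, exact pin or semver range, is recorded in both; for a security-driven upgrade the exact pin is the safer choice, since it cannot drift past the version that was reviewed.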
Bug: Version specifier mismatch between package files
The package.json specifies an exact version "@modelcontextprotocol/sdk": "1.24.0" (no caret), while package-lock.json records "@modelcontextprotocol/sdk": "^1.24.0" (with caret) in the root package definition. This inconsistency means the lock file doesn't accurately reflect the version constraint in package.json. Fresh installs without the lock file would pin to exactly 1.24.0, but the lock file suggests a semver range was intended.
Pull request overview
This PR addresses a high-severity security vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-14171914, score 666) by upgrading @modelcontextprotocol/sdk from version 1.3.1 to 1.24.0. The upgrade replaces the problematic "latest" version specifier with a pinned version to ensure consistent and secure dependency resolution.
Key changes:
- Pins @modelcontextprotocol/sdk to version 1.24.0, addressing an "Insecure Default Initialization of Resource" vulnerability
- Upgrades Zod from 3.x to 4.x (major version change)
- Introduces numerous transitive dependencies including Express v5, CORS, authentication libraries (jose), and rate limiting
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Pins @modelcontextprotocol/sdk to exact version 1.24.0 (replacing "latest") |
| package-lock.json | Updates lockfile with SDK 1.24.0, bumps project version to 0.2.1, and pulls in new transitive dependencies including Zod 4.x and Express 5.x |
| }, | ||
| "dependencies": { | ||
| "@modelcontextprotocol/sdk": "latest", | ||
| "@modelcontextprotocol/sdk": "1.24.0", |
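Review bot: replacing the "latest" dist-tag with a concrete version is the substantive fix in this hunk; with "latest", every install resolved whatever the registry published at that moment, so builds were neither reproducible nor auditable. The exact pin should be mirrored in package-lock.json (the lock hunk records "^1.24.0"), and since the review summary notes the upgrade also moves Zod from 3.x to 4.x, the project's schema definitions deserve a test run before merge rather than relying on the dependency bump alone.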
Copilot (AI), Dec 4, 2025
The version in package.json is pinned to exactly "1.24.0" (without a caret ^), but in package-lock.json line 12 it's recorded as "^1.24.0" (with a caret). This inconsistency means that npm install could potentially install a newer 1.x version instead of the exact pinned version.
For a security fix, it's generally better to use the exact version without the caret to ensure the specific patched version is installed. Consider changing this to "^1.24.0" in package.json to match the lock file, or ensure the lock file reflects the exact version.
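The mismatch that Bugbot and Copilot describe above can be checked mechanically in CI. The following is an added example, not code from this repository or from either bot; the package name and version strings are constructed to mirror this PR, and the two files are embedded inline rather than read from disk (swap in `fs.readFileSync` for real files).

```javascript
// Added example (not part of the PR): detect package.json / package-lock.json
// specifier disagreements, unpinned "latest" tags, and resolved versions that
// do not equal an exact pin. Input below is constructed to mirror this PR.
const EXACT = /^\d+\.\d+\.\d+$/;

// Constructed: package.json pins exactly, the lock's root entry keeps a caret.
const pkgJson = {
  name: "example-mcp-server", version: "0.2.1", license: "MIT",
  dependencies: { "@modelcontextprotocol/sdk": "1.24.0" },
};
const lockJson = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-mcp-server", version: "0.2.1",
          dependencies: { "@modelcontextprotocol/sdk": "^1.24.0" } },
    "node_modules/@modelcontextprotocol/sdk": { version: "1.24.0" },
  },
};

// Compare every dependency spec in package.json with the lock's root entry
// (packages[""]) and with the version the lock actually resolved.
function findSpecMismatches(pkg, lock) {
  const findings = [];
  const packages = lock.packages || {};
  const root = packages[""] || {};
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const lockSpec = (root[field] || {})[name];
      const resolved = (packages[`node_modules/${name}`] || {}).version;
      if (spec === "latest") findings.push({ name, issue: "unpinned dist-tag 'latest'" });
      if (lockSpec === undefined) {
        findings.push({ name, issue: "missing from lock root entry" });
      } else if (lockSpec !== spec) {
        findings.push({ name, issue: `spec mismatch: package.json ${spec} vs lock ${lockSpec}` });
      }
      // An exact pin must match the resolved version byte for byte.
      if (EXACT.test(spec) && resolved !== undefined && resolved !== spec) {
        findings.push({ name, issue: `resolved ${resolved} does not equal exact pin ${spec}` });
      }
    }
  }
  return findings;
}

const report = findSpecMismatches(pkgJson, lockJson);
report.forEach((f) => console.log(`${f.name}: ${f.issue}`));
```

Run with a non-zero exit on any finding to make `npm ci` failures visible before they reach the build.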
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-MODELCONTEXTPROTOCOLSDK-14171914
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Upgrade @modelcontextprotocol/sdk to 1.24.0 and refresh package-lock with new transitive dependencies and version bumps.
- @modelcontextprotocol/sdk to 1.24.0 in package.json.
- package-lock.json: 0.2.1.
- New transitive dependencies (ajv, express@5, cors, eventsource, express-rate-limit, jose, pkce-challenge).
- Version bumps (zod to 4.x, zod-to-json-schema 3.25.0, raw-body 3.0.2).
Written by Cursor Bugbot for commit f7bef76.