[Snyk] Upgrade @modelcontextprotocol/sdk from 1.12.3 to 1.17.0

[snyk-io]

Snyk has created this PR to upgrade @modelcontextprotocol/sdk from 1.12.3 to 1.17.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 9 versions ahead of your current version.

• The recommended version was released 22 days ago.

Release notes

Package name: @modelcontextprotocol/sdk

• 1.17.0 - 2025-07-24
  

  What's Changed

  • Add CODEOWNERS file for sdk by @ ihrpr in #781
  • Add more robust base64 check by @ cliffhall in #786
  • update codeowners by @ ihrpr in #803
  • Fix indent by @ jiec-msft in #807
  • fix: Explicitly declare accpet type to json when exchanging oauth token by @ JoJoJoJoJoJoJo in #801
  • feat: support oidc discovery in client sdk by @ xiaoyijun in #652
  • fix: remove extraneous code block in README.md by @ sd0ric4 in #791
  • Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @ dependabot[bot] in #798
  • Bump version 1.17.0 by @ ihrpr in #810

  New Contributors 🙏

  • @ jiec-msft made their first contribution in #807
  • @ sd0ric4 made their first contribution in #791

  Full Changelog: 1.16.0...1.17.0

• 1.16.0 - 2025-07-17
  

  What's Changed

  • Add type compatibility test between SDK and spec types by @ ochafik in #729
  • Add OIDC ID token support by @ dankelleher in #680
  • Add prompt=consent for OIDC offline_access scope by @ dankelleher in #681
  • Non-critical: Readme syntax and typographical error fixes by @ freakynit in #765
  • make client side client_id generation configurable in the oauth router by @ cdaguerre in #734
  • Adding invalidateCredentials() to OAuthClientProvider by @ geelen in #570
  • fix: use authorization_server_url as issuer when fetching metadata by @ JoJoJoJoJoJoJo in #763
  • feat(protocol): Debounce notifications to improve network efficiancy by @ jneums in #746
  • fix(731): StreamableHTTPClientTransport Fails to Reconnect on Non-Resumable Streams by @ jneums in #732
  • fix: consistently use consumer-provided fetch function by @ LucaButBoring in #767
  • fix client id issuance date should only be sent when generated by @ cdaguerre in #775
  • 1.16.0 by @ ihrpr in #779

  New Contributors 🙏

  • @ dankelleher made their first contribution in #680
  • @ freakynit made their first contribution in #765
  • @ cdaguerre made their first contribution in #734
  • @ JoJoJoJoJoJoJo made their first contribution in #763
  • @ jneums made their first contribution in #746
  • @ LucaButBoring made their first contribution in #767

  Full Changelog: 1.15.1...1.16.0

• 1.15.1 - 2025-07-10
  

  What's Changed

  • fix(client): Some mcp server need default env(#393, #196) by @ sunrabbit123 in #394
  • feat: Add CORS configuration for browser-based MCP clients by @ jerome3o-anthropic in #713
  • Add onsessionclosed hook to StreamableHTTPServerTransport by @ jerome3o-anthropic in #743
  • add custom headers on initial _startOrAuth call by @ anthonjn in #318
  • Improve stdio test Windows compatibility and refactor command logic by @ HoberMin in #284
  • Add missing app.listen error handling to server examples by @ ochafik in #749
  • fix(server): validate expiresAt token value for non existence by @ christian-bromann in #446
  • [auth]: support oauth client_secret_basic / none / custom methods by @ jaredhanson, @ SightStudio, @ ochafik in #720
  • feat: support async callbacks for onsessioninitialized and onsessionclosed by @ jerome3o-anthropic in #751
  • Fix oauth well-known paths to retain path and query by @ ihrpr in #756
  • auth: fetch AS metadata in well-known subpath from serverUrl even when PRM returns external AS by @ ochafik in #752

  New Contributors

  • @ sunrabbit123 made their first contribution in #394
  • @ anthonjn made their first contribution in #318
  • @ HoberMin made their first contribution in #284

  Full Changelog: 1.15.0...1.15.1

• 1.15.0 - 2025-07-03
  

  What's Changed

  Note

  This release reverts a breaking change introduced in version 1.13.3.

  • Allow custom fetch in SSEClientTransport and StreamableHTTPClientTransport by @ cliffhall in #721
  • Revert "fix: add type safety for tool output schemas in ToolCallback" by @ sushichan044 in #725
  • bump version to 1.15.0 by @ bhosmer-ant in #730

  Full Changelog: 1.14.0...1.15.0

• 1.14.0 - 2025-07-03
  

  What's Changed

  Warning

  This introduces breaking changes, which are required to comply with the spec - more details

  • Rename reject to decline by @ ihrpr in #727
  • 1.14.0 by @ ihrpr in #728

  Full Changelog: 1.13.3...1.14.0

• 1.13.3 - 2025-07-01
  

  What's Changed

  • Implement DNS Rebinding Protections per spec by @ ddworken in #565
  • fix lint by @ ihrpr in #704
  • fix: add missing eventsource-parser dependency by @ domnit in #424
  • fix: add windows env PROGRAMFILES, avoid some exe can not be found by @ muzea in #386
  • add overloads for registerResource method in McpServer class by @ kentcdodds in #661
  • fix: extra headers when they are a Headers object by @ garciasdos in #571
  • fix: missing "properties" property in empty schema by @ sinedied in #598
  • fix: Expose the MCP child process PID as an accessible property in StdioClientTransport by @ XiaofuHuang in #455
  • fix: add type safety for tool output schemas in ToolCallback by @ sushichan044 in #670
  • doc minimum node version requirment by @ marcopeg in #463
  • docs: add error handling when it fails to start HTTP server by @ formulahendry in #371
  • Added Sampling Example to README by @ RishiNandha in #698
  • Returning undefined from discoverOAuthMetadata for CORS errors by @ geelen in #717
  • Bump version to 1.13.3 by @ ihrpr in #719

  New Contributors 🙏

  • @ ddworken made their first contribution in #565
  • @ domnit made their first contribution in #424
  • @ muzea made their first contribution in #386
  • @ kentcdodds made their first contribution in #661
  • @ garciasdos made their first contribution in #571
  • @ sinedied made their first contribution in #598
  • @ XiaofuHuang made their first contribution in #455
  • @ sushichan044 made their first contribution in #670
  • @ marcopeg made their first contribution in #463
  • @ formulahendry made their first contribution in #371
  • @ RishiNandha made their first contribution in #698

  Full Changelog: 1.13.2...1.13.3

• 1.13.2 - 2025-06-26
• 1.13.1 - 2025-06-23
• 1.13.0 - 2025-06-18
• 1.12.3 - 2025-06-13

from @modelcontextprotocol/sdk GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)