fix: upgrade @modelcontextprotocol/sdk to 1.29.0 to fix CVE-2026-4926#169
Merged
mattpodwysocki merged 14 commits intomainfrom Apr 1, 2026
Merged
fix: upgrade @modelcontextprotocol/sdk to 1.29.0 to fix CVE-2026-4926#169mattpodwysocki merged 14 commits intomainfrom
mattpodwysocki merged 14 commits intomainfrom
Conversation
Implements MCP server icons at the correct architectural level (server initialization) instead of at the tool level. Adds both light and dark theme variants of the Mapbox logo using base64-encoded SVG data URIs. - Add mapbox-logo-black.svg for light theme backgrounds - Add mapbox-logo-white.svg for dark theme backgrounds - Update server initialization to include icons array with theme property - Use 800x180 SVG logos embedded as base64 data URIs This replaces the previous incorrect approach of adding icons to individual tools, which was not aligned with the MCP specification. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updates the MCP SDK from 1.25.1 to 1.25.2 and recreates the output validation patch for the new version. The patch continues to convert strict output schema validation errors to warnings, allowing tools to gracefully handle schema mismatches. Changes: - Update @modelcontextprotocol/sdk from ^1.25.1 to ^1.25.2 - Recreate SDK patch for version 1.25.2 - Remove obsolete 1.25.1 patch file - All 397 tests pass with new SDK version Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Upgrades @modelcontextprotocol/sdk from ^1.27.1 to ^1.29.0, which resolves path-to-regexp to 8.4.1 and fixes the ReDoS vulnerability GHSA-j3q9-mxjg-w52f (CVE-2026-4926). Regenerates the patch for SDK 1.29.0 (replaces patches for 1.25.2 and 1.27.1) to maintain the warn-instead-of-throw behavior for output schema validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ianshward
approved these changes
Apr 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@modelcontextprotocol/sdkfrom^1.27.1to^1.29.0path-to-regexpto8.4.1, fixing ReDoS vulnerability GHSA-j3q9-mxjg-w52f (CVE-2026-4926)Test plan
npm testpassesnpm run buildsucceedsnpm ls path-to-regexpshows8.4.1🤖 Generated with Claude Code