chore(deps): bump @modelcontextprotocol/sdk from 1.25.2 to 1.26.0 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: @modelcontextprotocol/sdk.

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in modelcontextprotocol/typescript-sdk#1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
• 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade @modelcontextprotocol/sdk to 1.26.0 to patch a security issue that could leak cross-client response data. No app code changes.

• Dependencies
  • @modelcontextprotocol/sdk: 1.25.2 → 1.26.0 (fixes GHSA-345p-7cg4-v4c7; updates transitive deps, e.g., express-rate-limit to 8.2.1)

^{Written for commit 15492dd. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
domainstack	Ready	Preview, Comment	Mar 2, 2026 5:13pm

[cubic-dev-ai]

No issues found across 2 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

Architecture diagram

sequenceDiagram
    participant Web as Web App (Client)
    participant SDK as MCP SDK (v1.26.0)
    participant Auth as Credentials Provider
    participant Transport as Transport (SSE/Stdio)
    participant Server as MCP Server

    Note over Web, Server: MCP Connection Lifecycle (Security Hardened)

    Web->>Auth: Request connection
    Auth-->>Web: Credentials
    
    Web->>SDK: connect(credentials)
    opt NEW: Client Credentials Scopes
        SDK->>Auth: CHANGED: Validate with extended scopes
    end

    Note over SDK, Transport: Security Fix: GHSA-345p-7cg4-v4c7
    SDK->>Transport: NEW: Initialize unique transport instance
    Transport->>Server: Establish session

    Web->>SDK: callTool() / getResource()
    SDK->>Transport: Send JSON-RPC Request
    Transport->>Server: Forward request

    Server-->>Transport: Response Data
    
    Note over Transport, SDK: CHANGED: Strict instance-to-response mapping
    Transport-->>SDK: Return isolated data
    
    alt Successful Validation
        SDK-->>Web: Data Result
    else Invalid Response Schema
        Note right of SDK: v1.25.3 Backport Fix
        SDK-->>Web: Validation Error (Corrected Schema)
    end

    Note over SDK, Transport: Cleanup
    SDK->>Transport: Close connection
    Note over Transport: Ensure no state leakage to next client

Loading