Skip to content

Bump @modelcontextprotocol/sdk to 1.24.0 to mitigate CVE-2025-66414 #4621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
beatlevic wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bump @modelcontextprotocol/sdk to 1.24.0 to mitigate CVE-2025-66414 #4621

beatlevic wants to merge 1 commit into from
+39 −17

Conversation

@beatlevic
Copy link
Collaborator

@beatlevic beatlevic commented Dec 22, 2025

@changeset-bot
Copy link

changeset-bot bot commented Dec 22, 2025

⚠️ No Changeset found

Latest commit: a7e46a5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

kiloconnect[bot]
kiloconnect bot reviewed Dec 22, 2025
View reviewed changes
Copy link
Contributor

@kiloconnect kiloconnect bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ No Issues Found

2 files reviewed | Confidence: 95% | Recommendation: Merge

Review Details

Files:

  • src/package.json (version bump only)
  • pnpm-lock.yaml (auto-generated lock file - skipped)

Change Summary:

  • Security dependency update: @modelcontextprotocol/sdk 1.13.3 → 1.24.0
  • Addresses CVE-2025-66414 per Dependabot alert

Checked: Security, breaking changes, dependency compatibility

Notes:

  • Minor version bump follows semver conventions
  • New transitive dependencies ([email protected], [email protected]) are expected for the updated SDK
  • No API breaking changes detected in the version update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kiloconnect kiloconnect[bot] kiloconnect[bot] left review comments

@pandemicsyn pandemicsyn Awaiting requested review from pandemicsyn

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@beatlevic