@hlovdal hlovdal commented Dec 2, 2025

Version 1.24.0 fixes GHSA-w48q-cv73-mx4w.

PR Checklist

Please check to confirm your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

What is the current behavior?

npm audit complains due to an issue with the @modelcontextprotocol/sdk dependency.

What is the new behavior?

npm audit does not complain due to an issue with the @modelcontextprotocol/sdk dependency.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

pnpm install refuses to install the new version due to the minimumReleaseAge policy, so the lock file is not updated in this PR and this is not tested. So this PR is not complete but more of a heads-up that a dependency update is required. Feel free to come with updates to the branch.

@angular-robot angular-robot bot added area: build & ci Related the build and CI infrastructure of the project area: @angular/cli labels Dec 2, 2025
@hlovdal
Author

hlovdal commented Dec 2, 2025

In my initial angular project repository where @angular/cli is a dependency I added the following as a workaround

   "overrides": {
     "@angular/cli": {
       "@modelcontextprotocol/sdk": "1.24.0"
     }
   }

but it would be nice to have this fixed upstream.
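One way to confirm that the `overrides` workaround above took effect, as an added example that is not part of the original comment or of the Angular CLI code base: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and flags every installed copy of `@modelcontextprotocol/sdk` older than 1.24.0. The sample lockfile, `demo-app` and `other-tool` are constructed for illustration.

```javascript
const PKG = '@modelcontextprotocol/sdk';
const MIN_FIXED = '1.24.0'; // version the PR description names as the fix

// Split "x.y.z[-pre][+build]" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const [core, pre] = v.split('+')[0].split('-', 2);
  return { nums: core.split('.').map(Number), pre: pre !== undefined };
}

// Returns -1, 0 or 1. A prerelease sorts before the release with the same numbers.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (va.nums[i] || 0) - (vb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (va.pre !== vb.pre) return va.pre ? -1 : 1;
  return 0;
}

// List every copy of `name` at any node_modules depth, with a pass/fail flag.
function findCopies(lock, name, minVersion) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      ok: compareVersions(meta.version, minVersion) >= 0,
    }));
}

// Constructed sample: the override pinned the copy under @angular/cli, but a
// second copy pulled in by a hypothetical "other-tool" is outside its scope.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/@angular/cli/node_modules/@modelcontextprotocol/sdk': { version: '1.24.0' },
    'node_modules/other-tool/node_modules/@modelcontextprotocol/sdk': { version: '1.20.1' },
  },
};

for (const c of findCopies(sampleLock, PKG, MIN_FIXED)) {
  console.log(`${c.ok ? 'OK  ' : 'OLD '} ${c.version}  ${c.path}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findCopies` in place of `sampleLock`.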

@clydin
Member

clydin commented Dec 3, 2025

Thank you for the contribution.

However, Renovate will automatically update the dependency once the minimum age threshold has been reached.

Also of note is that the linked report does not affect the Angular CLI since it uses a stdio-based MCP server. Unfortunately, there is no mechanism to mark it as such.

@clydin clydin closed this Dec 3, 2025
@alan-agius4 alan-agius4 mentioned this pull request Dec 3, 2025
@jpmartins-ca

> Thank you for the contribution.
>
> However, Renovate will automatically update the dependency once the minimum age threshold has been reached.
>
> Also of note is that the linked report does not affect the Angular CLI since it uses a stdio-based MCP server. Unfortunately, there is no mechanism to mark it as such.

Hello. Is there any prediction on when the update will be done, and the release with the fix? Thanks.

@alan-agius4
Collaborator

alan-agius4 commented Dec 3, 2025

This will be released later today.

@hlovdal
Author

hlovdal commented Dec 3, 2025

@jpmartins-ca This was done in commit f1a7116 ("fix(@angular/cli): update @modelcontextprotocol/sdk to v1.24.0", 2025-12-01) which was included in release 21.0.2 and commit cfbb616 ("fix(@angular/cli): update @modelcontextprotocol/sdk to v1.24.0", 2025-12-01) which was included in release 20.3.13.

@jpmartins-ca

> @jpmartins-ca This was done in commit f1a7116 ("fix(@angular/cli): update @modelcontextprotocol/sdk to v1.24.0", 2025-12-01) which was included in release 21.0.2 and commit cfbb616 ("fix(@angular/cli): update @modelcontextprotocol/sdk to v1.24.0", 2025-12-01) which was included in release 20.3.13.

Thank you for pointing this out. This change achieves the desired outcome. Well done!

However, I did notice two minor issues. Firstly, the latest version (1.24.1) was not used. Secondly, the new version was unusable for about half an hour after its release. It appeared to be synchronising with the repository. During this process, there was a brief inconsistency with a dependency that could not be found because it was still synchronising.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jan 4, 2026