Skip to content

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) #1382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
felixweinberger merged 5 commits into from
Jan 23, 2026
Merged

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) #1382

felixweinberger merged 5 commits into from
Jan 23, 2026
+52 −35

Conversation

@samuv
Copy link

@samuv samuv commented Jan 14, 2026
edited
Loading

Resolves npm audit security vulnerabilities and updates dependencies to their latest compatible versions for the v1.x release branch.

This is the backport of #1381

Motivation and Context

Running npm audit on the v1.x branch was reporting multiple high-severity security vulnerabilities:

  1. Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):

    • JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
    • JWT Algorithm Confusion via Unsafe Default (HS256) allowing token forgery and auth bypass
    • Affects hono <4.11.4 (transitive dependency via @hono/node-server)
    • Fixed by bumping @hono/node-server to ^1.19.9 and adding hono ^4.11.4 as a direct dependency

  2. qs package vulnerability:

    • Security issue in transitive dependency qs
    • Fixed by adding npm overrides to force qs@6.14.1

This PR addresses these vulnerabilities by:

  • Bumping @hono/node-server to ^1.19.9
  • Adding hono ^4.11.4 as a direct dependency (resolves Hono JWT vulnerabilities)
  • Adding npm overrides for qs@6.14.1 (resolves qs vulnerability)
  • Bumping other dependencies to latest compatible versions
  • Updating test assertions to match updated library error messages

How Has This Been Tested?

  • npm audit reports 0 vulnerabilities after this change
  • ✅ All existing tests pass (npm test - all 1497 tests pass)
  • npm run build completes successfully
  • ✅ Test assertions updated to match jose library's updated error message format

Breaking Changes

None. This is a patch release with security fixes and dependency updates only.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Security fixes:

  • Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):
    • @hono/node-server (^1.19.7 → ^1.19.9)
    • hono (added as direct dependency at ^4.11.4 to ensure secure version)
  • qs vulnerability: npm overrides for qs@6.14.1

Dependency updates:

  • express (^5.0.1 → ^5.2.1)
  • express-rate-limit (^7.5.0 → ^8.2.1)
  • jose (^6.1.1 → ^6.1.3)
  • zod-to-json-schema (^3.23.2 → ^3.25.1)

Test fixes:

  • Updated error message regex in packages/client/test/client/auth-extensions.test.ts to match jose library's updated error output (changed from /Invalid character/ to /cannot be part of a valid base64/)

Implementation notes:

  • hono was added as a direct dependency instead of using npm overrides to ensure the secure version (4.11.4) is always installed, even as @hono/node-server updates its transitive dependencies
  • All changes maintain backward compatibility with the v1.x branch

@samuv samuv requested a review from a team as a code owner January 14, 2026 10:51
@changeset-bot
Copy link

changeset-bot bot commented Jan 14, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: dc70765

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@samuv
fix(deps): add hono v4.11.4 as direct dependency
01a8081 
Resolves GHSA-3vhc-576x-3qv4 and GHSA-f67f-6cw9-8mq4 JWT algorithm
confusion vulnerabilities by ensuring hono 4.11.4 is installed instead
of relying on transitive dependency from @hono/node-server.
@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 14, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1382

commit: dc70765

@samuv samuv mentioned this pull request Jan 14, 2026
Open
@KKonstantinov
Copy link
Contributor

KKonstantinov commented Jan 20, 2026

Hi, thank you for this. Since the qs issue is coming from express, and express is updated here, is there a real need for the qs override anymore?

@samuv
Copy link
Author

samuv commented Jan 20, 2026

Hi, thank you for this. Since the qs issue is coming from express, and express is updated here, is there a real need for the qs override anymore?

Hi @KKonstantinov 👋🏼, happy to help if I can
yeah, unfortunately the qs version is still the old one from the last release, but I saw they recently pushed a commit to main with the bump. It should be fixed in the next release

felixweinberger
felixweinberger approved these changes Jan 23, 2026
View reviewed changes
Copy link
Contributor

@felixweinberger felixweinberger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this!

@felixweinberger felixweinberger merged commit aa81a66 into modelcontextprotocol:v1.x Jan 23, 2026
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felixweinberger felixweinberger felixweinberger approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@samuv @KKonstantinov @felixweinberger