Conversation
Contributor
Author
ℹ️ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
renovate
bot
force-pushed
the
renovate/github.com-modelcontextprotocol-go-sdk-1.x
branch
from
b50f124 to
2f5fd2c
Compare
meysam81
approved these changes
Mar 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.3.1→v1.4.0Release Notes
modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)
v1.4.0Compare Source
This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!
Client-side OAuth support
This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the
-tags mcp_go_client_oauthflag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable inv1.5.0release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.Sampling with Tools
Starting from this release, the server use the new
CreateMessageWithToolsmethod to create a sampling request to the client that contains tools that can be used by the client. On the client side,CreateMessageWithToolsHandlermay be used to handle such requests and issueToolUseresponses to the server.Behavior changes
We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special
MCPGODEBUGenvironment variable when running the SDK. Different options can be added together, separated by a comma.Introduced DNS rebinding protection
The requests arriving via a localhost address (
127.0.0.1,[::1]) that have a non-localhostHostheader will be rejected to protect against DNS rebinding attacks. The protection can be disabled by specifyingStreamableHTTPOptions.DisableLocalhostProtection, but it should be done only if security implications are understood (see documentation for the option).This protection is a behavior change, as the protection is now enabled by default. Because of that, we have introduced an
MCPGODEBUGoption to bring back the previous default behavior for users that need more time to adjust. However, if possible, we recommend specifyingDisableLocalhostProtectiondescribed above, as it is a more future-proof solution. TheMCPGODEBUGoption to remove this protection (disablelocalhostprotection=1) will be removed inv1.6.0.Removed JSON content escaping when marshaling
By default
encoding/jsonescapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default, to be consistent with other SDKs. Since this is a behavior change, we introduced anMCPGODEBUGoption to bring back the previous behavior for users that need more time to adjust to it. That option (jsonescaping=1) will be removed inv1.6.0.Bug fixes
Security vulnerability caused by the case insensitive parsing behavior of
encoding/jsonhas been submitted (also release as a cherry pick inv1.3.1). Security advisory has been posted.Other fixes:
Enhancements
Notably, the SDK now supports the
extensionsfield in client and server capabilities, which should enable creation of MCP Apps.Other enhancements:
Repository organization
Some effort was put into better organization of the repository, as well as making sure it's up to date and secure. As a highlight, the repository is not integrated with OSSF Scorecard with a positive score of 8.7. Additionally, the full conformance test suite is now run on every PR and push to main.
dns-rebinding-protectionscenario as failing by @maciej-kisiel in #775New Contributors
Full Changelog: modelcontextprotocol/go-sdk@v1.3.0...v1.4.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.