@samuv samuv commented Jan 14, 2026

Fixes pnpm audit security vulnerabilities and updates dependencies to their latest compatible versions.

Motivation and Context

Running pnpm audit was reporting multiple security vulnerabilities:

  1. Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):

    • JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
    • JWT Algorithm Confusion via Unsafe Default (HS256) allowing token forgery and auth bypass
    • Affects hono <4.11.4 (via @hono/node-server)
    • Fixed by bumping @hono/node-server to ^1.19.9 and hono to ^4.11.4
  2. qs package vulnerability:

    • Security issue in transitive dependency qs
    • Fixed by adding pnpm overrides to force [email protected]

This PR addresses these vulnerabilities and updates dependencies to their latest compatible versions.

How Has This Been Tested?

  • pnpm audit now reports 0 vulnerabilities
  • pnpm lint:all passes
  • pnpm test:all passes (all 245 tests in client package pass)
  • ✅ Test assertions updated to match jose library's updated error message format

Breaking Changes

None. All changes are backward compatible.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

  • Security fixes:
  • Runtime dependencies bumped: express (^5.0.1 → ^5.2.1), express-rate-limit (^7.5.0 → ^8.2.1), jose (^6.1.1 → ^6.1.3)
  • Dev dependencies bumped: eslint (^9.8.0 → ^9.39.2), @eslint/js (^9.39.1 → ^9.39.2), @types/express (^5.0.0 → ^5.0.6)
  • Test fix: Updated error message regex in auth-extensions.test.ts to match jose library's updated error output
  • Style: Fixed import ordering in taskResumability.test.ts

@samuv samuv requested a review from a team as a code owner January 14, 2026 10:48
changeset-bot bot commented Jan 14, 2026

⚠️ No Changeset found

Latest commit: 0e0db6c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


pkg-pr-new bot commented Jan 14, 2026


npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1381
npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1381

commit: 0e0db6c
