Security Follow-up for v0.8.1
The @modelcontextprotocol/sdk@1.13.0 dependency (pinned in apps/mcp/package.json) has three high-severity advisories:
| Advisory | Severity | Description |
|---|---|---|
| GHSA-8r9q-7v3j-jr4g | High | ReDoS vulnerability |
| GHSA-345p-7cg4-v4c7 | High | Cross-client data leak via shared server/transport instance reuse |
| GHSA-w48q-cv73-mv4x | High | DNS rebinding protection not enabled by default |
Fix available in @modelcontextprotocol/sdk@1.29.0 (via npm audit fix --force).
Acceptance Criteria
- @modelcontextprotocol/sdk from 1.13.0 to latest patched version (… ^ prefix)
Notes
- Version was pinned at 1.13.0 for stability during v0.8.1 development
- The high audit level was downgraded to --audit-level=critical in CI (.github/workflows/ci.yml) to unblock the release — this should be restored to --audit-level=high after the upgrade
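A small verification script for the two follow-up items above (added here as an example; it is not part of the issue or the project). It checks that the pinned @modelcontextprotocol/sdk version in a package.json is at or above the 1.29.0 fix release, and that a CI workflow runs npm audit at --audit-level=high rather than critical. The minimum version comes from the advisory note above; the sample package.json and workflow snippets at the bottom are constructed for illustration, not copied from apps/mcp/package.json or .github/workflows/ci.yml.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Verifies the two follow-up
# items from the issue: SDK pin >= fix release, CI audit level back to "high".

MIN_SDK_VERSION="1.29.0"   # release that fixes the three advisories (from the issue)

# Print the pinned @modelcontextprotocol/sdk version found in package.json text on stdin.
# A leading ^ or ~ range prefix is stripped so the comparison sees the bare version.
sdk_pinned_version() {
  sed -n 's/.*"@modelcontextprotocol\/sdk"[[:space:]]*:[[:space:]]*"[\^~]*\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Succeed (exit 0) when version $1 is >= MIN_SDK_VERSION; uses sort -V for
# dotted-version ordering so 1.30.0 correctly sorts after 1.29.0.
sdk_version_ok() {
  lowest=$(printf '%s\n%s\n' "$1" "$MIN_SDK_VERSION" | sort -V | head -n 1)
  [ "$lowest" = "$MIN_SDK_VERSION" ]
}

# Succeed when the workflow text on stdin runs npm audit with --audit-level=high.
# A --audit-level=critical line (the temporary downgrade) makes this fail.
ci_audit_level_is_high() {
  grep -q -- 'npm audit.*--audit-level=high'
}

# Stand-alone demonstration on constructed inputs.
if [ "${DEMO:-1}" = "1" ]; then
  pkg='{ "dependencies": { "@modelcontextprotocol/sdk": "1.13.0" } }'   # constructed
  ci='      - run: npm audit --audit-level=critical'                     # constructed

  v=$(printf '%s\n' "$pkg" | sdk_pinned_version)
  if sdk_version_ok "$v"; then
    echo "sdk pin $v: OK (>= $MIN_SDK_VERSION)"
  else
    echo "sdk pin $v: NEEDS UPGRADE (< $MIN_SDK_VERSION)"
  fi

  if printf '%s\n' "$ci" | ci_audit_level_is_high; then
    echo "ci audit level: high (restored)"
  else
    echo "ci audit level: not high (still downgraded)"
  fi
fi
```

Run it as a CI step or locally against the real files (for example, `sdk_pinned_version < apps/mcp/package.json`) once the upgrade lands; both checks should pass before the audit-level override is considered closed.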