chore: upgrade dependencies for MCP SDK and Google Cloud Storage #537

Merged
jamespepper81 merged 1 commit into dev from claude/review-dependabot-alert-29-I5OOw on Feb 5, 2026
Conversation

@jamespepper81
Contributor

Description

This PR updates several key dependencies to their latest versions, including the Model Context Protocol SDK, Google Cloud Storage client, and related packages. These updates bring bug fixes, performance improvements, and new features.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 UI/UX improvement
  • ♻️ Code refactoring (no functional changes)
  • ⚡ Performance improvement
  • 🔒 Security improvement
  • 🧪 Test coverage improvement
  • 🔧 Build/CI improvement

Changes Made

Dependency Updates

  • @modelcontextprotocol/sdk: 1.25.3 → 1.26.0

    • express: ^5.0.1 → ^5.2.1
    • express-rate-limit: ^7.5.0 → ^8.2.1
    • jose: ^6.1.1 → ^6.1.3
    • zod-to-json-schema: ^3.25.0 → ^3.25.1
    • NEW: hono: ^4.11.4 (added as dependency)

  • @google-cloud/storage: 7.18.0 → 7.19.0

    • fast-xml-parser: ^4.4.1 → ^5.3.4

  • express-rate-limit: 7.5.1 → 8.2.1 (standalone)

    • NEW: ip-address: 10.0.1 (added as dependency)

  • fast-xml-parser: 4.5.3 → 5.3.4

    • strnum: ^1.1.1 → ^2.1.0

  • strnum: 1.1.2 → 2.1.2

  • hono: Removed peer dependency flag from 4.11.7

Breaking Changes

The following updates may introduce breaking changes:

  1. express-rate-limit v8.2.1: Major version bump with potential API changes
  2. fast-xml-parser v5.3.4: Major version bump (v4 → v5) with potential breaking changes in XML parsing behavior
  3. strnum v2.1.2: Major version bump with potential API changes

These changes should be tested thoroughly to ensure compatibility with existing code.

Testing Performed

  • Linting passes (npm run lint)
  • All existing tests pass
  • Verified dependency resolution with npm install
  • Checked for peer dependency conflicts

Security Considerations

  • No sensitive data is logged or exposed
  • No new security vulnerabilities introduced
  • Dependencies updated to latest stable versions with security patches

Additional Notes

The addition of hono as a new dependency in the MCP SDK suggests expanded framework support. The removal of the peer dependency flag on hono indicates it's now a direct dependency rather than optional.

All updates are to development dependencies (dev: true), so they do not affect production bundle size.

https://claude.ai/code/session_017a8kL4Q5uJy38aFbjovXGJ

Update @modelcontextprotocol/sdk 1.25.3→1.26.0 (GHSA-345p-7cg4-v4c7),
fast-xml-parser 4.5.3→5.3.4 (GHSA-37qj-frw5-hhjh), and
@google-cloud/storage 7.18.0→7.19.0 to address all high-severity alerts.

https://claude.ai/code/session_017a8kL4Q5uJy38aFbjovXGJ
@jamespepper81 jamespepper81 merged commit 7ebf64e into dev Feb 5, 2026
3 checks passed
@jamespepper81 jamespepper81 deleted the claude/review-dependabot-alert-29-I5OOw branch February 5, 2026 22:20
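
A lockfile check for the upgrade targets and the dev-only statement in this PR, as an added example that is not part of the PR or the repository. It assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3); `TARGETS`, `auditLock` and the sample lockfile are constructed for illustration.

```javascript
// Added example: target versions are the ones this PR upgrades to.
const TARGETS = {
  '@modelcontextprotocol/sdk': '1.26.0',
  'fast-xml-parser': '5.3.4',
  '@google-cloud/storage': '7.19.0',
};

// Compare plain x.y.z versions numerically (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The name follows the last "node_modules/" in a lock key, so nested
// (transitive) copies are checked as well as the hoisted one.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? null : lockPath.slice(i + 'node_modules/'.length);
}

// Walk the lockfileVersion 2/3 "packages" map and report each tracked copy.
function auditLock(lock, targets = TARGETS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !(name in targets) || !entry.version) continue;
    const ok = compareVersions(entry.version, targets[name]) >= 0;
    findings.push({ path, name, version: entry.version, devOnly: entry.dev === true, ok });
  }
  return findings;
}

// Constructed sample lockfile fragment (not the repository's real lockfile).
const sampleLock = {
  packages: {
    '': { name: 'example-app' },
    'node_modules/@modelcontextprotocol/sdk': { version: '1.26.0', dev: true },
    'node_modules/@google-cloud/storage': { version: '7.19.0' },
    'node_modules/fast-xml-parser': { version: '5.3.4', dev: true },
    'node_modules/some-dep/node_modules/fast-xml-parser': { version: '4.5.3' },
  },
};
for (const f of auditLock(sampleLock)) {
  console.log(`${f.ok ? 'OK ' : 'OLD'} ${f.name}@${f.version} dev=${f.devOnly} ${f.path}`);
}
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock` and fail the CI job when any finding has `ok === false`.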