
chore: upgrade MCP SDK to v1.27.1 (security fix)#29

Merged
cablate merged 3 commits into
mainfrom
chore/upgrade-mcp-sdk-v1.27
Mar 12, 2026

Conversation

@cablate (Owner) commented Mar 12, 2026

Summary

  • Upgrade @modelcontextprotocol/sdk from ^1.11.0 to ^1.27.1 (16 versions behind)
  • Security: fixes GHSA-345p-7cg4-v4c7 — cross-client response data leakage between concurrent sessions (CVSS 7.1)
  • Upgrade zod to ^3.25.0 (now a peer dependency of SDK v1.23+)
  • Pin @types/express to v4 (compatible with our express v4 dependency)
  • Add smoke test suite for pre-release validation

Depends on

Smoke test suite

npx tsx tests/smoke.test.ts [--port 13579] [--apikey "AIza..."]

Test coverage

  • Initialize session: server responds, session ID assigned
  • List tools: all 7 tools registered
  • Geocode call: tool execution with real API (when key provided)
  • Multi-session: 3 concurrent sessions, independent tool calls

Test plan

  • tsc --noEmit passes
  • npm run build succeeds
  • Smoke test 15/15 passed
  • Manual test with Google Maps API key (geocode + multi-session geocode)

🤖 Generated with Claude Code

cablate and others added 2 commits March 12, 2026 20:39
The singleton McpServer was shared across all HTTP sessions, causing an
"Already connected to a transport" crash on the second connection.
Each session now gets its own McpServer instance with tools replayed
from stored config. Stdio mode unchanged (1:1 by nature).

Closes #27

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Upgrade @modelcontextprotocol/sdk ^1.11.0 → ^1.27.1
  - Fixes GHSA-345p-7cg4-v4c7 (cross-client response data leakage)
  - Protocol.connect() now enforces single-transport-per-instance
- Upgrade zod ^3.24.2 → ^3.25.0 (now a peer dep of SDK v1.23+)
- Pin @types/express to v4 (compatible with our express v4 dep)
- Add smoke test suite (tests/smoke.test.ts):
  - Session initialization
  - Tool listing (all 7 tools)
  - Geocode tool call (when API key provided)
  - Multi-session concurrency (3 parallel sessions)
  - Run: npx tsx tests/smoke.test.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
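Added example, not the project's code, serving both the fix described in the first commit message above (one McpServer per HTTP session, tools replayed from stored config, a single transport per instance) and the multi-session smoke test described in the second. It stands in for the SDK with small assumed types (SessionServer, Transport, ToolSpec, and a constructed TOOL_CONFIG of two tools); the JSON-RPC method names follow MCP, but the server class is an illustration, not the @modelcontextprotocol/sdk API. The singleton factory reproduces the crash on the second connection; the per-session factory passes the same interleaved check with every response tagged by the session that issued the call.

```typescript
// Added example, not the project's code: an in-process stand-in for the SDK so the
// per-session fix can be exercised offline. SessionServer, Transport, ToolSpec and
// TOOL_CONFIG are assumptions for illustration, not the @modelcontextprotocol/sdk API.

type JsonRpcRequest = { jsonrpc: "2.0"; id: number; method: string; params?: Record<string, unknown> };
type JsonRpcResponse = { jsonrpc: "2.0"; id: number; result?: unknown; error?: { code: number; message: string } };
type ToolSpec = { name: string; handler: (args: Record<string, unknown>, sessionId: string) => unknown };
type Transport = { sessionId: string };

// Constructed sample config, registered once at startup and replayed into every
// new server instance (the real project registers 7 tools).
const TOOL_CONFIG: ToolSpec[] = [
  { name: "geocode", handler: (a, sid) => ({ address: a.address, servedBy: sid }) },
  { name: "reverse_geocode", handler: (a, sid) => ({ lat: a.lat, lng: a.lng, servedBy: sid }) },
];

class SessionServer {
  private transport: Transport | null = null;
  private readonly tools: Record<string, ToolSpec> = {};

  registerTool(tool: ToolSpec): void { this.tools[tool.name] = tool; }

  // One transport per instance: a second connect() throws instead of silently
  // rebinding, which is the crash the PR describes for the shared singleton.
  connect(transport: Transport): void {
    if (this.transport) throw new Error("Already connected to a transport");
    this.transport = transport;
  }

  // Every result is computed against the one session bound to this instance.
  handle(req: JsonRpcRequest): JsonRpcResponse {
    if (!this.transport) return this.fail(req.id, -32002, "Not connected");
    const sid = this.transport.sessionId;
    switch (req.method) {
      case "initialize":
        return this.ok(req.id, { protocolVersion: "2025-03-26", sessionId: sid });
      case "tools/list":
        return this.ok(req.id, { tools: Object.keys(this.tools).map((name) => ({ name })) });
      case "tools/call": {
        const name = String(req.params?.name);
        const tool = this.tools[name];
        if (!tool) return this.fail(req.id, -32602, `Unknown tool: ${name}`);
        return this.ok(req.id, tool.handler((req.params?.arguments ?? {}) as Record<string, unknown>, sid));
      }
      default:
        return this.fail(req.id, -32601, `Method not found: ${req.method}`);
    }
  }

  private ok(id: number, result: unknown): JsonRpcResponse { return { jsonrpc: "2.0", id, result }; }
  private fail(id: number, code: number, message: string): JsonRpcResponse {
    return { jsonrpc: "2.0", id, error: { code, message } };
  }
}

type ServerFactory = (sessionId: string) => SessionServer;

// Before the fix: one server instance shared by every HTTP session.
function singletonFactory(): ServerFactory {
  const shared = new SessionServer();
  TOOL_CONFIG.forEach((t) => shared.registerTool(t));
  return (sessionId) => { shared.connect({ sessionId }); return shared; };
}

// After the fix: a fresh server per session, tools replayed from stored config.
function perSessionFactory(): ServerFactory {
  return (sessionId) => {
    const server = new SessionServer();
    TOOL_CONFIG.forEach((t) => server.registerTool(t));
    server.connect({ sessionId });
    return server;
  };
}

// Smoke check shaped like the PR's test plan: open the sessions, initialize each,
// list tools, then interleave geocode calls across sessions and record any response
// whose servedBy tag is not the calling session's own id.
function smoke(factory: ServerFactory, sessionIds: string[]): { toolCount: number; mismatches: string[] } {
  const sessions = sessionIds.map((id) => ({ id, server: factory(id) }));
  const mismatches: string[] = [];
  let toolCount = -1;
  let rpcId = 0;
  for (const { id, server } of sessions) {
    const init = server.handle({ jsonrpc: "2.0", id: ++rpcId, method: "initialize" });
    const assigned = (init.result as { sessionId: string }).sessionId;
    if (assigned !== id) mismatches.push(`${id} initialized as ${assigned}`);
    const list = server.handle({ jsonrpc: "2.0", id: ++rpcId, method: "tools/list" });
    toolCount = (list.result as { tools: unknown[] }).tools.length;
  }
  for (let round = 0; round < 2; round++) {
    for (const { id, server } of sessions) {
      const res = server.handle({ jsonrpc: "2.0", id: ++rpcId, method: "tools/call",
        params: { name: "geocode", arguments: { address: `${id}-addr-${round}` } } });
      const servedBy = (res.result as { servedBy: string }).servedBy;
      if (servedBy !== id) mismatches.push(`${id} answered by ${servedBy}`);
    }
  }
  return { toolCount, mismatches };
}

console.log(smoke(perSessionFactory(), ["s1", "s2", "s3"]));
```

With the singleton factory the second call to `smoke`'s session loop throws "Already connected to a transport", which is the failure the first commit fixes; with the per-session factory the three sessions report no mismatches and each sees the full tool list. In the real server the equivalent of `factory(id)` is the place to build the McpServer inside the per-session transport setup rather than at module load.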
@cablate cablate force-pushed the fix/multi-session-crash branch from 7c930a6 to ae1a7fd Compare March 12, 2026 12:42
@cablate cablate force-pushed the chore/upgrade-mcp-sdk-v1.27 branch from 0acc51a to 0df5ef7 Compare March 12, 2026 12:42
@cablate cablate changed the base branch from fix/multi-session-crash to main March 12, 2026 12:44
- Add GitHub Actions CI workflow (build/lint/test on PR)
- Add GitHub Actions release workflow (E2E test + auto bump + npm publish on merge to main)
- Add ESLint 9 flat config with TypeScript and Prettier integration
- Add Prettier config matching existing code style
- Add npm scripts: test, test:e2e, lint, format, format:check
- Format all source files with Prettier
- Fix prefer-const and no-empty lint errors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cablate cablate merged commit 70a8257 into main Mar 12, 2026
1 check passed
@cablate cablate deleted the chore/upgrade-mcp-sdk-v1.27 branch March 14, 2026 05:35