Skip to content

chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.3.1 to 1.6.1#84

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.6.1
Closed

chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.3.1 to 1.6.1#84
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.6.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Copy link
Copy Markdown

Bumps github.com/modelcontextprotocol/go-sdk from 1.3.1 to 1.6.1.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.1

This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.

Behavior Changes

Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it. This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests. See #957.

What's Changed

Full Changelog: modelcontextprotocol/go-sdk@v1.6.0...v1.6.1

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

2026-06-30 Release related PRs

  • feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

    New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

  • feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

    By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

... (truncated)

Commits
  • d454bba mcp: add MCPGPDEBUG for opt-in Content-Type check (#972)
  • f5f2015 MCPGODEBUG update for 1.6.0 (#893)
  • e01639a feat: HTTP Header Standardization for method and name (#907)
  • 93a41b2 internal/jsonrpc2: remove unused code (#910)
  • 446beae mcp: Upgrade jsonschema-go (#912)
  • 2e21834 extauth: add ClientCredentialsHandler for OAuth client credentials grant (#895)
  • 2643b22 feat: add automatic application_type inference (#904)
  • db50910 mcp: do not re-prompt OAuth after cancelled Authorize (#885)
  • 5f2cd8f mcp: preserve transport errors in Write error chain (#888)
  • 0edc597 Update README.md (#896)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) from 1.3.1 to 1.6.1.
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.3.1...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 25, 2026
blue4209211 added a commit that referenced this pull request Jun 7, 2026
Supersedes Dependabot PRs #72, #78, and #84:
- go-sdk: 1.4.1 -> 1.6.1 (matches #84; still patches the three open
  high-severity alerts plus subsequent fixes)
- actions/setup-go: v5 -> v6 (matches #78)

Transitive bumps from go mod tidy:
- github.com/google/jsonschema-go v0.4.2 -> v0.4.3
- golang.org/x/oauth2 v0.34.0 -> v0.35.0
- golang.org/x/sys v0.40.0 -> v0.41.0

Verified locally: full test suite green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@blue4209211

Copy link
Copy Markdown
Contributor

Folded into #94 — go-sdk 1.6.1 is included in that PR alongside CI hygiene fixes.

@blue4209211 blue4209211 closed this Jun 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.6.1 branch June 7, 2026 10:14
blue4209211 added a commit that referenced this pull request Jun 7, 2026
Bundled CI hygiene + dependency security fix.

Workflow tightening:
- Release: restrict tag trigger from '*' to 'v*' so accidental
  non-version tags don't kick off a release.
- Release: run `make test` before building so a broken main can't
  ship binaries.
- CI: also run on push to main, catching anything that lands via
  direct push or stale-branch merge.
- actions/setup-go: v4 -> v6 in both workflows (matches Dependabot's
  recommendation).

Dependabot alerts closed:
- go-sdk: v1.3.1 -> v1.6.1, resolving 3 high-severity alerts on
  github.com/modelcontextprotocol/go-sdk (null Unicode JSON parsing,
  cross-site tool execution without auth, DNS rebinding protection
  disabled by default on localhost).

Transitive bumps from go mod tidy:
- github.com/google/jsonschema-go v0.4.2 -> v0.4.3
- github.com/segmentio/encoding v0.5.3 -> v0.5.4
- golang.org/x/oauth2 v0.30.0 -> v0.35.0
- golang.org/x/sys v0.36.0 -> v0.41.0

Supersedes (closed): #72, #78, #84.

Verified locally: full test suite green, `nbctl mcp` registers all
44 tools and reports "MCP server started, waiting for requests..."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blue4209211 added a commit that referenced this pull request Jun 7, 2026
Bundled CI hygiene + dependency security fix.

Workflow tightening:
- Release: restrict tag trigger from '*' to 'v*' so accidental
  non-version tags don't kick off a release.
- Release: run `make test` before building so a broken main can't
  ship binaries.
- CI: also run on push to main, catching anything that lands via
  direct push or stale-branch merge.
- actions/setup-go: v4 -> v6 in both workflows (matches Dependabot's
  recommendation).

Dependabot alerts closed:
- go-sdk: v1.3.1 -> v1.6.1, resolving 3 high-severity alerts on
  github.com/modelcontextprotocol/go-sdk (null Unicode JSON parsing,
  cross-site tool execution without auth, DNS rebinding protection
  disabled by default on localhost).

Transitive bumps from go mod tidy:
- github.com/google/jsonschema-go v0.4.2 -> v0.4.3
- github.com/segmentio/encoding v0.5.3 -> v0.5.4
- golang.org/x/oauth2 v0.30.0 -> v0.35.0
- golang.org/x/sys v0.36.0 -> v0.41.0

Supersedes (closed): #72, #78, #84.

Verified locally: full test suite green, `nbctl mcp` registers all
44 tools and reports "MCP server started, waiting for requests..."

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant