chore(deps): update dependency @modelcontextprotocol/sdk to v1.29.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
@modelcontextprotocol/sdk (source)	dependencies	minor	1.25.1 → 1.29.0

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.29.0

Compare Source

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #​1577) by @​felixweinberger in #​1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in #​1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in #​1575
• Add typings exports by @​tdraier in #​1623
• v1.x npm audit fix by @​KKonstantinov in #​1780
• v1.x #​1623 follow up -add missing types to package.json by @​KKonstantinov in #​1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in #​1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in #​1640
• chore: bump version to 1.29.0 by @​felixweinberger in #​1820

New Contributors

• @​tdraier made their first contribution in #​1623
• @​jnMetaCode made their first contribution in #​1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

Compare Source

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #​580) by @​antogyn in #​757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in #​1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in #​1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in #​1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in #​1738
• chore: bump version to 1.28.0 by @​felixweinberger in #​1746

New Contributors

• @​antogyn made their first contribution in #​757
• @​tiluckdave made their first contribution in #​1596
• @​poteat made their first contribution in #​1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

Compare Source

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in #​1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in #​1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in #​1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in #​1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in #​1580
• chore: bump version to 1.27.1 by @​felixweinberger in #​1581

New Contributors

• @​qing-ant made their first contribution in #​1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

Compare Source

What's Changed

• feat: add conformance test infrastructure for v1.x by @​felixweinberger in #​1518
• feat: backport discoverOAuthServerInfo() and discovery caching to v1.x by @​felixweinberger in #​1533
• feat: add url property to RequestInfo interface by @​valentinbeggi in #​1353
• [v1.x] feat(tasks): add streaming methods for elicitation and sampling by @​LucaButBoring in #​1528
• chore: bump version for v1.27.0 by @​felixweinberger in #​1541

New Contributors

• @​valentinbeggi made their first contribution in #​1353

Full Changelog: modelcontextprotocol/typescript-sdk@v1.26.0...v1.27.0

v1.26.0

Compare Source

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in #​1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in #​1382
• Fix #​1430: Client Credentials providers scopes support (backported) by @​NSeydoux in #​1442
• chore: bump version to 1.26.0 by @​pcarleton in #​1479

New Contributors

• @​samuv made their first contribution in #​1382
• @​NSeydoux made their first contribution in #​1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

Compare Source

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in #​1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in #​1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

Compare Source

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in #​1319
• fix: README badges links destinations by @​antonpk1 in #​907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in #​1365

New Contributors

• @​antonpk1 made their first contribution in #​907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cubic-dev-ai]

No issues found across 2 files

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	zod-to-json-schema@​3.25.2
	@​modelcontextprotocol/​sdk@​1.25.1 ⏵ 1.29.0		+22		+1

View full report

[baz-reviewer]

Commit 727db84 addressed this comment by upgrading @modelcontextprotocol/sdk (to 1.27.1) and updating the lockfile so the resolved SDK dependency now pulls zod-to-json-schema at a compatible version (^3.25.1, per bun.lock). This removes the previously flagged mismatch risk between the MCP SDK and zod@^4 during server startup initialization.