chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates

Open dependabot[bot] opened this issue 2 months ago • 2 comments

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml. Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: better-auth and js-yaml. Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits
  • f2c28dd chore: release v1.4.2
  • 7e7a4ca chore: release v1.4.2-beta.2
  • a2e6a8a Revert "chore: lint (#6290)"
  • 5ea36ab fix: signIn/signUp API returns user additional field (#6287)
  • 205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
  • 201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
  • 1c1c913 chore: more join tests for missing data scenarios (#6166)
  • 1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
  • fc662c5 chore: remove incorrect auth cli (#6242)
  • fabf8dc docs: updated og image and add merch link to community section (#6251)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates glob from 11.0.2 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

  • Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

  • Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

  • Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
  • Add th...

    Description has been truncated

dependabot[bot] avatar Dec 04 '25 21:12 dependabot[bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
docs Ready Ready Preview, Comment Dec 16, 2025 4:43am

vercel[bot] avatar Dec 04 '25 21:12 vercel[bot]

Greptile Overview

Greptile Summary

Dependabot updated 4 packages across the monorepo, but there's a critical version conflict that will prevent the intended upgrades from taking effect.

Key Changes:

  • @modelcontextprotocol/sdk: 1.20.2 → 1.24.0 (MCP spec 2025-11-25, Tasks support)
  • better-auth: 1.3.12 → 1.4.2 (PKCE for GitHub, JWKS customization, bug fixes)
  • js-yaml: 4.1.0 → 4.1.1 (security fix for prototype pollution CVE)
  • next: 15.4.8 → 16.0.7 (attempted upgrade)
  • glob: 11.0.2 → 11.1.0 (minor bump)

Critical Issue: The root package.json and apps/sim/package.json both have overrides sections that pin Next.js to 15.4.8, but Dependabot updated the dependency declarations to 16.0.7. Package manager overrides take precedence, so the application will actually run Next.js 15.4.8 despite the dependency declarations indicating 16.0.7. This creates confusion and prevents the Next.js upgrade from taking effect.

Security Note: The js-yaml update fixes a prototype pollution vulnerability and should be merged promptly after resolving the Next.js version conflict.

Confidence Score: 0/5

  • This PR has critical version conflicts that will prevent intended upgrades from working correctly and should not be merged as-is.
  • Score of 0 (critical issues) because package.json overrides pin Next.js to 15.4.8 while dependencies declare 16.0.7, creating a fundamental version mismatch. The override will silently force 15.4.8 despite PR claiming to update to 16.0.7. This makes the PR misleading and potentially breaks expectations. While js-yaml security fix is important, the Next.js conflict must be resolved first by either updating overrides to 16.0.7 or reverting Next.js dependency changes.
  • Critical attention needed on package.json and apps/sim/package.json - both have override sections that conflict with the dependency updates

Important Files Changed

File Analysis

Filename | Score | Overview
package.json | 1/5 | Critical issue - overrides pin Next.js to 15.4.8 but dependencies updated to 16.0.7, creating version conflict. Also updates @modelcontextprotocol/sdk to 1.24.0.
apps/sim/package.json | 1/5 | Same critical Next.js override conflict (15.4.8 vs 16.0.7). Updates better-auth to 1.4.2 and js-yaml to 4.1.1 (security fix for prototype pollution).
apps/docs/package.json | 3/5 | Updates Next.js to 16.0.7 - no override conflicts at this level, should work correctly.

Sequence Diagram

sequenceDiagram
    participant Dependabot
    participant RootPackage as package.json
    participant SimApp as apps/sim/package.json
    participant DocsApp as apps/docs/package.json
    participant Scripts as scripts/package.json
    
    Dependabot->>RootPackage: Update @modelcontextprotocol/sdk<br/>1.20.2 → 1.24.0
    Note over RootPackage: ⚠️ Override conflict:<br/>next: 15.4.8 (pinned)
    
    Dependabot->>SimApp: Update better-auth<br/>1.3.12 → 1.4.2
    Dependabot->>SimApp: Update js-yaml<br/>4.1.0 → 1.4.1 (security fix)
    Dependabot->>SimApp: Update next<br/>15.4.8 → 16.0.7
    Note over SimApp: ⚠️ Override conflict:<br/>next: 15.4.8 (pinned)
    
    Dependabot->>DocsApp: Update next<br/>15.4.8 → 16.0.7
    Note over DocsApp: ✓ No override conflicts
    
    Dependabot->>Scripts: Update glob<br/>11.0.2 → 11.1.0
    Note over Scripts: ✓ Minor version bump
    
    Note over RootPackage,SimApp: Critical Issue: Dependencies<br/>updated to Next 16.0.7 but<br/>overrides pin to 15.4.8

greptile-apps[bot] avatar Dec 04 '25 21:12 greptile-apps[bot]
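
The mismatch between an `overrides` pin and a declared dependency version, as described in the review comment above, can be checked mechanically before merging a dependency bump. The following is an added example, not code from this repository or from any bot in the thread; `samplePkg` and `example-lib` are constructed, and only exact, `^` and `~` version specs with string-valued overrides are handled.

```javascript
// Added example (not from this repository): flag direct dependencies whose
// declared spec is not satisfied by a string pin in "overrides".
// Only exact, ^ and ~ specs are understood; others are reported as "unchecked".
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function satisfies(pinned, spec) {
  const op = /^[\^~]/.test(spec) ? spec[0] : "";
  const want = parse(spec.slice(op.length));
  const have = parse(pinned);
  if (!want || !have) return null; // spec form not supported here
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (op === "") return cmp(have, want) === 0;
  if (cmp(have, want) < 0) return false;
  if (op === "~") return have[0] === want[0] && have[1] === want[1];
  // Caret: the leftmost non-zero component must not change.
  if (want[0] > 0) return have[0] === want[0];
  if (want[1] > 0) return have[0] === 0 && have[1] === want[1];
  return have[0] === 0 && have[1] === 0 && have[2] === want[2];
}

function findOverrideConflicts(pkg) {
  const overrides = pkg.overrides || {};
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const pinned = overrides[name];
      if (typeof pinned !== "string") continue; // nested override objects: out of scope
      const ok = satisfies(pinned, spec);
      if (ok === true) continue;
      const status = ok === false ? "conflict" : "unchecked";
      findings.push({ name, field, declared: spec, pinned, status });
    }
  }
  return findings;
}

// Constructed sample mirroring the mismatch the review comment describes.
const samplePkg = {
  dependencies: { next: "16.0.7", "example-lib": "^4.1.0" },
  overrides: { next: "15.4.8", "example-lib": "4.1.1" },
};
console.log(findOverrideConflicts(samplePkg));
```

Run against each workspace's parsed `package.json` in CI, a non-empty result with status `conflict` marks a bump whose declared version will not be the one installed.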