sim icon indicating copy to clipboard operation
sim copied to clipboard
Published 1 month ago verified publisher icon simstudioai

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates

Open dependabot[bot] opened this issue 1 month ago • 2 comments

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml. Bumps the npm_and_yarn group with 3 updates in the /apps/sim directory: @modelcontextprotocol/sdk, better-auth and js-yaml. Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Commits
  • 2000fd6 chore: release v1.4.5
  • fcab5a8 fix: add helper types to exports (#6479)
  • c666670 chore: release v1.4.5-beta.1
  • fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
  • 189dedd chore: release v1.4.4-beta.3
  • 6269a33 chore: release v1.4.4-beta.2
  • 52c15d4 chore: fix validation errors in unit tests (#6466)
  • a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
  • 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
  • fbe51c8 chore: add spell checker (#6319)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Commits
  • 2000fd6 chore: release v1.4.5
  • fcab5a8 fix: add helper types to exports (#6479)
  • c666670 chore: release v1.4.5-beta.1
  • fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
  • 189dedd chore: release v1.4.4-beta.3
  • 6269a33 chore: release v1.4.4-beta.2
  • 52c15d4 chore: fix validation errors in unit tests (#6466)
  • a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
  • 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
  • fbe51c8 chore: add spell checker (#6319)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

dependabot[bot] avatar Dec 29 '25 10:12 dependabot[bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
docs Error Error Dec 29, 2025 10:20am

vercel[bot] avatar Dec 29 '25 10:12 vercel[bot]

Greptile Summary

This PR updates four npm dependencies across the monorepo, automatically generated by Dependabot:

Security Updates:

  • js-yaml 4.1.0 → 4.1.1 - Fixes a prototype pollution vulnerability in the YAML merge operator (<<). This is a critical security patch that should be merged.

Feature Updates:

  • @modelcontextprotocol/sdk 1.20.2 → 1.24.0 - Updates to MCP spec 2025-11-25 with new Tasks API, improved SSE reconnection behavior, OAuth enhancements (client credentials flow, HTTP issuer URLs in dev mode), Zod 4 compatibility fixes, and bug fixes for JSON parsing and header normalization
  • better-auth 1.3.12 → 1.4.5 - Includes bug fixes for cookie chunking when exceeding limits, multi-session endpoint handling with invalid signatures, additional fields default values during session creation, user-agent handling, and adds SCIM custom media type support
  • glob 11.0.3 → 11.1.0 (scripts directory only) - Minor version bump with no breaking changes

All updates appear to be non-breaking and include improvements and bug fixes. The js-yaml security fix makes this PR important to merge promptly.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it contains automated dependency updates with important security fixes
  • Score of 5 reflects: (1) automated Dependabot PR with clear dependency updates, (2) includes critical security fix for js-yaml prototype pollution, (3) all updates are minor/patch versions with no breaking changes documented, (4) updates include bug fixes and improvements to existing functionality, (5) no custom code changes that could introduce bugs
  • No files require special attention - all changes are straightforward dependency version bumps in package.json files

Important Files Changed

Filename Overview
apps/sim/package.json Updates MCP SDK (1.20.2→1.24.0), better-auth (1.3.12→1.4.5), and js-yaml (4.1.0→4.1.1 security fix)
scripts/package.json Updates glob from 11.0.3 to 11.1.0 - minor version bump with no breaking changes
scripts/package-lock.json Lock file updated to reflect glob and transitive dependency updates, adds yaml 2.8.1

Sequence Diagram

sequenceDiagram
    participant Dependabot
    participant npm_registry as NPM Registry
    participant root as Root package.json
    participant sim as apps/sim/package.json
    participant scripts as scripts/package.json
    participant lock as scripts/package-lock.json
    
    Dependabot->>npm_registry: Check for updates in npm_and_yarn group
    npm_registry-->>Dependabot: Return available updates
    
    Note over Dependabot: Found 4 updates:<br/>@modelcontextprotocol/sdk 1.24.0<br/>better-auth 1.4.5<br/>js-yaml 4.1.1<br/>glob 11.1.0
    
    Dependabot->>sim: Update @modelcontextprotocol/sdk: 1.20.2 → 1.24.0
    Note right of sim: Adds MCP spec 2025-11-25<br/>Tasks API, SSE improvements
    
    Dependabot->>sim: Update better-auth: 1.3.12 → 1.4.5
    Note right of sim: Cookie chunking fixes<br/>Multi-session improvements
    
    Dependabot->>sim: Update js-yaml: 4.1.0 → 4.1.1
    Note right of sim: SECURITY FIX:<br/>Prototype pollution patch
    
    Dependabot->>scripts: Update glob: 11.0.3 → 11.1.0
    Note right of scripts: Minor version bump
    
    Dependabot->>lock: Regenerate package-lock.json
    Note right of lock: Update transitive dependencies<br/>Add yaml 2.8.1
    
    Dependabot->>Dependabot: Create PR #2625
    Note over Dependabot: All updates non-breaking<br/>Ready for review

greptile-apps[bot] avatar Dec 29 '25 10:12 greptile-apps[bot]