Issue
There's a security advisory on @modelcontextprotocol/sdk < 1.24.0: GHSA-w48q-cv73-mx4w
This package has a version range ">=1.5.0 <1.10.0" which does not allow for upgrading to a fixed version.
A workaround for consumers is to override the version in resolutions in package.json, although this might well break some behaviour (I haven't checked).
Note that the vulnerability may not be exploitable in practice for many people (see linked description), but it creates automated security scanning noise / violations.
Fix
Change version range in this package if possible.
Thank you!
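Added example (not part of the original issue, and not code from this package or the SDK): a JavaScript check for whether a declared dependency range can reach a patched release at all, which is the condition the issue describes for `">=1.5.0 <1.10.0"` against the `1.24.0` fix. It generalises to any plain comparator range; the dependent names and the second and third ranges are constructed for illustration.

```javascript
// Added example, not project code. Handles only plain comparators such as ">=1.5.0 <1.10.0"
// joined by "||"; caret, tilde, x-ranges and prerelease tags are rejected, not guessed at.
const parse = (v) => v.split(".").map(Number);

// Numeric compare of x.y.z versions, so 1.10.0 sorts above 1.9.0.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function satisfies(version, comparatorSet) {
  return comparatorSet.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const d = cmp(version, m[2]);
    return { ">=": d >= 0, ">": d > 0, "<=": d <= 0, "<": d < 0, "=": d === 0 }[m[1] || "="];
  });
}

// True if some version >= firstPatched satisfies the range. The lowest such
// version, if one exists, is firstPatched, a bound named in the range, or the
// next patch after a bound, so probing those candidates is sufficient.
function admitsPatched(range, firstPatched) {
  return range.split("||").some((set) => {
    const candidates = [firstPatched];
    for (const v of set.match(/\d+\.\d+\.\d+/g) || []) {
      const [a, b, c] = parse(v);
      candidates.push(v, `${a}.${b}.${c + 1}`);
    }
    return candidates.some((v) => cmp(v, firstPatched) >= 0 && satisfies(v, set));
  });
}

// Constructed input: dependent names are hypothetical. The first range and
// the 1.24.0 floor are the values quoted in the issue.
const FIRST_PATCHED = "1.24.0";
const declared = {
  "example-dependent-a": ">=1.5.0 <1.10.0",
  "example-dependent-b": ">=1.5.0 <2.0.0",
  "example-dependent-c": "1.9.0 || >=1.24.0",
};

// Dependents whose declared range excludes every patched release.
function blockedDependents(ranges, firstPatched) {
  return Object.keys(ranges).filter((n) => !admitsPatched(ranges[n], firstPatched));
}

console.log(blockedDependents(declared, FIRST_PATCHED));
```

A dependent reported here cannot pick up the fix through a normal update; it needs either a widened range upstream or a consumer-side override such as the `resolutions` entry mentioned in the issue.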