deps: bump mcp lower bound to 1.23.0 for GHSA-9h52-p55h-vw2f (#927)

joaquinhuigomez · web-flow · commit fd8213bbc27b · 2026-05-14T16:33:46.000-07:00
`mcp` versions `>=1.19.0,<1.23.0` are affected by [GHSA-9h52-p55h-vw2f](https://osv.dev/vulnerability/GHSA-9h52-p55h-vw2f) (CVE-2025-66416), which disables DNS rebinding protection by default for HTTP-based localhost MCP servers. `mcp 1.23.0` enables that protection, so requiring `>=1.23.0` prevents new `claude-agent-sdk` installs from resolving to a vulnerable `mcp` version. Fixes #921 Co-authored-by: Joaquin Hui Gomez <joaquinhuigomez@users.noreply.github.com>
diff --git a/pyproject.toml b/pyproject.toml
@@ -28,7 +28,7 @@ dependencies = [
     "anyio>=4.0.0",
     "sniffio>=1.0.0",
     "typing_extensions>=4.0.0; python_version<'3.11'",
-    "mcp>=1.19.0",
+    "mcp>=1.23.0",
 ]
 
 [project.optional-dependencies]

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ dependencies = [`
`28`	`28`	`"anyio>=4.0.0",`
`29`	`29`	`"sniffio>=1.0.0",`
`30`	`30`	`"typing_extensions>=4.0.0; python_version<'3.11'",`
`31`		`- "mcp>=1.19.0",`
	`31`	`+ "mcp>=1.23.0",`
`32`	`32`	`]`
`33`	`33`
`34`	`34`	`[project.optional-dependencies]`