fix: upgrade @modelcontextprotocol/sdk to 1.29.0 to fix CVE-2026-4926 (#95)

mattpodwysocki · claude · web-flow · commit 1bc01e8390f6 · 2026-04-01T14:13:42.000-04:00
Upgrades @modelcontextprotocol/sdk from ^1.27.1 to ^1.29.0, which resolves path-to-regexp to 8.4.1 and fixes the ReDoS vulnerability GHSA-j3q9-mxjg-w52f (CVE-2026-4926). Regenerates the patch for SDK 1.29.0 (replaces patch for 1.27.1) to maintain the warn-instead-of-throw behavior for output schema validation. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -51,7 +51,7 @@
   "dependencies": {
     "@mcp-ui/server": "^6.1.0",
     "@modelcontextprotocol/ext-apps": "^1.1.1",
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/auto-instrumentations-node": "^0.56.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.56.0",
diff --git a/patches/@modelcontextprotocol+sdk+1.29.0.patch b/patches/@modelcontextprotocol+sdk+1.29.0.patch
@@ -1,8 +1,26 @@
-diff --git a/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js b/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js
-index 23639ce..7b8a325 100644
+--- a/node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp.js
++++ b/node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp.js
+@@ -197,7 +197,7 @@
+             return;
+         }
+         if (!result.structuredContent) {
+-            throw new types_js_1.McpError(types_js_1.ErrorCode.InvalidParams, `Output validation error: Tool ${toolName} has an output schema but no structured content was provided`);
++            console.warn(`[MCP SDK Patch] Output validation warning: Tool ${toolName} has an output schema but no structured content was provided`);
+         }
+         // if the tool has an output schema, validate structured content
+         const outputObj = (0, zod_compat_js_1.normalizeObjectSchema)(tool.outputSchema);
+@@ -205,7 +205,7 @@
+         if (!parseResult.success) {
+             const error = 'error' in parseResult ? parseResult.error : 'Unknown error';
+             const errorMessage = (0, zod_compat_js_1.getParseErrorMessage)(error);
+-            throw new types_js_1.McpError(types_js_1.ErrorCode.InvalidParams, `Output validation error: Invalid structured content for tool ${toolName}: ${errorMessage}`);
++            console.warn(`[MCP SDK Patch] Output validation warning: Invalid structured content for tool ${toolName}: ${errorMessage}`);
+         }
+     }
+     /**
 --- a/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js
 +++ b/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js
-@@ -194,15 +194,20 @@ export class McpServer {
+@@ -194,15 +194,20 @@
              return;
          }
          if (!result.structuredContent) {
