[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.13.1 to 1.26.0

[Krosebrook]

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• genkit-tools/cli/package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Race Condition SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843	641

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Race Condition

---

Note

Medium Risk
Dependency-only change, but it upgrades an SDK used across the CLI’s MCP integration and could introduce behavioral or compatibility changes at runtime.

Overview
Updates genkit-tools/cli/package.json to bump @modelcontextprotocol/sdk from ^1.13.1 to ^1.26.0 (Snyk fix for a high-severity race condition).

^{Written by Cursor Bugbot for commit 6c1d221. This will update automatically on new commits. Configure here.}

---

Summary by cubic

Upgrade @modelcontextprotocol/sdk to 1.26.0 in genkit-tools/cli to fix a high-severity race condition. Dependency-only change; no functional impact expected.

• Dependencies

  • @modelcontextprotocol/sdk: ^1.13.1 → ^1.26.0 (fixes SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843)

• Migration

  • Regenerate pnpm-lock.yaml: run pnpm install (or pnpm up @modelcontextprotocol/sdk).

^{Written for commit 6c1d221. Summary will update on new commits.}

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-b5a705bd03e4948d1bd3e0dcf9f5a28e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Krosebrook, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request automates a critical security update by upgrading the @modelcontextprotocol/sdk dependency. The primary goal is to mitigate a high-severity race condition vulnerability, thereby enhancing the project's security posture. The change is contained within a single package configuration file, reflecting an efficient, automated response to a security concern.

Highlights

• Dependency Upgrade: The @modelcontextprotocol/sdk dependency has been upgraded from version 1.13.1 to 1.26.0 in genkit-tools/cli/package.json.
• Security Fix: This upgrade addresses a high-severity Race Condition vulnerability (SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843) found in the @modelcontextprotocol/sdk package.
• Automated Remediation: This pull request was automatically generated by Snyk to fix the identified security vulnerability.

Changelog

• genkit-tools/cli/package.json
  • Updated the @modelcontextprotocol/sdk dependency version from ^1.13.1 to ^1.26.0.

Activity

• This pull request was automatically created by Snyk to address a security vulnerability.
• A warning was noted indicating that the pnpm-lock.yaml file failed to update and requires manual intervention.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request upgrades @modelcontextprotocol/sdk to version 1.26.0 to address a security vulnerability. The change itself in genkit-tools/cli/package.json is correct. However, the update is incomplete. As noted in the pull request description, the pnpm-lock.yaml file was not updated, which is a critical issue that prevents the fix from being applied. This must be resolved by running pnpm install. Additionally, for consistency, the peerDependency in js/plugins/mcp/package.json should also be updated to the new version.

[gemini-code-assist]

While this version bump is correct, the change is incomplete and must be addressed before merging.

• Critical: The pnpm-lock.yaml file has not been updated. Please run pnpm install in the genkit-tools workspace to update the lockfile and ensure the security fix is applied.
• Medium: For consistency, the peerDependency on @modelcontextprotocol/sdk in js/plugins/mcp/package.json should also be updated to ^1.26.0.

[Copilot]

Pull request overview

Upgrades the Genkit CLI’s @modelcontextprotocol/sdk dependency to remediate a Snyk-reported vulnerability in the genkit-tools pnpm dependency set.

Changes:

• Bump @modelcontextprotocol/sdk in genkit-tools/cli/package.json from ^1.13.1 to ^1.26.0.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The dependency version was bumped in this package.json, but genkit-tools/pnpm-lock.yaml still pins @modelcontextprotocol/sdk to 1.13.1 for the cli importer. As-is, installs will continue to resolve the vulnerable version and the security fix won’t actually be applied. Please regenerate and commit the updated genkit-tools/pnpm-lock.yaml (e.g., run pnpm install from genkit-tools/).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ce8e9b8dca

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update lockfile to apply SDK security upgrade

This change only updates genkit-tools/cli/package.json, but genkit-tools/pnpm-lock.yaml still records the cli importer on @modelcontextprotocol/sdk ^1.13.1/1.13.1 (lines 44-46), so the committed dependency graph does not actually include the security-fixed version. In CI paths that run cd genkit-tools && pnpm install (for example .github/workflows/go.yml), this mismatch can either fail installation under frozen-lockfile behavior or keep builds pinned to the old vulnerable lock until someone regenerates and commits the lockfile.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

No issues found across 1 file