[Snyk] Security upgrade @modelcontextprotocol/sdk from 1.15.0 to 1.26.0

[Krosebrook]

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• js/plugins/mcp/package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Race Condition SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843	641

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Race Condition

---

Note

Low Risk
Dependency-only change; main risk is subtle runtime/typing differences in @modelcontextprotocol/sdk without an updated lockfile to ensure consistent installs.

Overview
Updates the js/plugins/mcp plugin to use a newer @modelcontextprotocol/sdk version to address a reported race-condition vulnerability.

The PR does not include an updated pnpm-lock.yaml (per the PR note), so reviewers should ensure the lockfile is regenerated/validated before merge to keep dependency resolution consistent.

^{Written by Cursor Bugbot for commit eb677d6. This will update automatically on new commits. Configure here.}

---

Summary by cubic

Upgraded @modelcontextprotocol/sdk from 1.15.0 to 1.26.0 in js/plugins/mcp/package.json to fix a high‑severity race condition. Dependency-only change; no source code edits.

• Dependencies

  • Bump @modelcontextprotocol/sdk: 1.15.0 → 1.26.0 (fixes SNYK-JS-MODELCONTEXTPROTOCOLSDK-15208843)

• Migration

  • Regenerate pnpm-lock.yaml (pnpm install) and smoke test the MCP plugin before merging.

^{Written for commit 09277ab. Summary will update on new commits.}

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-9849df553dc4bc31cb6e2f8bf42bb823

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}