fix(deps): update dependency @modelcontextprotocol/sdk to v1.24.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@modelcontextprotocol/sdk (source)	1.20.2 -> 1.24.0

GitHub Vulnerability Alerts

CVE-2025-66414

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.24.0

Compare Source

v1.23.0

Compare Source

What's Changed

• Migrate to vitest from jest by @​mattzcarey in #​1074
• ci: add workflow_dispatch trigger for manual CI runs by @​felixweinberger in #​1114
• Fix: @​types/node incompatibility with vite warnings on npm install by @​KKonstantinov in #​1121
• Fix: clean up accidental spec.types.ts by @​KKonstantinov in #​1122
• fix: Pass RequestInit options to auth requests by @​dsp-ant in #​1066
• SEP-1036: URL Elicitation by @​nbarbettini in #​1105
• add none to test and the router. by @​m-henderson in #​1116
• [auth] Adjust scope management to line up with SEP-835 by @​pcarleton in #​1133
• chore: add .idea/ to .gitignore by @​maxisbey in #​1134
• chore: remove unused @​types/eslint__js dependency by @​mattzcarey in #​1128
• feat: url based client metadata registration (SEP 991) by @​mattzcarey in #​1127
• feat: zod v4 with backwards compatibility for v3.25+ by @​dclark27 in #​1040
• fix: remove pnpm lock and regenerate package-lock by @​mattzcarey in #​1138
• docs: update installation instructions for zod peer dependency by @​mattzcarey in #​1139
• Implement SEP-1577 - Sampling With Tools by @​ochafik in #​1101
• Follow up: unify v3 and v4 zod types via describe matrix and a test helper by @​KKonstantinov in #​1141
• chore: Add deprecated marker to old elicitInput overload by @​nbarbettini in #​1142
• fix: Connect error in URL elicitation example by @​nbarbettini in #​1136
• Support upscoping on insufficient_scope 403 by @​Nayana-Parameswarappa in #​1115
• Support beta releases by publishing with --tag beta by @​felixweinberger in #​1146
• Bump version to 1.23.0-beta.0 by @​felixweinberger in #​1147
• SEP-1613: use.catchall() on inputSchema/outputSchema to support JSON Schema 2020-12 by @​felixweinberger in #​1135
• sampling: validate tools, tool_use, tool_result constraints by @​ochafik in #​1156
• fix: React to upstream RC schema changes for form mode elicitation requests by @​felixweinberger in #​1164
• feat: implement SEP-1699 SSE polling via server-side disconnect by @​felixweinberger in #​1129
• chore: bump package number for release by @​felixweinberger in #​1170

New Contributors

• @​nbarbettini made their first contribution in #​1105
• @​m-henderson made their first contribution in #​1116
• @​maxisbey made their first contribution in #​1134
• @​dclark27 made their first contribution in #​1040
• @​Nayana-Parameswarappa made their first contribution in #​1115

Full Changelog: modelcontextprotocol/typescript-sdk@1.22.0...1.23.0

v1.22.0

Compare Source

What's Changed

• registerTool: accept ZodType for input and output schema by @​ksinder in #​816
• SEP-1319: Decouple Request Payloads, Remove passthrough iteration, Typecheck fixes by @​KKonstantinov in #​1086
• add pkg-pr-new bot by @​pcarleton in #​1088
• Upgrade to Node LTS by @​mattzcarey in #​1072
• change step name by @​pcarleton in #​1089
• SEP-1034: Default values for Elicitation Schemas by @​KKonstantinov in #​1096
• SEP-1330: Compatibility with SEP-1034 by @​KKonstantinov in #​1100
• Implementation of SEP-986: Specify Format for Tool Names by @​kentcdodds in #​900
• [auth] Fix march spec fallback for metadata discovery by @​pcarleton in #​1108
• chore: bump version for release by @​felixweinberger in #​1110

New Contributors

• @​ksinder made their first contribution in #​816

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.22.0

v1.21.2

Compare Source

What's changed

This is a patch release for a regression highlighted by #​1103

This patch contains only the cherry picked fix in #​1108

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.21.2

v1.21.1

Compare Source

What's Changed

• Only use path-based discovery URLs from the authorization server to discover metadata by @​roadmapper in #​1070
• Add @​deprecated annotations to legacy APIs by @​domdomegg in #​1018
• fix: Support WWW-Authenticate scope param for SEP-835 by @​chipgpt in #​983
• move CLI script to dedicated scripts directory by @​mattzcarey in #​1073
• Check script which typechecks using Typescripts new Go port by @​mattzcarey in #​1075
• FIX: use a nightly spec.types.ts by @​mattzcarey in #​1087
• chore: bump version for release by @​felixweinberger in #​1085

New Contributors

• @​roadmapper made their first contribution in #​1070

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.0...1.21.1

v1.21.0

Compare Source

What's Changed

• feat: pluggable JSON schema validator providers by @​mattzcarey in #​1012
• Update metadata.ts by @​pcarleton in #​1010
• fix: Prefer the token_endpoint_auth_method response from DCR registration by @​chipgpt in #​1022
• Fix: Non-existent tool, disabled tool and inputSchema validation return MCP protocol level instead of CallToolResult with isError: true by @​KKonstantinov in #​1044
• chore: bump version to 1.21.0 for release by @​felixweinberger in #​1062

New Contributors

• @​chipgpt made their first contribution in #​1022

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.2...1.21.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 21 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 21, reused 0, downloaded 0, added 0
Progress: resolved 36, reused 0, downloaded 0, added 0
Progress: resolved 47, reused 0, downloaded 0, added 0
Progress: resolved 55, reused 0, downloaded 0, added 0
Progress: resolved 66, reused 0, downloaded 0, added 0
Progress: resolved 75, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/liam-hq/liam/frontend/internal-packages/mcp-server:
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for @modelcontextprotocol/[email protected] published by Tue Dec 02 2025 05:41:37 GMT+0000 (Coordinated Universal Time) while fetching it from https://registry.npmjs.org/. Version 1.24.0 satisfies the specs but was released at Tue Dec 02 2025 13:47:24 GMT+0000 (Coordinated Universal Time)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/liam-hq/liam/frontend/internal-packages/mcp-server

The latest release of @modelcontextprotocol/sdk is "1.24.2". Published at 12/3/2025 2:14:20 PM

Other releases are:
  * beta: 1.23.0-beta.0 published at 11/20/2025

If you need the full list of all 67 published versions run "$ pnpm view @modelcontextprotocol/sdk versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
liam-app	Error			Dec 4, 2025 5:42am
liam-assets	Error		Comment	Dec 4, 2025 5:42am
liam-storybook	Error			Dec 4, 2025 5:42am

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
liam-docs	Ignored	Preview		Dec 4, 2025 5:42am
liam-erd-sample	Skipped			Dec 4, 2025 5:42am

[giselles-ai]

Finished running flow.

Step 1
🟢	On Pull Request Opened Status: Success Updated: Dec 2, 2025 6:46pm
Step 2
🟢	gpt-5 Status: Success Updated: Dec 2, 2025 6:47pm
Step 3
🟢	Create Pull Request Comment Status: Success Updated: Dec 2, 2025 6:47pm

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[giselles-ai]

Check changeset necessity

Status: NOT REQUIRED

Reason:

• The only affected package is frontend/internal-packages/mcp-server, which is not one of the target packages that require changesets (@liam-hq/cli, @liam-hq/erd-core, @liam-hq/schema, @liam-hq/ui).
• The change is a dependency bump of @modelcontextprotocol/sdk from 1.20.2 to 1.24.0 in an internal package; no changes to the target, published packages.
• No user-facing API, feature, UI, or behavior changes in the target packages.
• No changeset file exists in this PR, and none is necessary per the guide.

Changeset (copy & paste):

N/A – this PR does not require a changeset.