Skip to content

chore(deps): bump the production-dependencies group across 1 directory with 5 updates #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump the production-dependencies group across 1 directory with 5 updates #112

dependabot wants to merge 1 commit into from
+149 −102

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 22, 2026

Bumps the production-dependencies group with 5 updates in the / directory:

Package From To
@modelcontextprotocol/sdk 1.25.2 1.25.3
jwks-rsa 3.2.0 3.2.1
@modelcontextprotocol/ext-apps 0.4.0 0.4.1
@typescript-eslint/types 8.53.0 8.53.1
@typescript-eslint/typescript-estree 8.53.0 8.53.1

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.25.3

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.25.3

What's Changed

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits
  • ced7535 1.25.3
  • 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
  • 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
  • See full diff in compare view

Updates jwks-rsa from 3.2.0 to 3.2.1

Release notes

Sourced from jwks-rsa's releases.

v3.2.1

Added

Fixed

  • fix: Migrate to WHATWG URL API from node's core url #465 (cschetan77)
  • fix: Moving @​types/express to dev and re generating package lock #464 (cschetan77)
Changelog

Sourced from jwks-rsa's changelog.

v3.2.1 (2026-01-15)

Full Changelog

Added

Fixed

  • fix: Migrate to WHATWG URL API from node's core url #465 (cschetan77)
  • fix: Moving @​types/express to dev and re generating package lock #464 (cschetan77)
Commits
  • 6b48ed5 chore: Reverting build option set in release.yml (#475)
  • bba2694 Reverting build option set in release.yml
  • e138f9e Release v3.2.1 (#473)
  • afc4d7c Merge branch 'master' into release/v3.2.1
  • fadca56 chore: Enable trusted publishing of package using OIDC (#474)
  • b019195 add line breaks at the end of release workflow files
  • 8652f78 updating release github actions to support publishing package with OIDC
  • 4f1f426 Release v3.2.1
  • 539521a fix: Migrate to WHATWG URL API from node's core url (#465)
  • 0ac2eb8 fix lint
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jwks-rsa since your current version.


Updates @modelcontextprotocol/ext-apps from 0.4.0 to 0.4.1

Release notes

Sourced from @​modelcontextprotocol/ext-apps's releases.

0.4.1

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/ext-apps@v0.4.0...v0.4.1

Commits
  • 8c3b1da chore: bump version to 0.4.1 (#282)
  • be8d725 Merge pull request #272 from modelcontextprotocol/uv-qr-server
  • 0936d52 feat(shadertoy): show fullscreen button only on widget hover, add min-height ...
  • b78cd74 feat(shadertoy): add fullscreen support + ditch insets for max visual effect ...
  • 89a6845 fix(examples): resolve DIST_DIR path for npm package execution (#277)
  • 847427a pdf-server: fix scrolling gap in inline mode (#280)
  • b94982c fix[examples/transcript]: fix transitional deltas (#275)
  • 489d28b fix: increase webServer timeout for uv dependency download
  • c73d363 fix: change unknown source message log from error to debug level (#239)
  • dbc7a41 Merge pull request #274 from matteo8p/use-tool-type-from-official-sdk
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ochafik, a new releaser for @​modelcontextprotocol/ext-apps since your current version.


Updates @typescript-eslint/types from 8.53.0 to 8.53.1

Release notes

Sourced from @​typescript-eslint/types's releases.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

  • eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
  • utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/types's changelog.

8.53.1 (2026-01-19)

This was a version bump only for types to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

Updates @typescript-eslint/typescript-estree from 8.53.0 to 8.53.1

Release notes

Sourced from @​typescript-eslint/typescript-estree's releases.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

  • eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
  • utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/typescript-estree's changelog.

8.53.1 (2026-01-19)

This was a version bump only for typescript-estree to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jan 22, 2026

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 22, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@dependabot @gabrypavanello
chore(deps): bump the production-dependencies group across 1 director…
32a3dc0 
…y with 5 updates

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.25.2` | `1.25.3` |
| [jwks-rsa](https://github.com/auth0/node-jwks-rsa) | `3.2.0` | `3.2.1` |
| [@modelcontextprotocol/ext-apps](https://github.com/modelcontextprotocol/ext-apps) | `0.4.0` | `0.4.1` |
| [@typescript-eslint/types](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/types) | `8.53.0` | `8.53.1` |
| [@typescript-eslint/typescript-estree](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-estree) | `8.53.0` | `8.53.1` |



Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.25.3
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3)

Updates `jwks-rsa` from 3.2.0 to 3.2.1
- [Release notes](https://github.com/auth0/node-jwks-rsa/releases)
- [Changelog](https://github.com/auth0/node-jwks-rsa/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jwks-rsa@v3.2.0...v3.2.1)

Updates `@modelcontextprotocol/ext-apps` from 0.4.0 to 0.4.1
- [Release notes](https://github.com/modelcontextprotocol/ext-apps/releases)
- [Changelog](https://github.com/modelcontextprotocol/ext-apps/blob/main/RELEASES.md)
- [Commits](modelcontextprotocol/ext-apps@v0.4.0...v0.4.1)

Updates `@typescript-eslint/types` from 8.53.0 to 8.53.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/types/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.53.1/packages/types)

Updates `@typescript-eslint/typescript-estree` from 8.53.0 to 8.53.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-estree/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.53.1/packages/typescript-estree)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.25.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: jwks-rsa
  dependency-version: 3.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@modelcontextprotocol/ext-apps"
  dependency-version: 0.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@typescript-eslint/types"
  dependency-version: 8.53.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@typescript-eslint/typescript-estree"
  dependency-version: 8.53.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@gabrypavanello gabrypavanello force-pushed the dependabot/npm_and_yarn/production-dependencies-df6d214cd1 branch from a33cd9f to 32a3dc0 Compare January 22, 2026 13:13
@claude
Copy link
Contributor

claude bot commented Jan 22, 2026

Pull Request Review - Dependency Updates

Overview

This is a Dependabot PR that updates 5 production dependencies with patch version bumps only. All changes are minor version increments that should be backwards-compatible.

Updated Dependencies

1. @modelcontextprotocol/sdk (1.25.2 → 1.25.3)

Packages affected: core, testing

Changes:

  • Fix: Use correct schema for client sampling validation when tools are present
  • Fix: Prevent Hono from overriding global Response object

Assessment:SAFE - Bug fixes with no breaking changes. The Hono Response fix is particularly important for avoiding potential runtime conflicts.

2. jwks-rsa (3.2.0 → 3.2.1)

Packages affected: core

Changes:

  • Fix: Migrate to WHATWG URL API from Node's core url module
  • Fix: Move @types/express to devDependencies (was incorrectly in dependencies)

Assessment:SAFE - The URL API migration is a modernization improvement. Moving @types/express to dev deps is correct and reduces production bundle size.

3. @modelcontextprotocol/ext-apps (0.4.0 → 0.4.1)

Packages affected: ui

Changes:

  • Multiple bug fixes including iframe rendering, fullscreen support, and PDF viewer improvements
  • Enhanced basic-host with URL params and unified layout
  • Improved example consistency for AI learning
  • License update to Apache 2.0 for new contributions

Assessment:SAFE - Patch release with bug fixes and feature enhancements. No breaking changes indicated.

4. @typescript-eslint/types (8.53.0 → 8.53.1)

Packages affected: ui-react-builder

Changes:

  • Version bump only for alignment with other typescript-eslint packages
  • No actual code changes in this package

Assessment:SAFE - No functional changes.

5. @typescript-eslint/typescript-estree (8.53.0 → 8.53.1)

Packages affected: ui-react-builder

Changes:

  • Version bump only for alignment with other typescript-eslint packages
  • No actual code changes in this package

Assessment:SAFE - No functional changes.

Security Analysis

✅ No security vulnerabilities addressed or introduced
✅ All updates come from trusted sources (MCP project, Auth0, TypeScript-ESLint team)
✅ Dependency chain properly resolved in pnpm-lock.yaml

Compatibility Analysis

✅ All changes are patch versions (semver PATCH level)
✅ No breaking changes expected based on release notes
✅ TypeScript compatibility maintained (all packages support >=4.8.4 <6.0.0)
✅ Node.js version requirements unchanged (>=18.0.0)

Code Quality

✅ Only lockfile and package.json updates - no code changes
✅ Follows repository's dependency management practices
✅ Properly grouped by Dependabot into production dependencies

Test Coverage

⚠️ RECOMMENDATION: Ensure CI passes before merging. The repository policy requires:

  • pnpm build && pnpm test && pnpm lint && pnpm typecheck

Performance Considerations

✅ No performance impact expected
✅ Slight bundle size reduction from jwks-rsa moving dev deps out of production

Final Recommendation

✅ APPROVED - This PR is safe to merge once CI passes.

Why this is safe:

  1. All updates are patch versions with backwards-compatible bug fixes
  2. Changes address legitimate bugs (Hono Response conflict, URL API modernization)
  3. No API-breaking changes in any of the dependencies
  4. Follows the repository's strict type-safety and compatibility requirements
  5. Dependencies align with the stack requirements in AGENTS.md (Zod v4, Express v5, Node >=18)

Action Items:

  • ✅ Wait for CI to complete successfully
  • ✅ Merge using the repository's standard process
  • ✅ No code review needed - standard Dependabot workflow

Review conducted following repository guidelines in /AGENTS.md. All dependencies verified against project requirements for TypeScript strict mode, Zod 4, Express 5, and Node >=18.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants