fix(deps): update dependency @modelcontextprotocol/sdk to v1.25.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@modelcontextprotocol/sdk (source)	1.24.0 → 1.25.2

GitHub Vulnerability Alerts

CVE-2026-0621

Impact

A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g., {/id*}, {?tags*}), causing catastrophic backtracking on malicious input.

Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.

Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.

Affected Versions

All versions of @modelcontextprotocol/sdk prior to the patched release.

Patches

v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.

Workarounds

• Avoid using exploded patterns ({/id*}, {?tags*}) in resource templates
• Implement request timeouts and rate limiting
• Validate URIs before processing to reject suspicious patterns

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.25.2

Compare Source

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in #​1319
• fix: README badges links destinations by @​antonpk1 in #​907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in #​1365

New Contributors

• @​antonpk1 made their first contribution in #​907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

v1.25.1

Compare Source

What's Changed

• spec types - backwards compatibility changes by @​KKonstantinov in #​1306
• chore: bump version for patch fix by @​felixweinberger in #​1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

v1.25.0

Compare Source

What's Changed

• list changed handlers on client constructor by @​mattzcarey in #​1206
• Role - moved from inline to reusable type by @​KKonstantinov in #​1221
• fix: use versioned npm tag for non-main branch releases by @​pcarleton in #​1236
• No automatic completion support unless needed - Revisited yet again by @​cliffhall in #​1237
• fix: Support updating output schema by @​vincent0426 in #​1048
• Remove type dependency on @​cfworker/json-schema by @​LucaButBoring in #​1229
• Relocate tests under /test by @​KKonstantinov in #​1220
• Fix tsconfig: remove tests by @​KKonstantinov in #​1240
• tsconfig - tests and build fix by @​KKonstantinov in #​1243
• fix a typo in examples README by @​DaleSeo in #​1246
• Protocol date validation by @​mattzcarey in #​1247
• Flaky test fix on Types.test.ts by @​KKonstantinov in #​1244
• SPEC COMPLIANCE: Remove loose/passthrough types not allowed/defined by MCP spec + Task types by @​KKonstantinov in #​1242
• Follow-up fixes for PR #​1242 by @​felixweinberger in #​1274
• Update server examples and docs by @​DaleSeo in #​1285
• Update TypeScript config to ES2020 to fix AJV imports by @​mattzcarey in #​1297
• Fix Zod v4 schema description extraction by @​felixweinberger in #​1296
• Add optional description field to Implementation schema by @​calclavia in #​1295
• Add theme property to Icon schema by @​DaleSeo in #​1290
• feat: fetch transport by @​mattzcarey in #​1209
• chore: bump version for release by @​felixweinberger in #​1301

New Contributors

• @​vincent0426 made their first contribution in #​1048

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.3...1.25.0

v1.24.3

Compare Source

What's Changed

• chore: fix dev dependency security vulnerabilities by @​felixweinberger in #​1227
• chore(deps): bump express from 5.0.1 to 5.2.1 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​1228
• fix: release HTTP connections after POST responses by @​mattzcarey in #​1214
• fix: skip priming events and closeSSEStream for old protocol versions by @​felixweinberger in #​1233
• chore: bump version for patch release by @​felixweinberger in #​1235

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.2...1.24.3

v1.24.2

Compare Source

What's Changed

• feat: add optional resource annotations by @​vhorvath2010 in #​954
• chore: refresh CLAUDE.md by @​LucaButBoring in #​1217
• refactor: make Server class framework-agnostic by moving express to separate module by @​cytle in #​1223
• chore: bump version to 1.24.2 by @​pcarleton in #​1224

New Contributors

• @​vhorvath2010 made their first contribution in #​954
• @​cytle made their first contribution in #​1223

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.1...1.24.2

v1.24.1

Compare Source

What's Changed

• fix(streamableHttp): fix infinite retries when maxRetries is set to 0 by @​mrorigo in #​1216
• chore: update protocol version to 2025-11-25 by @​dsp-ant in #​1218
• chore: bump version for release by @​felixweinberger in #​1219

New Contributors

• @​mrorigo made their first contribution in #​1216

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.0...1.24.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 21 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 61, reused 0, downloaded 0, added 0
frontend/apps/app                        |  WARN  deprecated [email protected]
Progress: resolved 80, reused 0, downloaded 0, added 0
Progress: resolved 92, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/liam-hq/liam/frontend/internal-packages/mcp-server:
 ERR_PNPM_NO_MATCHING_VERSION  No matching version found for @modelcontextprotocol/[email protected] published by Tue Jan 06 2026 19:11:42 GMT+0000 (Coordinated Universal Time) while fetching it from https://registry.npmjs.org/. Version 1.25.2 satisfies the specs but was released at Wed Jan 07 2026 15:34:12 GMT+0000 (Coordinated Universal Time)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/liam-hq/liam/frontend/internal-packages/mcp-server

The latest release of @modelcontextprotocol/sdk is "1.25.2". Published at 1/7/2026

If you need the full list of all 72 published versions run "$ pnpm view @modelcontextprotocol/sdk versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude
Progress: resolved 102, reused 0, downloaded 0, added 0

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
liam-app	Error		Jan 8, 2026 7:49am
liam-assets	Error	Comment	Jan 8, 2026 7:49am
liam-storybook	Error		Jan 8, 2026 7:49am

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
liam-docs	Ignored	Preview	Jan 8, 2026 7:49am
liam-erd-sample	Skipped		Jan 8, 2026 7:49am

[giselles-ai]

Finished running flow.

Step 1
🟢	On Pull Request Opened Status: Success Updated: Jan 8, 2026 7:49am
Step 2
🟢	gpt-5 Status: Success Updated: Jan 8, 2026 7:49am
Step 3
🟢	Create Pull Request Comment Status: Success Updated: Jan 8, 2026 7:49am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[giselles-ai]

Check changeset necessity

Status:

• NOT REQUIRED

Reason:

• The only change is a dependency bump of @modelcontextprotocol/sdk (1.24.0 → 1.25.2) in frontend/internal-packages/mcp-server.
• mcp-server is not one of the target release packages that require changesets: @liam-hq/cli, @liam-hq/erd-core, @liam-hq/schema, @liam-hq/ui.
• No user-facing code or dependencies in the target packages were modified; no API, feature, or behavioral changes to published packages.
• Although it’s a security fix, its impact is limited to the internal mcp-server and does not affect released packages’ public surface.

Changeset (copy & paste):

<!-- No changeset required for this PR -->