Skip to content

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates#2625

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-2c2ab1488e
Closed

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates#2625
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-2c2ab1488e

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 29, 2025
edited
Loading

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /apps/sim directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Commits
  • 2000fd6 chore: release v1.4.5
  • fcab5a8 fix: add helper types to exports (#6479)
  • c666670 chore: release v1.4.5-beta.1
  • fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
  • 189dedd chore: release v1.4.4-beta.3
  • 6269a33 chore: release v1.4.4-beta.2
  • 52c15d4 chore: fix validation errors in unit tests (#6466)
  • a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
  • 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
  • fbe51c8 chore: add spell checker (#6319)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits
  • 356b7e6 chore: bump version for release (#1215)
  • 09623e2 Merge commit from fork
  • cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
  • 8204126 fix: allow zod 4 transformations (#1213)
  • 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
  • a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
  • 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
  • 5ceabfb fix: normalize headers in sse transport (#856)
  • f67fc2f fix: improve SSE reconnection behavior (#1191)
  • fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.


Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

   🐞 Bug Fixes

... (truncated)

Commits
  • 2000fd6 chore: release v1.4.5
  • fcab5a8 fix: add helper types to exports (#6479)
  • c666670 chore: release v1.4.5-beta.1
  • fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
  • 189dedd chore: release v1.4.4-beta.3
  • 6269a33 chore: release v1.4.4-beta.2
  • 52c15d4 chore: fix validation errors in unit tests (#6466)
  • a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
  • 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
  • fbe51c8 chore: add spell checker (#6319)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

@dependabot
build(deps): bump the npm_and_yarn group across 3 directories with 4 …
01406b9 
…updates

Bumps the npm_and_yarn group with 3 updates in the / directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 3 updates in the /apps/sim directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 1 update in the /scripts directory: [glob](https://github.com/isaacs/node-glob).


Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0)

Updates `better-auth` from 1.3.12 to 1.4.5
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0)

Updates `better-auth` from 1.3.12 to 1.4.5
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0)

Updates `better-auth` from 1.3.12 to 1.4.5
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0
- [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases)
- [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0)

Updates `better-auth` from 1.3.12 to 1.4.5
- [Release notes](https://github.com/better-auth/better-auth/releases)
- [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `glob` from 11.0.2 to 11.1.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v11.0.2...v11.1.0)

---
updated-dependencies:
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@modelcontextprotocol/sdk"
  dependency-version: 1.24.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: better-auth
  dependency-version: 1.4.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 11.1.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 29, 2025
@dependabot dependabot bot mentioned this pull request Dec 29, 2025
Closed
@vercel
Copy link

vercel bot commented Dec 29, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
docs Error Error Dec 29, 2025 10:20am

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 29, 2025

Greptile Summary

This PR updates four npm dependencies across the monorepo, automatically generated by Dependabot:

Security Updates:

  • js-yaml 4.1.0 → 4.1.1 - Fixes a prototype pollution vulnerability in the YAML merge operator (<<). This is a critical security patch that should be merged.

Feature Updates:

  • @modelcontextprotocol/sdk 1.20.2 → 1.24.0 - Updates to MCP spec 2025-11-25 with new Tasks API, improved SSE reconnection behavior, OAuth enhancements (client credentials flow, HTTP issuer URLs in dev mode), Zod 4 compatibility fixes, and bug fixes for JSON parsing and header normalization
  • better-auth 1.3.12 → 1.4.5 - Includes bug fixes for cookie chunking when exceeding limits, multi-session endpoint handling with invalid signatures, additional fields default values during session creation, user-agent handling, and adds SCIM custom media type support
  • glob 11.0.3 → 11.1.0 (scripts directory only) - Minor version bump with no breaking changes

All updates appear to be non-breaking and include improvements and bug fixes. The js-yaml security fix makes this PR important to merge promptly.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it contains automated dependency updates with important security fixes
  • Score of 5 reflects: (1) automated Dependabot PR with clear dependency updates, (2) includes critical security fix for js-yaml prototype pollution, (3) all updates are minor/patch versions with no breaking changes documented, (4) updates include bug fixes and improvements to existing functionality, (5) no custom code changes that could introduce bugs
  • No files require special attention - all changes are straightforward dependency version bumps in package.json files

Important Files Changed

Filename Overview
apps/sim/package.json Updates MCP SDK (1.20.2→1.24.0), better-auth (1.3.12→1.4.5), and js-yaml (4.1.0→4.1.1 security fix)
scripts/package.json Updates glob from 11.0.3 to 11.1.0 - minor version bump with no breaking changes
scripts/package-lock.json Lock file updated to reflect glob and transitive dependency updates, adds yaml 2.8.1

Sequence Diagram

sequenceDiagram
    participant Dependabot
    participant npm_registry as NPM Registry
    participant root as Root package.json
    participant sim as apps/sim/package.json
    participant scripts as scripts/package.json
    participant lock as scripts/package-lock.json
    
    Dependabot->>npm_registry: Check for updates in npm_and_yarn group
    npm_registry-->>Dependabot: Return available updates
    
    Note over Dependabot: Found 4 updates:<br/>@modelcontextprotocol/sdk 1.24.0<br/>better-auth 1.4.5<br/>js-yaml 4.1.1<br/>glob 11.1.0
    
    Dependabot->>sim: Update @modelcontextprotocol/sdk: 1.20.2 → 1.24.0
    Note right of sim: Adds MCP spec 2025-11-25<br/>Tasks API, SSE improvements
    
    Dependabot->>sim: Update better-auth: 1.3.12 → 1.4.5
    Note right of sim: Cookie chunking fixes<br/>Multi-session improvements
    
    Dependabot->>sim: Update js-yaml: 4.1.0 → 4.1.1
    Note right of sim: SECURITY FIX:<br/>Prototype pollution patch
    
    Dependabot->>scripts: Update glob: 11.0.3 → 11.1.0
    Note right of scripts: Minor version bump
    
    Dependabot->>lock: Regenerate package-lock.json
    Note right of lock: Update transitive dependencies<br/>Add yaml 2.8.1
    
    Dependabot->>Dependabot: Create PR #2625
    Note over Dependabot: All updates non-breaking<br/>Ready for review
Loading

chad091973-sys
chad091973-sys reviewed Jan 24, 2026
View reviewed changes
scripts/package-lock.json
@@ -854,17 +819,15 @@
"version": "1.3.6",
"resolved": "https://registry.npmjs.org/make-error/-/make-error-1.3.6.tgz",
"integrity": "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw==",
Copy link

@chad091973-sys chad091973-sys Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jan 24, 2026

Superseded by #2982.

@dependabot dependabot bot closed this Jan 24, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-2c2ab1488e branch January 24, 2026 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chad091973-sys chad091973-sys chad091973-sys left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chad091973-sys