Update all non-major dependencies

[cnap-tech-renovate]

This PR contains the following updates:

Package	Type	Update	Change
@modelcontextprotocol/sdk (source)	devDependencies	minor	1.26.0 → 1.27.1
hono (source)	devDependencies	patch	4.12.2 → 4.12.4
oxlint (source)	devDependencies	minor	1.50.0 → 1.51.0

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.27.1

Compare Source

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in #​1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in #​1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in #​1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in #​1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in #​1580
• chore: bump version to 1.27.1 by @​felixweinberger in #​1581

New Contributors

• @​qing-ant made their first contribution in #​1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

Compare Source

What's Changed

• feat: add conformance test infrastructure for v1.x by @​felixweinberger in #​1518
• feat: backport discoverOAuthServerInfo() and discovery caching to v1.x by @​felixweinberger in #​1533
• feat: add url property to RequestInfo interface by @​valentinbeggi in #​1353
• [v1.x] feat(tasks): add streaming methods for elicitation and sampling by @​LucaButBoring in #​1528
• chore: bump version for v1.27.0 by @​felixweinberger in #​1541

New Contributors

• @​valentinbeggi made their first contribution in #​1353

Full Changelog: modelcontextprotocol/typescript-sdk@v1.26.0...v1.27.0

honojs/hono (hono)

v4.12.4

Compare Source

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in #​4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in #​4779

New Contributors

• @​agumy made their first contribution in #​4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

Compare Source

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in #​4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in #​4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in #​4764
• fix(types): remove DOM type dependencies from ClientResponse and request method by @​YevheniiKotyrlo in #​4768
• fix(types): correct middleware types by @​hmnd in #​4774
• fix(jwt): prevent memory leak by avoiding mutation of options object by @​EdamAme-x in #​4759

New Contributors

• @​YevheniiKotyrlo made their first contribution in #​4768
• @​hmnd made their first contribution in #​4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

oxc-project/oxc (oxlint)

v1.51.0

Compare Source

🚀 Features

• f34f6fa linter: Introduce typeCheck config option (#​19764) (camc314)
• 694be7d linter: Introduce typeAware as config options (#​19614) (camc314)

🐛 Bug Fixes

• 04e6223 npm: Add preferUnplugged for Yarn PnP compatibility (#​19829) (Boshen)

📚 Documentation

• 2fa936f README.md: Map npm package links to npmx.dev (#​19666) (Boshen)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cnap-tech-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.