ci: fix failing "Node.js SDK (18)" integration tests#241
Merged
Conversation
… data leak CVE Upgrades @modelcontextprotocol/sdk from ^1.25.2 to ^1.26.0 (resolved 1.27.1) to address a cross-client data leak vulnerability caused by transport and server/protocol instance reuse in stateless deployments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the workspace’s Model Context Protocol (MCP) SDK dependency to a newer minor release in order to pick up fixes for a reported cross-client data leak vulnerability related to transport/server/protocol instance reuse.
Changes:
- Bump
@modelcontextprotocol/sdkin the workspace catalog from^1.25.2to^1.26.0. - Refresh
pnpm-lock.yamlto resolve the SDK to1.27.1and update related transitive dependencies.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Updates the workspace catalog version range for @modelcontextprotocol/sdk. |
| pnpm-lock.yaml | Updates the resolved MCP SDK version (to 1.27.1) and adjusts transitive dependency graph accordingly. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
gwharris7
previously approved these changes
Apr 27, 2026
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
gwharris7
previously approved these changes
Apr 27, 2026
gwharris7
previously approved these changes
Apr 27, 2026
sellakumaran
previously approved these changes
Apr 28, 2026
Copilot
AI
changed the title
Fix: upgrade @modelcontextprotocol/sdk to ^1.26.0
ci: fix failing "Node.js SDK (18)" integration tests
Jun 3, 2026
sellakumaran
approved these changes
Jun 4, 2026
abbinayaa
approved these changes
Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes two root causes of the failing "Node.js SDK (18)" CI job (check run 79356814555).
Root Causes & Changes
1.
ReferenceError: crypto is not defined— 5 LangChain test failuresIn Node.js 18, the Web Crypto API is exposed as
globalThis.cryptobut is not automatically aliased to a barecryptoglobal in CommonJS module context.@langchain/corereferencescryptodirectly inuuid/rng.ts, throwing aReferenceErrorat runtime on Node.js 18.Fix:
tests/observability/integration/jest.polyfills.js— a lightweight setup file that polyfillsglobalThis.cryptousing Node's built-inrequire('crypto').webcrypto. Atypeofguard makes it a no-op on Node.js 19+ wherecryptois already a first-class global.setupFilesentry injest.integration.config.cjsso it runs before any test modules are loaded.2. Test timeout — 1 OpenAI test failure (
validate error.type on failing tool)The test creates an agent with a tool that always throws. When the tool fails, the agent can loop through additional LLM turns, exhausting the 60 s
testTimeout.Fix:
{ maxTurns: 3 }to therun()call to cap agent turns and prevent runaway loops (supported bySharedRunOptionsin@openai/agents@0.7.x).testTimeoutfrom60000→120000ms in bothjest.integration.config.cjsandsetup.tsto give Azure OpenAI API calls adequate headroom.