build(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2625

dependabot · 2025-12-29T10:19:27Z

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /apps/sim directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

fix: update spec links from latest to draft by @domdomegg in modelcontextprotocol/typescript-sdk#1171

Make sure to consume HTTP error response bodies by @GreenStage in modelcontextprotocol/typescript-sdk#1173

docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in modelcontextprotocol/typescript-sdk#1161

SEP-1686: Tasks by @LucaButBoring in modelcontextprotocol/typescript-sdk#1041

Fix JSON parse error on SSE events with empty data by @felixweinberger in modelcontextprotocol/typescript-sdk#1184

Fix StreamableHTTPClientTransport instantiation by @yuwzho in modelcontextprotocol/typescript-sdk#944

feat: eslint rule to prefer node protocols by @mattzcarey in modelcontextprotocol/typescript-sdk#1187

fix: call tasks/result to deliver side-channel messages by @felixweinberger in modelcontextprotocol/typescript-sdk#1185

Add invalid_target oauth error (rfc 8707) by @GreenStage in modelcontextprotocol/typescript-sdk#1183

fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in modelcontextprotocol/typescript-sdk#1178

coerce 'expires_in' to be a number by @adam-kuhn in modelcontextprotocol/typescript-sdk#1111

Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in modelcontextprotocol/typescript-sdk#1189

fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in modelcontextprotocol/typescript-sdk#1188

SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in modelcontextprotocol/typescript-sdk#1157

adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in modelcontextprotocol/typescript-sdk#1078

Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in modelcontextprotocol/typescript-sdk#1199

fix hanging stdio servers by @mattzcarey in modelcontextprotocol/typescript-sdk#1200

README refactor by @KKonstantinov in modelcontextprotocol/typescript-sdk#1197

[Docs] Fix typo by @koic in modelcontextprotocol/typescript-sdk#1067

feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in modelcontextprotocol/typescript-sdk#1166

fix: improve SSE reconnection behavior by @felixweinberger in modelcontextprotocol/typescript-sdk#1191

fix: normalize headers in sse transport by @marcrasi in modelcontextprotocol/typescript-sdk#856

feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in modelcontextprotocol/typescript-sdk#1203

fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in modelcontextprotocol/typescript-sdk#1204

Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in modelcontextprotocol/typescript-sdk#1205

fix: allow zod 4 transformations by @mattzcarey in modelcontextprotocol/typescript-sdk#1213

feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/typescript-sdk#1212

chore: bump version for release by @felixweinberger in modelcontextprotocol/typescript-sdk#1215

New Contributors

@GreenStage made their first contribution in modelcontextprotocol/typescript-sdk#1173

@saharis9988 made their first contribution in modelcontextprotocol/typescript-sdk#1161

@yuwzho made their first contribution in modelcontextprotocol/typescript-sdk#944

@yamadashy made their first contribution in modelcontextprotocol/typescript-sdk#1178

@adam-kuhn made their first contribution in modelcontextprotocol/typescript-sdk#1111

@mgyarmathy made their first contribution in modelcontextprotocol/typescript-sdk#1078

@filip-bartuska-ipf made their first contribution in modelcontextprotocol/typescript-sdk#1199

@koic made their first contribution in modelcontextprotocol/typescript-sdk#1067

@marcrasi made their first contribution in modelcontextprotocol/typescript-sdk#856

@jacopoc made their first contribution in modelcontextprotocol/typescript-sdk#1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits

356b7e6 chore: bump version for release (#1215)
09623e2 Merge commit from fork
cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
8204126 fix: allow zod 4 transformations (#1213)
6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
5ceabfb fix: normalize headers in sse transport (#856)
f67fc2f fix: improve SSE reconnection behavior (#1191)
fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

Add helper types to exports - by @himself65 in better-auth/better-auth#6479 (9b556)

    View changes on GitHub

v1.4.4

   🚀 Features

cli: Better-auth-command - by @Ridhim-RR in better-auth/better-auth#6362 (5e06f)

scim: Add support to parse custom scim+json media type - by @jonathansamines in better-auth/better-auth#6365 (6e9ec)

   🐞 Bug Fixes

Customizing fields should be optional for rate limit options - by @ceolinwill in better-auth/better-auth#6398 (115c9)

Chunk account data cookie when exceeding limit - by @jslno in better-auth/better-auth#6393 (c9eca)

Remove applying user-agent by default - by @Bekacru in better-auth/better-auth#6417 (34d7d)

Additional fields default values should apply when creating session - by @Bekacru in better-auth/better-auth#5763 (d5713)

Return null early if userid isn't defined - by @Bekacru in better-auth/better-auth#6418 (e4508)

logger: Log level priority - by @danielfinke in better-auth/better-auth#6411 (4c25b)

mcp: Return origin url as authorization server - by @jslno in better-auth/better-auth#6397 (594bb)

multi-session: Endpoints breaks with invalid signatures - by @ping-maxwell in better-auth/better-auth#6342 (9433e)

oidc-provider: Resolve getSignedCookie return type - by @bytaesu in better-auth/better-auth#6346 (425dd)

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

Lint dependencies - by @jonathansamines in better-auth/better-auth#6309 (efaef)

cli: Better-auth-command - by @Ridhim-RR in better-auth/better-auth#6362 (1abd7)

one-tap: Add fedcm support - by @jslno in better-auth/better-auth#6380 (fd23c)

scim: Add support to parse custom scim+json media type - by @jonathansamines in better-auth/better-auth#6365 (a91a8)

   🐞 Bug Fixes

Customizing fields should be optional for rate limit options - by @ceolinwill in better-auth/better-auth#6398 (9abd8)

Chunk account data cookie when exceeding limit - by @jslno in better-auth/better-auth#6393 (57d36)

Remove applying user-agent by default - by @Bekacru in better-auth/better-auth#6417 (0617b)

Improve error handling for unsupported additionalFields on generate - by @Kinfe123 in better-auth/better-auth#3977 (39eb6)

Return null early if userid isn't defined - by @Bekacru in better-auth/better-auth#6418 (022ce)

Additional fields default values should apply when creating session - by @Bekacru in better-auth/better-auth#5763 (76998)

Preserve user ID in cookie cache during stateless sessions - by @GautamBytes in better-auth/better-auth#6452 (a25fb)

expo:

Dismiss auth session on android to prevent invalid state error - by @GautamBytes in better-auth/better-auth#6388 (3a133)

logger:

Log level priority - by @danielfinke in better-auth/better-auth#6411 (fa01c)

mcp:

Return origin url as authorization server - by @jslno in better-auth/better-auth#6397 (86c8d)

... (truncated)

Commits

2000fd6 chore: release v1.4.5
fcab5a8 fix: add helper types to exports (#6479)
c666670 chore: release v1.4.5-beta.1
fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
189dedd chore: release v1.4.4-beta.3
6269a33 chore: release v1.4.4-beta.2
52c15d4 chore: fix validation errors in unit tests (#6466)
a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
5cbe0a5 chore: enforce imports to use node: protocol (#6461)
fbe51c8 chore: add spell checker (#6319)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

fix: update spec links from latest to draft by @domdomegg in modelcontextprotocol/typescript-sdk#1171

Make sure to consume HTTP error response bodies by @GreenStage in modelcontextprotocol/typescript-sdk#1173

docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in modelcontextprotocol/typescript-sdk#1161

SEP-1686: Tasks by @LucaButBoring in modelcontextprotocol/typescript-sdk#1041

Fix JSON parse error on SSE events with empty data by @felixweinberger in modelcontextprotocol/typescript-sdk#1184

Fix StreamableHTTPClientTransport instantiation by @yuwzho in modelcontextprotocol/typescript-sdk#944

feat: eslint rule to prefer node protocols by @mattzcarey in modelcontextprotocol/typescript-sdk#1187

fix: call tasks/result to deliver side-channel messages by @felixweinberger in modelcontextprotocol/typescript-sdk#1185

Add invalid_target oauth error (rfc 8707) by @GreenStage in modelcontextprotocol/typescript-sdk#1183

fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in modelcontextprotocol/typescript-sdk#1178

coerce 'expires_in' to be a number by @adam-kuhn in modelcontextprotocol/typescript-sdk#1111

Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in modelcontextprotocol/typescript-sdk#1189

fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in modelcontextprotocol/typescript-sdk#1188

SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in modelcontextprotocol/typescript-sdk#1157

adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in modelcontextprotocol/typescript-sdk#1078

Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in modelcontextprotocol/typescript-sdk#1199

fix hanging stdio servers by @mattzcarey in modelcontextprotocol/typescript-sdk#1200

README refactor by @KKonstantinov in modelcontextprotocol/typescript-sdk#1197

[Docs] Fix typo by @koic in modelcontextprotocol/typescript-sdk#1067

feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in modelcontextprotocol/typescript-sdk#1166

fix: improve SSE reconnection behavior by @felixweinberger in modelcontextprotocol/typescript-sdk#1191

fix: normalize headers in sse transport by @marcrasi in modelcontextprotocol/typescript-sdk#856

feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in modelcontextprotocol/typescript-sdk#1203

fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in modelcontextprotocol/typescript-sdk#1204

Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in modelcontextprotocol/typescript-sdk#1205

fix: allow zod 4 transformations by @mattzcarey in modelcontextprotocol/typescript-sdk#1213

feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/typescript-sdk#1212

chore: bump version for release by @felixweinberger in modelcontextprotocol/typescript-sdk#1215

New Contributors

@GreenStage made their first contribution in modelcontextprotocol/typescript-sdk#1173

@saharis9988 made their first contribution in modelcontextprotocol/typescript-sdk#1161

@yuwzho made their first contribution in modelcontextprotocol/typescript-sdk#944

@yamadashy made their first contribution in modelcontextprotocol/typescript-sdk#1178

@adam-kuhn made their first contribution in modelcontextprotocol/typescript-sdk#1111

@mgyarmathy made their first contribution in modelcontextprotocol/typescript-sdk#1078

@filip-bartuska-ipf made their first contribution in modelcontextprotocol/typescript-sdk#1199

@koic made their first contribution in modelcontextprotocol/typescript-sdk#1067

@marcrasi made their first contribution in modelcontextprotocol/typescript-sdk#856

@jacopoc made their first contribution in modelcontextprotocol/typescript-sdk#1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits

356b7e6 chore: bump version for release (#1215)
09623e2 Merge commit from fork
cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
8204126 fix: allow zod 4 transformations (#1213)
6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
5ceabfb fix: normalize headers in sse transport (#856)
f67fc2f fix: improve SSE reconnection behavior (#1191)
fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

Add helper types to exports - by @himself65 in better-auth/better-auth#6479 (9b556)

    View changes on GitHub

v1.4.4

   🚀 Features

cli: Better-auth-command - by @Ridhim-RR in better-auth/better-auth#6362 (5e06f)

scim: Add support to parse custom scim+json media type - by @jonathansamines in better-auth/better-auth#6365 (6e9ec)

   🐞 Bug Fixes

Customizing fields should be optional for rate limit options - by @ceolinwill in better-auth/better-auth#6398 (115c9)

Chunk account data cookie when exceeding limit - by @jslno in better-auth/better-auth#6393 (c9eca)

Remove applying user-agent by default - by @Bekacru in better-auth/better-auth#6417 (34d7d)

Additional fields default values should apply when creating session - by @Bekacru in better-auth/better-auth#5763 (d5713)

Return null early if userid isn't defined - by @Bekacru in better-auth/better-auth#6418 (e4508)

logger: Log level priority - by @danielfinke in better-auth/better-auth#6411 (4c25b)

mcp: Return origin url as authorization server - by @jslno in better-auth/better-auth#6397 (594bb)

multi-session: Endpoints breaks with invalid signatures - by @ping-maxwell in better-auth/better-auth#6342 (9433e)

oidc-provider: Resolve getSignedCookie return type - by @bytaesu in better-auth/better-auth#6346 (425dd)

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

Lint dependencies - by @jonathansamines in better-auth/better-auth#6309 (efaef)

cli: Better-auth-command - by @Ridhim-RR in better-auth/better-auth#6362 (1abd7)

one-tap: Add fedcm support - by @jslno in better-auth/better-auth#6380 (fd23c)

scim: Add support to parse custom scim+json media type - by @jonathansamines in better-auth/better-auth#6365 (a91a8)

   🐞 Bug Fixes

Customizing fields should be optional for rate limit options - by @ceolinwill in better-auth/better-auth#6398 (9abd8)

Chunk account data cookie when exceeding limit - by @jslno in better-auth/better-auth#6393 (57d36)

Remove applying user-agent by default - by @Bekacru in better-auth/better-auth#6417 (0617b)

Improve error handling for unsupported additionalFields on generate - by @Kinfe123 in better-auth/better-auth#3977 (39eb6)

Return null early if userid isn't defined - by @Bekacru in better-auth/better-auth#6418 (022ce)

Additional fields default values should apply when creating session - by @Bekacru in better-auth/better-auth#5763 (76998)

Preserve user ID in cookie cache during stateless sessions - by @GautamBytes in better-auth/better-auth#6452 (a25fb)

expo:

Dismiss auth session on android to prevent invalid state error - by @GautamBytes in better-auth/better-auth#6388 (3a133)

logger:

Log level priority - by @danielfinke in better-auth/better-auth#6411 (fa01c)

mcp:

Return origin url as authorization server - by @jslno in better-auth/better-auth#6397 (86c8d)

... (truncated)

Commits

2000fd6 chore: release v1.4.5
fcab5a8 fix: add helper types to exports (#6479)
c666670 chore: release v1.4.5-beta.1
fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
189dedd chore: release v1.4.4-beta.3
6269a33 chore: release v1.4.4-beta.2
52c15d4 chore: fix validation errors in unit tests (#6466)
a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
5cbe0a5 chore: enforce imports to use node: protocol (#6461)
fbe51c8 chore: add spell checker (#6319)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

fix: update spec links from latest to draft by @domdomegg in modelcontextprotocol/typescript-sdk#1171

Make sure to consume HTTP error response bodies by @GreenStage in modelcontextprotocol/typescript-sdk#1173

docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in modelcontextprotocol/typescript-sdk#1161

SEP-1686: Tasks by @LucaButBoring in modelcontextprotocol/typescript-sdk#1041

Fix JSON parse error on SSE events with empty data by @felixweinberger in modelcontextprotocol/typescript-sdk#1184

Fix StreamableHTTPClientTransport instantiation by @yuwzho in modelcontextprotocol/typescript-sdk#944

feat: eslint rule to prefer node protocols by @mattzcarey in modelcontextprotocol/typescript-sdk#1187

fix: call tasks/result to deliver side-channel messages by @felixweinberger in modelcontextprotocol/typescript-sdk#1185

Add invalid_target oauth error (rfc 8707) by @GreenStage in modelcontextprotocol/typescript-sdk#1183

fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in modelcontextprotocol/typescript-sdk#1178

coerce 'expires_in' to be a number by @adam-kuhn in modelcontextprotocol/typescript-sdk#1111

Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in modelcontextprotocol/typescript-sdk#1189

fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in modelcontextprotocol/typescript-sdk#1188

SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in modelcontextprotocol/typescript-sdk#1157

adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in modelcontextprotocol/typescript-sdk#1078

Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in modelcontextprotocol/typescript-sdk#1199

fix hanging stdio servers by @mattzcarey in modelcontextprotocol/typescript-sdk#1200

README refactor by @KKonstantinov in modelcontextprotocol/typescript-sdk#1197

[Docs] Fix typo by @koic in modelcontextprotocol/typescript-sdk#1067

feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in modelcontextprotocol/typescript-sdk#1166

fix: improve SSE reconnection behavior by @felixweinberger in modelcontextprotocol/typescript-sdk#1191

fix: normalize headers in sse transport by @marcrasi in modelcontextprotocol/typescript-sdk#856

feat: add closeStandaloneSSEStream fo...
Description has been truncated

…updates Bumps the npm_and_yarn group with 3 updates in the / directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 3 updates in the /apps/sim directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [better-auth](https://github.com/better-auth/better-auth/tree/HEAD/packages/better-auth) and [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 1 update in the /scripts directory: [glob](https://github.com/isaacs/node-glob). Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0) Updates `better-auth` from 1.3.12 to 1.4.5 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0) Updates `better-auth` from 1.3.12 to 1.4.5 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0) Updates `better-auth` from 1.3.12 to 1.4.5 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `@modelcontextprotocol/sdk` from 1.20.2 to 1.24.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.20.2...1.24.0) Updates `better-auth` from 1.3.12 to 1.4.5 - [Release notes](https://github.com/better-auth/better-auth/releases) - [Commits](https://github.com/better-auth/better-auth/commits/v1.4.5/packages/better-auth) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `glob` from 11.0.2 to 11.1.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v11.0.2...v11.1.0) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: better-auth dependency-version: 1.4.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 11.1.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2025-12-29T10:19:32Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
docs	Error		Dec 29, 2025 10:20am

greptile-apps · 2025-12-29T10:22:08Z

Greptile Summary

This PR updates four npm dependencies across the monorepo, automatically generated by Dependabot:

Security Updates:

js-yaml 4.1.0 → 4.1.1 - Fixes a prototype pollution vulnerability in the YAML merge operator (<<). This is a critical security patch that should be merged.

Feature Updates:

@modelcontextprotocol/sdk 1.20.2 → 1.24.0 - Updates to MCP spec 2025-11-25 with new Tasks API, improved SSE reconnection behavior, OAuth enhancements (client credentials flow, HTTP issuer URLs in dev mode), Zod 4 compatibility fixes, and bug fixes for JSON parsing and header normalization
better-auth 1.3.12 → 1.4.5 - Includes bug fixes for cookie chunking when exceeding limits, multi-session endpoint handling with invalid signatures, additional fields default values during session creation, user-agent handling, and adds SCIM custom media type support
glob 11.0.3 → 11.1.0 (scripts directory only) - Minor version bump with no breaking changes

All updates appear to be non-breaking and include improvements and bug fixes. The js-yaml security fix makes this PR important to merge promptly.

Confidence Score: 5/5

This PR is safe to merge with minimal risk - it contains automated dependency updates with important security fixes
Score of 5 reflects: (1) automated Dependabot PR with clear dependency updates, (2) includes critical security fix for js-yaml prototype pollution, (3) all updates are minor/patch versions with no breaking changes documented, (4) updates include bug fixes and improvements to existing functionality, (5) no custom code changes that could introduce bugs
No files require special attention - all changes are straightforward dependency version bumps in package.json files

Important Files Changed

Filename	Overview
apps/sim/package.json	Updates MCP SDK (1.20.2→1.24.0), better-auth (1.3.12→1.4.5), and js-yaml (4.1.0→4.1.1 security fix)
scripts/package.json	Updates glob from 11.0.3 to 11.1.0 - minor version bump with no breaking changes
scripts/package-lock.json	Lock file updated to reflect glob and transitive dependency updates, adds yaml 2.8.1

Sequence Diagram

sequenceDiagram
    participant Dependabot
    participant npm_registry as NPM Registry
    participant root as Root package.json
    participant sim as apps/sim/package.json
    participant scripts as scripts/package.json
    participant lock as scripts/package-lock.json
    
    Dependabot->>npm_registry: Check for updates in npm_and_yarn group
    npm_registry-->>Dependabot: Return available updates
    
    Note over Dependabot: Found 4 updates:<br/>@modelcontextprotocol/sdk 1.24.0<br/>better-auth 1.4.5<br/>js-yaml 4.1.1<br/>glob 11.1.0
    
    Dependabot->>sim: Update @modelcontextprotocol/sdk: 1.20.2 → 1.24.0
    Note right of sim: Adds MCP spec 2025-11-25<br/>Tasks API, SSE improvements
    
    Dependabot->>sim: Update better-auth: 1.3.12 → 1.4.5
    Note right of sim: Cookie chunking fixes<br/>Multi-session improvements
    
    Dependabot->>sim: Update js-yaml: 4.1.0 → 4.1.1
    Note right of sim: SECURITY FIX:<br/>Prototype pollution patch
    
    Dependabot->>scripts: Update glob: 11.0.3 → 11.1.0
    Note right of scripts: Minor version bump
    
    Dependabot->>lock: Regenerate package-lock.json
    Note right of lock: Update transitive dependencies<br/>Add yaml 2.8.1
    
    Dependabot->>Dependabot: Create PR #2625
    Note over Dependabot: All updates non-breaking<br/>Ready for review

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 29, 2025

dependabot bot mentioned this pull request Dec 29, 2025

chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2194

Closed

vercel bot had a problem deploying to Preview December 29, 2025 10:20 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2625

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2625

dependabot bot commented on behalf of github Dec 29, 2025

Uh oh!

vercel bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

greptile-apps bot commented Dec 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2625

Are you sure you want to change the base?

build(deps): bump the npm_and_yarn group across 3 directories with 4 updates #2625

Conversation

dependabot bot commented on behalf of github Dec 29, 2025

1.24.0

Summary

What's Changed

New Contributors

1.23.1

Fixed:

v1.4.5-beta.2

🐞 Bug Fixes

View changes on GitHub

v1.4.4

🚀 Features

🐞 Bug Fixes

View changes on GitHub

v1.4.4-beta.3

🚀 Features

🐞 Bug Fixes

[4.1.1] - 2025-11-12

Security

1.24.0

Summary

What's Changed

New Contributors

1.23.1

Fixed:

v1.4.5-beta.2

🐞 Bug Fixes

View changes on GitHub

v1.4.4

🚀 Features

🐞 Bug Fixes

View changes on GitHub

v1.4.4-beta.3

🚀 Features

🐞 Bug Fixes

[4.1.1] - 2025-11-12

Security

1.24.0

Summary

What's Changed

Uh oh!

vercel bot commented Dec 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

greptile-apps bot commented Dec 29, 2025

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Sequence Diagram

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel bot commented Dec 29, 2025 •

edited

Loading