chore(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.0

GitLab Dependency Botrequested to merge
gitlab-renovate-forks/cli:renovate/github.com-modelcontextprotocol-go-sdk-1.x into main

This MR contains the following updates:

Package Type Update Change
github.com/modelcontextprotocol/go-sdk require minor v1.3.1 -> v1.4.0

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

MR created with the help of gitlab-org/frontend/renovate-gitlab-bot

Release Notes

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.4.0

Compare Source

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

Sampling with Tools

Starting from this release, the server use the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection (MCPGODEBUG=disablelocalhostprotection=1)

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The option to remove this protection will be removed in v1.6.0.

Removed JSON content escaping when marshaling (MCPGODEBUG=jsonescaping=1):

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default. The option to bring back the escaping will be removed in v1.6.0.

Bug fixes

Security vulnerability caused by the case insensitive parsing behavior of encoding/json has been submitted (also release as a cherry pick in v1.3.1). Security advisory has been posted.

Other fixes:

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

Other enhancements:

Repository organization

Some effort was put into better organization of the repository, as well as making sure it's up to date and secure. As a highlight, the repository is not integrated with OSSF Scorecard with a positive score of 8.7. Additionally, the full conformance test suite is now run on every MR and push to main.

New Contributors

Full Changelog: https://github.com/modelcontextprotocol/go-sdk/compare/v1.3.0...v1.4.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports