chore(deps): bump conformance to 0.1.15, port auth/pre-registration from v1.x#1650
felixweinberger wants to merge 4 commits into main from
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/hono
@modelcontextprotocol/node
Pulls sdk@^1.26.0 (resolves to 1.27.1), clearing the Dependabot alert for GHSA-345p-7cg4-v4c7 (cross-client data leak, fixed in 1.26.0). Also removes stale minimumReleaseAgeExclude entries for hono@4.11.4 and @hono/node-server@1.19.9 (both well past 7 days).
…cenarios

Conformance 0.1.15 added three scenarios the v2 SDK doesn't implement yet:
- client: auth/pre-registration (OAuth without DCR)
- client: auth/cross-app-access-complete-flow (SEP-990)
- server: dns-rebinding-protection

Baseline them via --expected-failures so CI exits 0 on expected failures, 1 on regressions or stale entries (scenario starts passing → must update file).
The SDK has localhostHostValidation() middleware; the conformance test server just wasn't using it. Add it so the dns-rebinding-protection scenario passes instead of baselining it as an expected failure.
Forward-ports PR #1545 from v1.x. The SDK already skips DCR when clientInformation() returns pre-populated credentials; only the conformance adapter wiring was missing.
- withOAuthRetry: accept optional existingProvider
- everythingClient: register auth/pre-registration handler
- expected-failures: drop now-passing scenario
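As an added illustration of the Host-header check that the dns-rebinding-protection scenario exercises (this is not the SDK's own localhostHostValidation() code, and the function names, the minimal request/response types and the 403 body are assumptions): a server that only ever binds to loopback still has to reject requests whose Host header names anything other than the expected loopback names, because a DNS-rebinding page can make a victim's browser reach 127.0.0.1 under an attacker-controlled hostname.

```typescript
// Hypothetical Host-header validation for a localhost-only HTTP server.
// Not the SDK's implementation; a self-contained equivalent for illustration.

// Host values a loopback-bound server should accept (port is handled separately).
const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

/** Strip a trailing :port, keeping IPv6 brackets intact ("[::1]:3000" -> "[::1]"). */
function hostWithoutPort(host: string): string {
  const trimmed = host.trim().toLowerCase();
  if (trimmed.startsWith("[")) {
    const end = trimmed.indexOf("]");
    return end === -1 ? trimmed : trimmed.slice(0, end + 1);
  }
  const colon = trimmed.indexOf(":");
  return colon === -1 ? trimmed : trimmed.slice(0, colon);
}

/** True only when the Host header names one of the allowed hosts. */
function isAllowedHost(
  hostHeader: string | undefined,
  allowed: string[] = DEFAULT_ALLOWED_HOSTS,
): boolean {
  // A missing Host header is rejected: with rebinding the attacker controls the
  // name the browser resolved, so only an explicit, expected name is trusted.
  if (!hostHeader) return false;
  const host = hostWithoutPort(hostHeader);
  return allowed.some((a) => a.toLowerCase() === host);
}

// Minimal Express-like shapes so the middleware runs without the real framework.
interface Req { headers: Record<string, string | undefined> }
interface Res { status(code: number): Res; json(body: unknown): void }

/** Express-style middleware: respond 403 on an unexpected Host, else continue. */
function hostValidation(allowed: string[] = DEFAULT_ALLOWED_HOSTS) {
  return (req: Req, res: Res, next: () => void): void => {
    if (!isAllowedHost(req.headers["host"], allowed)) {
      res.status(403).json({ error: "Invalid Host header" });
      return;
    }
    next();
  };
}
```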
LGTM — test-harness dependency bump with corresponding fixture updates, no production code touched.
Extended reasoning...
Overview
This PR bumps the @modelcontextprotocol/conformance dev dependency from 0.1.10 to 0.1.15 and makes the test harness changes needed to pass the new conformance suite version. All code changes are confined to test/conformance/ (a private test-only package):
- pnpm-lock.yaml / package.json — the version bump itself, pulling sdk@1.27.1 transitively (clears a Dependabot alert for express-rate-limit)
- pnpm-workspace.yaml — drops stale minimumReleaseAgeExclude entries for hono/@hono/node-server now that the fix versions are past the 7-day window
- expected-failures.yaml — new baseline listing auth/cross-app-access-complete-flow as not-yet-implemented, wired into the test scripts via --expected-failures
- everythingClient.ts — adds the auth/pre-registration scenario, following the same pattern as existing auth scenarios; uses a pre-populated ConformanceOAuthProvider to skip dynamic client registration
- everythingServer.ts — enables localhostHostValidation() middleware so the DNS-rebinding-protection scenario passes
- withOAuthRetry.ts — adds an optional existingProvider parameter with ?? fallback, fully backwards-compatible
Security risks
None. No production or published code is modified. The lockfile changes are transitive deps of a dev-only test package. The localhostHostValidation() addition improves the security posture of the test server (though it's only ever bound to localhost anyway).
Level of scrutiny
Low. This is test infrastructure maintenance — a dependency bump with the minimal fixture changes needed to keep CI green on the new suite version. No package exports, no API changes, no logic in shipped code. The shell script at scripts/run-server-conformance.sh already forwards "$@", so the new --expected-failures flag is correctly plumbed through.
Other factors
Verified that localhostHostValidation is exported from @modelcontextprotocol/express (packages/middleware/express/src/middleware/hostHeaderValidation.ts:50) and that ConformanceOAuthProvider.saveClientInformation exists (test/conformance/src/helpers/conformanceOAuthProvider.ts:38). The PR description mentions three new scenarios but only one is in expected-failures.yaml — this is consistent, since the other two (pre-registration and dns-rebinding) are implemented by this PR rather than marked as expected failures. No changeset is needed since @modelcontextprotocol/test-conformance is private.
Bumps conformance 0.1.10 → 0.1.15. Pulls sdk@^1.26.0 (resolves to 1.27.1), clearing Dependabot alert #44 (GHSA-345p-7cg4-v4c7).

Forward-ports #1545 from v1.x so auth/pre-registration passes (adapter-only, no SDK changes).

Adds expected-failures.yaml baseline for cross-app-access-complete-flow (SEP-990, blocked on #1531).

Also drops stale minimumReleaseAgeExclude entries.