
chore(deps): bump the minor-and-patch group across 1 directory with 3 updates #62

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/minor-and-patch-a67af39979

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps the minor-and-patch group with 3 updates in the / directory: github.com/modelcontextprotocol/go-sdk, github.com/xuri/excelize/v2 and golang.org/x/sys.

Updates github.com/modelcontextprotocol/go-sdk from 1.3.0 to 1.4.0

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.0

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

Sampling with Tools

Starting from this release, the server uses the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The protection can be disabled by specifying StreamableHTTPOptions.DisableLocalhostProtection, but it should be done only if security implications are understood (see documentation for the option).

This protection is a behavior change, as the protection is now enabled by default. Because of that, we have introduced an MCPGODEBUG option to bring back the previous default behavior for users that need more time to adjust. However, if possible, we recommend specifying DisableLocalhostProtection described above, as it is a more future-proof solution. The MCPGODEBUG option to remove this protection (disablelocalhostprotection=1) will be removed in v1.6.0.

Removed JSON content escaping when marshaling

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default, to be consistent with other SDKs. Since this is a behavior change, we introduced an MCPGODEBUG option to bring back the previous behavior for users that need more time to adjust to it. That option (jsonescaping=1) will be removed in v1.6.0.

Bug fixes

Security vulnerability caused by the case insensitive parsing behavior of encoding/json has been submitted (also released as a cherry pick in v1.3.1). Security advisory has been posted.

Other fixes:

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

Other enhancements:

... (truncated)

Commits
  • c9317fb all: client side OAuth support (#785)
  • 4e8b6ca mcp: return 400 instead of 500 when body read fails in stateless mode (#817)
  • 0048a18 chore: Configure advanced CodeQL setup (#819)
  • 1942036 chore: update the version of the conformance suite. (#814)
  • b17143f chore: increase timeout for conformance server start. (#813)
  • 86d05a1 chore: update publish-docs permissions to be more targeted. (#812)
  • 9f22cf1 chore: configure a simple AGENTS.md file and a skill for fixing GitHu… (#810)
  • 51d256c chore: Configure OSSF Scorecard action (#811)
  • ac65640 chore: update SECURITY.md to use GitHub Security Advisories (#809)
  • 7b8d81c all: use case-sensitive JSON unmarshaling (#807)
  • Additional commits viewable in compare view

Updates github.com/xuri/excelize/v2 from 2.10.0 to 2.10.1

Release notes

Sourced from github.com/xuri/excelize/v2's releases.

v2.10.1

We are pleased to announce the release of version 2.10.1. Featured are a handful of new areas of functionality and numerous bug fixes.

A summary of changes is available in the Release Notes. A full list of changes is available in the changelog.

Release Notes

The most notable changes in this release are:

Breaking Change

Removed three exported error variables: ErrStreamSetColStyle, ErrStreamSetColWidth, and ErrStreamSetPanes.

Notable Features

  • Added the ChartDataPoint data type
  • Added the DataPoint field to ChartSeries
  • Added the DropLines and HighLowLines fields to ChartAxis
  • Added the Name field to GraphicOptions
  • Added two constants: MaxGraphicAltTextLength and MaxGraphicNameLength
  • Added 7 exported error variables: ErrFillType, ErrFillGradientColor, ErrFillGradientShading, ErrFillPatternColor, ErrFillPattern, ErrMaxGraphicAltTextLength and ErrMaxGraphicNameLength
  • Added the exported function GetHyperLinkCells to retrieve hyperlink cells, related issue #1607
  • Added the exported function GetSheetProtection to retrieve sheet protection settings
  • The AddComment function now returns an error when adding a comment to a cell that already has one
  • Added support for inserting ICO images, related issue #2234
  • The CalcCellValue function now supports two formula functions: SORTBY and UNIQUE
  • The AddChart and AddChartSheet functions now support setting data point colors for doughnut, pie, and 3D pie charts, related issue #1904
  • The AddChart function now supports configuring font families for East Asian and complex-script fonts
  • The AddChart function now supports drop lines and high-low lines for area and line charts
  • The GetPictures function can now return partial formatting properties, related issue #2157
  • Added the SetColVisible function to the streaming writer to set column visibility, related issue #2075
  • Added the SetColOutlineLevel function to the streaming writer to group columns, related issue #2212
  • The AddShape and AddSlicer functions now support one-cell anchor positioning for shapes and slicers
  • The GetSlicers function now supports retrieving slicers with one-cell anchor positioning
  • The SetConditionalFormat, GetConditionalFormats, and UnsetConditionalFormat functions now support the 3 triangles, 3 stars, and 5 boxes icon set conditional formats, related issue #2038
  • The UnsetConditionalFormat function now supports deleting a conditional format rule or data validation for a specific cell within a cell range
  • The AddPicture and AddPictureFromBytes functions now support setting the picture name
  • The AddChart and AddShape functions now support setting names and alternative text for charts and shapes
  • The AddSlicer function now supports setting alternative text for slicers
  • Added validation for graphic names and alternative text length; returns an error when the length exceeds the limit
  • Added UTF-16-aware length checking and truncation

Improve the Compatibility

  • Removed empty rows on save, reducing the generated workbook file size

Bug Fixes

  • Fixed a v2.10.0 regression where the GetCellValue and GetRows functions returned shared string indexes for empty strings, resolve issue #2240
  • Fixed GetPivotTables panicking when retrieving pivot tables in some cases

... (truncated)

Commits
  • 5ad5ab3 Update GitHub Actions workflow configuration, test on Go 1.26.x (#2262)
  • 52dd99a This closes #2259, add value check for prevent using invalid fill type when c...
  • 4917cff This closes #2254, fix duplicate style creation when using default font or f...
  • 38eb7c1 Trim single quotes from sheet names to fix calculation engine resolve referen...
  • 2dcfb60 This closes #2240, fix GetCellValue returning shared string index for empty s...
  • f5f68f8 Ref #1607, introduce new functions GetHyperLinkCells and GetSheetProtection
  • 6ad51b2 Support set drop lines and high-low lines for area and line charts (#2250)
  • 37b730a Apply font family settings for east asian and complex script fonts (#2249)
  • 7b57409 Support delete conditional format rule or data validation by specific cell fr...
  • 8b325dc Fix DeleteDataValidation with unordered sqref ranges (#2248)
  • Additional commits viewable in compare view

Updates golang.org/x/sys from 0.41.0 to 0.42.0

Commits
  • eaaaaee windows/registry: correct KeyInfo.ModTime calculation
  • 942780b cpu: darwin/arm64 feature detection
  • acef388 unix/linux: Prefixmsg and PrefixCacheinfo structs
  • 3687fbd cpu: better defaults on darwin ARM64
  • 48062e9 plan9: change Note to alias syscall.Note
  • 4f23f80 windows: change Signal to alias syscall.Signal
  • 7548802 all: upgrade go directive to at least 1.25.0 [generated]
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
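
The DNS rebinding rule quoted in the go-sdk v1.4.0 release notes above (loopback arrival plus a non-localhost Host header means reject), sketched as a standalone net/http middleware. This is an added example, not code from the go-sdk or from this PR; the names isLoopbackHost, rejectRebinding and statusFor, the /mcp path, the 403 status and the sample hosts are assumptions, as is reading the arrival address from http.LocalAddrContextKey.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isLoopbackHost reports whether a Host header value names the local machine.
func isLoopbackHost(host string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]") // bare IPv6 literal without a port
	ip := net.ParseIP(host)
	return strings.EqualFold(host, "localhost") || (ip != nil && ip.IsLoopback())
}

// rejectRebinding (hypothetical name) refuses loopback arrivals that name another host.
func rejectRebinding(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		local, _ := r.Context().Value(http.LocalAddrContextKey).(net.Addr)
		if tcp, ok := local.(*net.TCPAddr); ok && tcp.IP.IsLoopback() && !isLoopbackHost(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one constructed request through the check; localIP is the listener-side address.
func statusFor(localIP, hostHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
	req.Host = hostHeader
	addr := &net.TCPAddr{IP: net.ParseIP(localIP), Port: 8080}
	req = req.WithContext(context.WithValue(req.Context(), http.LocalAddrContextKey, addr))
	rec := httptest.NewRecorder()
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rejectRebinding(next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("127.0.0.1", "localhost:8080"))     // loopback arrival, local Host
	fmt.Println(statusFor("127.0.0.1", "other-site.example")) // loopback arrival, foreign Host
}
```

Requests that arrive on a non-loopback address pass through unchanged, so a deployment behind a reverse proxy on the same host is the case where the release notes' DisableLocalhostProtection option becomes relevant.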

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Mar 9, 2026
… updates

Bumps the minor-and-patch group with 3 updates in the / directory: [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk), [github.com/xuri/excelize/v2](https://github.com/xuri/excelize) and [golang.org/x/sys](https://github.com/golang/sys).


Updates `github.com/modelcontextprotocol/go-sdk` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.3.0...v1.4.0)

Updates `github.com/xuri/excelize/v2` from 2.10.0 to 2.10.1
- [Release notes](https://github.com/xuri/excelize/releases)
- [Commits](qax-os/excelize@v2.10.0...v2.10.1)

Updates `golang.org/x/sys` from 0.41.0 to 0.42.0
- [Commits](golang/sys@v0.41.0...v0.42.0)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: github.com/xuri/excelize/v2
  dependency-version: 2.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: golang.org/x/sys
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/minor-and-patch-a67af39979 branch from 662d93e to 7f300d5 Compare March 11, 2026 02:33