chore(deps): bump conformance to 0.1.15, port auth/pre-registration from v1.x #1650
felixweinberger merged 6 commits into main from
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/hono
@modelcontextprotocol/node
Pulls sdk@^1.26.0 (resolves to 1.27.1), clearing the Dependabot alert for GHSA-345p-7cg4-v4c7 (cross-client data leak, fixed in 1.26.0). Also removes stale minimumReleaseAgeExclude entries for hono@4.11.4 and @hono/node-server@1.19.9 (both well past 7 days).
5c7fbed to 113caa2
…cenarios Conformance 0.1.15 added three scenarios the v2 SDK doesn't implement yet:
- client: auth/pre-registration (OAuth without DCR)
- client: auth/cross-app-access-complete-flow (SEP-990)
- server: dns-rebinding-protection
Baseline them via --expected-failures so CI exits 0 on expected failures, 1 on regressions or stale entries (scenario starts passing → must update file).
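The exit-code rule the commit message above describes (0 when every failure is baselined, 1 on a regression or a stale entry), as an added model written for this page; it is not the conformance tool's own implementation, and the function, type and sample scenario results are assumptions.

```typescript
// Added model of --expected-failures baseline semantics (not the conformance tool's code).
type Outcome = "pass" | "fail";

interface BaselineResult {
  exitCode: 0 | 1;
  regressions: string[];      // failed and NOT listed in the baseline -> CI must go red
  stale: string[];            // listed in the baseline but no longer failing -> file must be updated
  expectedFailures: string[]; // failed and listed in the baseline -> tolerated
}

function evaluateAgainstBaseline(
  results: Record<string, Outcome>,
  expectedFailures: string[]
): BaselineResult {
  const baseline = new Set(expectedFailures);
  const regressions: string[] = [];
  const expected: string[] = [];
  for (const [scenario, outcome] of Object.entries(results)) {
    if (outcome !== "fail") continue;
    (baseline.has(scenario) ? expected : regressions).push(scenario);
  }
  // A baseline entry whose scenario now passes is stale. Treating an entry for a
  // scenario that no longer ran as stale too is an assumption of this model.
  const stale = expectedFailures.filter((s) => results[s] !== "fail");
  const exitCode: 0 | 1 = regressions.length === 0 && stale.length === 0 ? 0 : 1;
  return { exitCode, regressions, stale, expectedFailures: expected };
}

// Constructed sample run using the scenario names from the commit message.
const SAMPLE_RESULTS: Record<string, Outcome> = {
  "auth/pre-registration": "fail",
  "auth/cross-app-access-complete-flow": "fail",
  "dns-rebinding-protection": "fail",
  "tools/list": "pass",
};
const SAMPLE_BASELINE = [
  "auth/pre-registration",
  "auth/cross-app-access-complete-flow",
  "dns-rebinding-protection",
];
```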
The SDK has localhostHostValidation() middleware; the conformance test server just wasn't using it. Add it so the dns-rebinding-protection scenario passes instead of baselining it as an expected failure.
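The Host-header check that DNS rebinding protection rests on, as an added illustration for this page; it is not the SDK's localhostHostValidation() middleware nor code from this PR, and the allow-list, helper names and accepted forms are assumptions.

```typescript
// Added illustration of localhost Host-header validation (not the SDK's middleware).
// DNS rebinding points an attacker-controlled name at 127.0.0.1 after the browser's
// first lookup, so a page on that origin can reach a local server. The browser still
// sends the attacker's name in the Host header, which the attacker cannot change,
// so refusing any Host that is not a loopback name blocks the rebound request.

const ALLOWED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

/** Split a Host header into hostname and optional port; handles bracketed IPv6. */
function parseHost(host: string): { hostname: string; port?: string } | null {
  const trimmed = host.trim();
  if (trimmed === "") return null;
  if (trimmed.startsWith("[")) {
    // Bracketed IPv6 literal, e.g. "[::1]:3000"
    const end = trimmed.indexOf("]");
    if (end === -1) return null;
    const hostname = trimmed.slice(0, end + 1);
    const rest = trimmed.slice(end + 1);
    if (rest === "") return { hostname };
    if (!rest.startsWith(":") || !/^\d{1,5}$/.test(rest.slice(1))) return null;
    return { hostname, port: rest.slice(1) };
  }
  const parts = trimmed.split(":");
  if (parts.length === 1) return { hostname: parts[0] };
  if (parts.length === 2 && /^\d{1,5}$/.test(parts[1])) {
    return { hostname: parts[0], port: parts[1] };
  }
  return null; // more than one ':' without brackets is malformed
}

/** True only when the Host header names the loopback interface. */
function isAllowedLocalhostHost(host: string | undefined): boolean {
  if (host === undefined) return false; // HTTP/1.1 requires Host; refuse without it
  const parsed = parseHost(host);
  if (parsed === null) return false;
  return ALLOWED_HOSTNAMES.has(parsed.hostname.toLowerCase());
}
```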
Forward-ports PR #1545 from v1.x. The SDK already skips DCR when clientInformation() returns pre-populated credentials; only the conformance adapter wiring was missing.
- withOAuthRetry: accept optional existingProvider
- everythingClient: register auth/pre-registration handler
- expected-failures: drop now-passing scenario
LGTM — test-harness dependency bump with corresponding fixture updates, no production code touched.
Extended reasoning...
Overview
This PR bumps the @modelcontextprotocol/conformance dev dependency from 0.1.10 to 0.1.15 and makes the test harness changes needed to pass the new conformance suite version. All code changes are confined to test/conformance/ (a private test-only package):
- pnpm-lock.yaml / package.json — the version bump itself, pulling sdk@1.27.1 transitively (clears a Dependabot alert for express-rate-limit)
- pnpm-workspace.yaml — drops stale minimumReleaseAgeExclude entries for hono/@hono/node-server now that the fix versions are past the 7-day window
- expected-failures.yaml — new baseline listing auth/cross-app-access-complete-flow as not-yet-implemented, wired into the test scripts via --expected-failures
- everythingClient.ts — adds the auth/pre-registration scenario, following the same pattern as existing auth scenarios; uses a pre-populated ConformanceOAuthProvider to skip dynamic client registration
- everythingServer.ts — enables localhostHostValidation() middleware so the DNS-rebinding-protection scenario passes
- withOAuthRetry.ts — adds an optional existingProvider parameter with ?? fallback, fully backwards-compatible
Security risks
None. No production or published code is modified. The lockfile changes are transitive deps of a dev-only test package. The localhostHostValidation() addition improves the security posture of the test server (though it's only ever bound to localhost anyway).
Level of scrutiny
Low. This is test infrastructure maintenance — a dependency bump with the minimal fixture changes needed to keep CI green on the new suite version. No package exports, no API changes, no logic in shipped code. The shell script at scripts/run-server-conformance.sh already forwards "$@", so the new --expected-failures flag is correctly plumbed through.
Other factors
Verified that localhostHostValidation is exported from @modelcontextprotocol/express (packages/middleware/express/src/middleware/hostHeaderValidation.ts:50) and that ConformanceOAuthProvider.saveClientInformation exists (test/conformance/src/helpers/conformanceOAuthProvider.ts:38). The PR description mentions three new scenarios but only one is in expected-failures.yaml — this is consistent, since the other two (pre-registration and dns-rebinding) are implemented by this PR rather than marked as expected failures. No changeset is needed since @modelcontextprotocol/test-conformance is private.
LGTM — test-infrastructure-only dep bump and conformance scenario port, no SDK changes.
Extended reasoning...
Overview
This PR bumps the conformance test tool from 0.1.10 to 0.1.15 and forward-ports the auth/pre-registration scenario from v1.x (#1545). All changes are confined to test infrastructure:
- pnpm-lock.yaml / pnpm-workspace.yaml: lockfile refresh, removal of stale minimumReleaseAgeExclude entries for hono packages that are now past the 7-day age window
- test/conformance/expected-failures.yaml: new baseline listing auth/cross-app-access-complete-flow as a known-failing scenario (blocked on #1531)
- test/conformance/package.json: dep bump and --expected-failures flag wiring into test scripts
- test/conformance/src/everythingClient.ts: adds a new scenario handler following the exact pattern of runClientCredentialsBasic — parses context, pre-populates the OAuth provider via saveClientInformation, runs connect/listTools/callTool
- test/conformance/src/everythingServer.ts: adds localhostHostValidation() middleware (DNS rebinding protection) — already landed in 62ff4c2, appears here as merge artifact
- test/conformance/src/helpers/withOAuthRetry.ts: adds optional existingProvider parameter with ?? fallback to the existing constructor call — fully backward-compatible
No changes to any published SDK package under packages/. The changeset bot correctly notes no changeset needed.
Security risks
None introduced; this PR is net-positive on security:
- Clears Dependabot alert #44 (GHSA-345p-7cg4-v4c7) by pulling sdk@1.27.1 as a transitive dev-dependency of the conformance tool
- Adds DNS rebinding protection to the test server (already merged separately)
- New @octokit/* and undici@7.22.0 deps are transitive dev-dependencies of the conformance CLI only, never shipped to consumers
The auth/pre-registration scenario code is test-adapter code that pre-populates client credentials into a mock OAuth provider — it exercises SDK paths but contains no auth logic itself.
Level of scrutiny
Low. This is a test/** + workspace-config change with zero impact on published packages. The new scenario handler is a near-verbatim copy of existing handlers (runClientCredentialsBasic) with the one difference that it pre-populates client info instead of letting the SDK dynamically register. The run-server-conformance.sh script already uses "$@" pass-through, so the new --expected-failures flag plumbs through correctly.
Other factors
- No bugs flagged by the bug hunting system
- No outstanding reviewer comments
- CODEOWNERS: the auth-team-owned paths (/src/server/auth/, /src/client/auth*, etc.) are not touched — test/conformance/ falls under the default team
- ConformanceOAuthProvider.saveClientInformation is an existing method at conformanceOAuthProvider.ts:38, so the new callsite is valid
Conflicts:
test/conformance/src/everythingClient.ts
- kept both pre-registration (from modelcontextprotocol#1650) and cross-app-access
discriminated union variants
Also: drop unused OAuthClientInformation import from crossAppAccess.ts
(lint failure from ef35f0b).
LGTM — test-only conformance harness updates with a transitive dep bump that clears a security advisory.
Extended reasoning...
Overview
This PR bumps the @modelcontextprotocol/conformance dev dependency from 0.1.10 to 0.1.15, which transitively pulls sdk@1.27.1 and clears Dependabot alert GHSA-345p-7cg4-v4c7. All non-lockfile changes are confined to test/conformance/ (test harness code, not shipped) plus a two-line cleanup of stale minimumReleaseAgeExclude entries in pnpm-workspace.yaml. The new auth/pre-registration scenario in everythingClient.ts follows the established pattern of other scenarios in the file, and the withOAuthRetry helper gets a backwards-compatible optional existingProvider param. The server gains localhostHostValidation() middleware (DNS rebinding protection), which is a defensive addition for a test-only server.
Security risks
None introduced; the PR is net-positive security-wise. It resolves a known advisory in the transitive v1 SDK dep and adds Host-header validation to the conformance test server. No production SDK code paths are touched. The new transitive deps (@octokit/*, undici@7.22, ip-address, etc.) are all well-known packages pulled in by the conformance runner, not by the published packages.
Level of scrutiny
Low. This is test-infrastructure and workspace-config hygiene. The conformance harness is private: true and not published. The script changes (adding --expected-failures ./expected-failures.yaml) are mechanical and the shell script correctly forwards args via "$@". The minimumReleaseAgeExclude removals are safe because those pinned versions (hono@4.11.4, @hono/node-server@1.19.9) are now well past the 7-day age threshold.
Other factors
No changeset is needed since no published package is affected (changeset-bot correctly notes this). No outstanding reviewer comments. The saveClientInformation method and localhostHostValidation export both exist in the current codebase. The run-server-conformance.sh script passes through --expected-failures via "$@" at line 43.
Bumps conformance 0.1.10 → 0.1.15. Pulls sdk@^1.26.0 (resolves to 1.27.1), clearing Dependabot alert #44 (GHSA-345p-7cg4-v4c7).
Forward-ports #1545 from v1.x so auth/pre-registration passes (adapter-only, no SDK changes). Adds expected-failures.yaml baseline for cross-app-access-complete-flow (SEP-990, blocked on #1531).
Also drops stale minimumReleaseAgeExclude entries.