build(deps): bump github.com/modelcontextprotocol/go-sdk from 1.3.1-0.20260220105450-b17143f71798 to 1.4.1 in the go_modules group across 1 directory

[dependabot]

Bumps the go_modules group with 1 update in the / directory: github.com/modelcontextprotocol/go-sdk.

Updates github.com/modelcontextprotocol/go-sdk from 1.3.1-0.20260220105450-b17143f71798 to 1.4.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.1

This release is a patch release for v1.4.0.

It contains cherry-picks for several security improvements. Security advisories will follow.

Fixes

Update of the segmentio/encoding module version

The JSON parsing library that was adopted to avoid attacks taking advantage of the Go's standard parser being case insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.

Cross-origin requests protection

We have added additional protection against cross origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.

Since this is a behavior change, we introduced a compatibility parameter disablecrossoriginprotection that will allow to temporarily disable it. It will be removed in v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.

Allowing customization of http.Client for client-side OAuth

We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.

Pull requests

• internal: fix Unicode zero character handling by @​maciej-kisiel in modelcontextprotocol/go-sdk#841
• auth: allow passing custom http.Client to AuthorizationCodeHandler by @​maciej-kisiel in modelcontextprotocol/go-sdk#840
• mcp: verify 'Origin' and 'Content-Type' headers by @​maciej-kisiel in modelcontextprotocol/go-sdk#842

Full Changelog: modelcontextprotocol/go-sdk@v1.4.0...v1.4.1

v1.4.0

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

• all: client side OAuth support by @​maciej-kisiel in modelcontextprotocol/go-sdk#785

Sampling with Tools

Starting from this release, the server use the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

• mcp: implement sampling with tools by @​findleyr in modelcontextprotocol/go-sdk#699

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The protection can be disabled by specifying StreamableHTTPOptions.DisableLocalhostProtection, but it should be done only if security implications are understood (see documentation for the option).

This protection is a behavior change, as the protection is now enabled by default. Because of that, we have introduced an MCPGODEBUG option to bring back the previous default behavior for users that need more time to adjust. However, if possible, we recommend specifying DisableLocalhostProtection described above, as it is a more future-proof solution. The MCPGODEBUG option to remove this protection (disablelocalhostprotection=1) will be removed in v1.6.0.

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.