chore(deps): bump the npm_and_yarn group across 3 directories with 4 updates

Open

Number: #2194
Type: Pull Request
State: Open

Author:

dependabot[bot]
Association: Unknown
Comments: 3

Created: December 04, 2025 at 09:31 PM UTC
(6 months ago)

Updated: December 29, 2025 at 12:01 PM UTC
(5 months ago)

Labels:
dependencies javascript

Description:

Bumps the npm_and_yarn group with 3 updates in the / directory: @modelcontextprotocol/sdk, better-auth and js-yaml.
Bumps the npm_and_yarn group with 2 updates in the /apps/sim directory: better-auth and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.24.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

fix: update spec links from latest to draft by @domdomegg in modelcontextprotocol/typescript-sdk#1171

Make sure to consume HTTP error response bodies by @GreenStage in modelcontextprotocol/typescript-sdk#1173

docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in modelcontextprotocol/typescript-sdk#1161

SEP-1686: Tasks by @LucaButBoring in modelcontextprotocol/typescript-sdk#1041

Fix JSON parse error on SSE events with empty data by @felixweinberger in modelcontextprotocol/typescript-sdk#1184

Fix StreamableHTTPClientTransport instantiation by @yuwzho in modelcontextprotocol/typescript-sdk#944

feat: eslint rule to prefer node protocols by @mattzcarey in modelcontextprotocol/typescript-sdk#1187

fix: call tasks/result to deliver side-channel messages by @felixweinberger in modelcontextprotocol/typescript-sdk#1185

Add invalid_target oauth error (rfc 8707) by @GreenStage in modelcontextprotocol/typescript-sdk#1183

fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in modelcontextprotocol/typescript-sdk#1178

coerce 'expires_in' to be a number by @adam-kuhn in modelcontextprotocol/typescript-sdk#1111

Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in modelcontextprotocol/typescript-sdk#1189

fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in modelcontextprotocol/typescript-sdk#1188

SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in modelcontextprotocol/typescript-sdk#1157

adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in modelcontextprotocol/typescript-sdk#1078

Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in modelcontextprotocol/typescript-sdk#1199

fix hanging stdio servers by @mattzcarey in modelcontextprotocol/typescript-sdk#1200

README refactor by @KKonstantinov in modelcontextprotocol/typescript-sdk#1197

[Docs] Fix typo by @koic in modelcontextprotocol/typescript-sdk#1067

feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in modelcontextprotocol/typescript-sdk#1166

fix: improve SSE reconnection behavior by @felixweinberger in modelcontextprotocol/typescript-sdk#1191

fix: normalize headers in sse transport by @marcrasi in modelcontextprotocol/typescript-sdk#856

feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in modelcontextprotocol/typescript-sdk#1203

fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in modelcontextprotocol/typescript-sdk#1204

Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in modelcontextprotocol/typescript-sdk#1205

fix: allow zod 4 transformations by @mattzcarey in modelcontextprotocol/typescript-sdk#1213

feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/typescript-sdk#1212

chore: bump version for release by @felixweinberger in modelcontextprotocol/typescript-sdk#1215

New Contributors

@GreenStage made their first contribution in modelcontextprotocol/typescript-sdk#1173

@saharis9988 made their first contribution in modelcontextprotocol/typescript-sdk#1161

@yuwzho made their first contribution in modelcontextprotocol/typescript-sdk#944

@yamadashy made their first contribution in modelcontextprotocol/typescript-sdk#1178

@adam-kuhn made their first contribution in modelcontextprotocol/typescript-sdk#1111

@mgyarmathy made their first contribution in modelcontextprotocol/typescript-sdk#1078

@filip-bartuska-ipf made their first contribution in modelcontextprotocol/typescript-sdk#1199

@koic made their first contribution in modelcontextprotocol/typescript-sdk#1067

@marcrasi made their first contribution in modelcontextprotocol/typescript-sdk#856

@jacopoc made their first contribution in modelcontextprotocol/typescript-sdk#1205

Full Changelog: https://github.com/modelcontextprotocol/typescript-sdk/compare/1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits

356b7e6 chore: bump version for release (#1215)
09623e2 Merge commit from fork
cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
8204126 fix: allow zod 4 transformations (#1213)
6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
5ceabfb fix: normalize headers in sse transport (#856)
f67fc2f fix: improve SSE reconnection behavior (#1191)
fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (53a74)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (deb62)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (1c45f)

   🐞 Bug Fixes

Support @tanstack/solid-start in tanstackStartCookies plugin - by @jakst in better-auth/better-auth#6235 (c69b3)

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (5ea36)

cli:

Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder - by @ping-maxwell in better-auth/better-auth#6214 (b8a73)

Prevent duplicate index creation in Prisma schema generation - by @rovertrack in better-auth/better-auth#6234 (0bbd8)

client:

Get-session gets triggered twice on foucs - by @Bekacru in better-auth/better-auth#6186 (54852)

email-otp:

Sign-in email-otp bugs with capitalized emails - by @ping-maxwell in better-auth/better-auth#6237 (fd010)

oidc-provider:

Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (201a7)

organization:

Have deleteOrganization use adapter.deleteMany instead of delete - by @kefimoto in better-auth/better-auth#6226 (32d3f)

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (519ef)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (39c84)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (92218)

   🐞 Bug Fixes

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (93606)

docs: Fix Next.js 16 proxy build error issue - by @DimplesY in better-auth/better-auth#6302 (a1f1c)

oidc-provider: Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (84ad3)

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits

f2c28dd chore: release v1.4.2
7e7a4ca chore: release v1.4.2-beta.2
a2e6a8a Revert "chore: lint (#6290)"
5ea36ab fix: signIn/signUp API returns user additional field (#6287)
205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
1c1c913 chore: more join tests for missing data scenarios (#6166)
1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
fc662c5 chore: remove incorrect auth cli (#6242)
fabf8dc docs: updated og image and add merch link to community section (#6251)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (53a74)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (deb62)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (1c45f)

   🐞 Bug Fixes

Support @tanstack/solid-start in tanstackStartCookies plugin - by @jakst in better-auth/better-auth#6235 (c69b3)

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (5ea36)

cli:

Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder - by @ping-maxwell in better-auth/better-auth#6214 (b8a73)

Prevent duplicate index creation in Prisma schema generation - by @rovertrack in better-auth/better-auth#6234 (0bbd8)

client:

Get-session gets triggered twice on foucs - by @Bekacru in better-auth/better-auth#6186 (54852)

email-otp:

Sign-in email-otp bugs with capitalized emails - by @ping-maxwell in better-auth/better-auth#6237 (fd010)

oidc-provider:

Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (201a7)

organization:

Have deleteOrganization use adapter.deleteMany instead of delete - by @kefimoto in better-auth/better-auth#6226 (32d3f)

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (519ef)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (39c84)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (92218)

   🐞 Bug Fixes

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (93606)

docs: Fix Next.js 16 proxy build error issue - by @DimplesY in better-auth/better-auth#6302 (a1f1c)

oidc-provider: Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (84ad3)

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits

f2c28dd chore: release v1.4.2
7e7a4ca chore: release v1.4.2-beta.2
a2e6a8a Revert "chore: lint (#6290)"
5ea36ab fix: signIn/signUp API returns user additional field (#6287)
205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
1c1c913 chore: more join tests for missing data scenarios (#6166)
1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
fc662c5 chore: remove incorrect auth cli (#6242)
fabf8dc docs: updated og image and add merch link to community section (#6251)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (53a74)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (deb62)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (1c45f)

   🐞 Bug Fixes

Support @tanstack/solid-start in tanstackStartCookies plugin - by @jakst in better-auth/better-auth#6235 (c69b3)

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (5ea36)

cli:

Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder - by @ping-maxwell in better-auth/better-auth#6214 (b8a73)

Prevent duplicate index creation in Prisma schema generation - by @rovertrack in better-auth/better-auth#6234 (0bbd8)

client:

Get-session gets triggered twice on foucs - by @Bekacru in better-auth/better-auth#6186 (54852)

email-otp:

Sign-in email-otp bugs with capitalized emails - by @ping-maxwell in better-auth/better-auth#6237 (fd010)

oidc-provider:

Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (201a7)

organization:

Have deleteOrganization use adapter.deleteMany instead of delete - by @kefimoto in better-auth/better-auth#6226 (32d3f)

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (519ef)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (39c84)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (92218)

   🐞 Bug Fixes

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (93606)

docs: Fix Next.js 16 proxy build error issue - by @DimplesY in better-auth/better-auth#6302 (a1f1c)

oidc-provider: Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (84ad3)

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits

f2c28dd chore: release v1.4.2
7e7a4ca chore: release v1.4.2-beta.2
a2e6a8a Revert "chore: lint (#6290)"
5ea36ab fix: signIn/signUp API returns user additional field (#6287)
205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
1c1c913 chore: more join tests for missing data scenarios (#6166)
1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
fc662c5 chore: remove incorrect auth cli (#6242)
fabf8dc docs: updated og image and add merch link to community section (#6251)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates better-auth from 1.3.12 to 1.4.2

Release notes

Sourced from better-auth's releases.

v1.4.2

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (53a74)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (deb62)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (1c45f)

   🐞 Bug Fixes

Support @tanstack/solid-start in tanstackStartCookies plugin - by @jakst in better-auth/better-auth#6235 (c69b3)

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (5ea36)

cli:

Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder - by @ping-maxwell in better-auth/better-auth#6214 (b8a73)

Prevent duplicate index creation in Prisma schema generation - by @rovertrack in better-auth/better-auth#6234 (0bbd8)

client:

Get-session gets triggered twice on foucs - by @Bekacru in better-auth/better-auth#6186 (54852)

email-otp:

Sign-in email-otp bugs with capitalized emails - by @ping-maxwell in better-auth/better-auth#6237 (fd010)

oidc-provider:

Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (201a7)

organization:

Have deleteOrganization use adapter.deleteMany instead of delete - by @kefimoto in better-auth/better-auth#6226 (32d3f)

    View changes on GitHub

v1.4.2-beta.5

   🚀 Features

cli: Check /auth for auth.ts - by @ping-maxwell in better-auth/better-auth#6273 (519ef)

github: Add PKCE support for Github - by @Shridhad in better-auth/better-auth#6276 (39c84)

jwt: Allow custom jwks endpoint - by @luist18 in better-auth/better-auth#6269 (92218)

   🐞 Bug Fixes

SignIn/signUp API returns user additional field - by @himself65 in better-auth/better-auth#6287 (93606)

docs: Fix Next.js 16 proxy build error issue - by @DimplesY in better-auth/better-auth#6302 (a1f1c)

oidc-provider: Session shouldn't be required - by @Bekacru in better-auth/better-auth#6282 (84ad3)

    View changes on GitHub

v1.4.2-beta.4

No significant changes

    View changes on GitHub

v1.4.2-beta.3

No significant changes

    View changes on GitHub

... (truncated)

Commits

f2c28dd chore: release v1.4.2
7e7a4ca chore: release v1.4.2-beta.2
a2e6a8a Revert "chore: lint (#6290)"
5ea36ab fix: signIn/signUp API returns user additional field (#6287)
205c294 chore(email-otp): unit tests for sign-in with capitalizations (#6238)
201a7c2 fix(oidc-provider): session shouldn't be required (#6282)
1c1c913 chore: more join tests for missing data scenarios (#6166)
1c45f37 feat(jwt): allow custom jwks endpoint (#6269)
fc662c5 chore: remove incorrect auth cli (#6242)
fabf8dc docs: updated og image and add merch link to community section (#6251)
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates glob from 11.0.2 to 11.1.0

Changelog

Sourced from glob's changelog.

changeglob

13

Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)

Add th...
Description has been truncated

Package Dependencies

Package:
glob

Ecosystem:
npm

Version Change:
11.0.2 → 11.1.0

Update Type:
Minor

Package:
better-auth

Ecosystem:
npm

Version Change:
1.3.12 → 1.4.2

Update Type:
Minor

Package:
js-yaml

Ecosystem:
npm

Version Change:
4.1.0 → 4.1.1

Update Type:
Patch

Package:
@modelcontextprotocol/sdk

Ecosystem:
npm

Version Change:
1.20.2 → 1.24.0

Update Type:
Minor

Security Advisories

glob CLI: Command injection via -c/--cmd executes matches with shell:true

GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH

### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <comm...

Actions

View on GitHub View Repository All Dependabot PRs

Technical Details

ID:	`11754248`
UUID:	`3696685215`
Node ID:	`PR_kwDONmSNmM63LWsl`
Host:	GitHub
Repository:	simstudioai/sim