[deps] Update github.com/modelcontextprotocol/go-sdk from v1.4.1 to v1.5.0

[github-actions]

Summary

Update the github.com/modelcontextprotocol/go-sdk dependency from v1.4.1 to v1.5.0. This is a minor version update that stabilizes client-side OAuth APIs, introduces backwards-incompatible changes in the auth package, and adds Enterprise Managed Authorization support.

Current State

• Package: github.com/modelcontextprotocol/go-sdk
• Current Version: v1.4.1
• Proposed Version: v1.5.0
• Update Type: Minor version update

Why Separate Issue

⚠️ Minor version update with backwards-incompatible API changes

• Minor version update (v1.4.1 → v1.5.0)
• The auth package has breaking changes:
  • auth.AuthorizationCodeHandlerConfig.AuthorizationCodeFetcher type changed
  • auth.AuthorizationCodeHandlerConfig.PreregisteredClientConfig was removed and replaced with auth.AuthorizationCodeHandlerConfig.PreregisteredClient using the new oauthex.ClientCredentials type
  • auth.PreregisteredClientConfig type has been removed
  • Deprecated functionality removed from auth and oauthex packages
• New feature: Enterprise Managed Authorization support
• Needs individual review to assess impact on this repository's usage of the SDK

Safety Assessment

⚠️ Requires careful review

• The mcp_go_client_oauth build tag is no longer required (stabilized), which may change compilation behavior
• Breaking changes in the auth and oauthex packages require auditing current usage
• Data race fixes improve reliability but may subtly change concurrent behavior
• Tool input validation errors now return as tool results instead of JSON-RPC errors — this is a behavior change
• Security improvement: now verifies Origin and Content-Type headers

Changes

New Features:

• Stabilized client-side OAuth APIs (no longer requires mcp_go_client_oauth build tag)
• Enterprise Managed Authorization support (auth/extauth package)
• Accept parameterized Accept media types

Breaking Changes (in auth package):

• AuthorizationCodeHandlerConfig.AuthorizationCodeFetcher type changed to reusable auth.AuthorizationCodeFetcher
• PreregisteredClientConfig removed → replaced with PreregisteredClient using oauthex.ClientCredentials
• Deprecated auth/oauthex functionality removed

Bug Fixes & Improvements:

• Fix setProgressToken when Meta is nil
• Fix Unicode zero character handling
• Fix data races (re-enabled race test)
• Handle empty chunks in MemoryEventStore
• Verify Origin and Content-Type headers (security)
• Tool input validation errors returned as tool results (not JSON-RPC errors)
• Use http.ResponseController to ensure writes are flushed
• Protocol version updated to 2025-11-25
• Fix mutex protection on ioConn.protocolVersion

Links

• v1.5.0 Release Notes
• Full Changelog v1.4.1...v1.5.0
• Package Repository
• Go Package

Recommended Action

go get -u github.com/modelcontextprotocol/go-sdk@v1.5.0
go mod tidy

After updating, search for usage of removed/changed types:

# Check for usage of removed/changed auth types
grep -r "PreregisteredClientConfig\|mcp_go_client_oauth\|AuthorizationCodeFetcher" ./...

Testing Notes

• Run all tests: make test-unit
• Verify MCP server integration continues to work
• Check that any OAuth-related code compiles and functions correctly
• Test MCP tool error handling (input validation errors now return as tool results)
• Verify that HTTP header verification doesn't break existing clients

References:

• §24128986377

Generated by Dependabot Dependency Checker · ● 530K · ◷

• expires on Apr 10, 2026, 9:51 AM UTC

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot coding agent.

The Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · ● 397.4K · ◷