Copilot AI commented Jan 17, 2026

Description

Resolves merge conflicts from Dependabot PR and addresses three critical security vulnerabilities in the mcp dependency by updating all packages to mcp>=1.23.0.

Security vulnerabilities fixed:

  • DNS rebinding protection not enabled by default (CVE affecting versions < 1.23.0)
  • FastMCP Server validation error causing DoS (affecting versions < 1.9.4)
  • Unhandled exception in Streamable HTTP Transport causing DoS (affecting versions < 1.10.0)

Changes:

  • Merged origin/main containing PR #3222 (fix(time): Fix McpError constructor usage in time server) with its McpError API fix
  • Updated pyproject.toml for all packages: src/time, src/git, src/fetch
  • Regenerated lock files: mcp 1.1.0 → 1.25.0 (git), mcp 1.2.0 → 1.25.0 (fetch)
  • Applied McpError(ErrorData(...)) constructor fix in src/time/src/mcp_server_time/server.py

Server Details

  • Servers: time, git, fetch
  • Changes to: dependency versions, error handling API

Motivation and Context

Dependabot PR conflicted with main branch after PR #3222 merged. Main branch already contained necessary security updates and API compatibility fixes for mcp 1.23.0's breaking changes. Lock files still referenced vulnerable versions despite pyproject.toml updates.

How Has This Been Tested?

  • CodeQL security scan: no alerts
  • GitHub Advisory Database: no vulnerabilities in mcp 1.25.0
  • Code review: no issues
  • Lock file verification: all packages use mcp 1.25.0

Breaking Changes

None. Changes maintain backward compatibility while fixing security issues.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follow MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Additional context

The McpError constructor in mcp 1.23.0 requires ErrorData objects instead of plain strings. Time server updated via main merge; fetch server already compliant; git server does not use McpError.


koic and others added 3 commits January 17, 2026 23:12
Fixes CI failures in PR #3220.

PR #3220 updated `mcp` library from 1.0.0 to 1.23.0, which caused test
failures due to a breaking change in `McpError` constructor API.

The `McpError` constructor now expects an `ErrorData` object instead of
a plain string message. This commit fixes the usage in `get_zoneinfo()`
function to use `ErrorData(code=INVALID_PARAMS, message=...)`.

```console
Error before fix:
  AttributeError: 'str' object has no attribute 'message'
```

Also updates `mcp` dependency to >=1.23.0 in pyproject.toml to ensure
compatibility with the new API.
fix(time): Fix `McpError` constructor usage in time server
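The `McpError` constructor change the commit message and the PR's "Additional context" describe, as an added example (not the project's or the mcp library's code): it imports the real mcp package when installed and otherwise falls back to a stand-in that reproduces the described behaviour; `get_zoneinfo_old`, `get_zoneinfo` and `error_kind` are hypothetical helpers modelled on the time server's function.

```python
from dataclasses import dataclass
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    from mcp.shared.exceptions import McpError
    from mcp.types import INVALID_PARAMS, ErrorData
except ImportError:
    # Offline stand-in (an assumption, not the mcp library's code) modelled on
    # the behaviour the commit message describes: the constructor reads
    # `.message` from its argument, so a plain str raises AttributeError.
    INVALID_PARAMS = -32602  # JSON-RPC "invalid params" error code

    @dataclass
    class ErrorData:
        code: int
        message: str

    class McpError(Exception):
        def __init__(self, error):
            super().__init__(error.message)
            self.error = error


def get_zoneinfo_old(timezone_name: str) -> ZoneInfo:
    """Pre-1.23.0 style (hypothetical): passes a bare string to McpError."""
    try:
        return ZoneInfo(timezone_name)
    except ZoneInfoNotFoundError as e:
        raise McpError(f"Invalid timezone: {e}")


def get_zoneinfo(timezone_name: str) -> ZoneInfo:
    """Fixed style: wrap the message in ErrorData with a JSON-RPC error code."""
    try:
        return ZoneInfo(timezone_name)
    except ZoneInfoNotFoundError as e:
        raise McpError(ErrorData(code=INVALID_PARAMS, message=f"Invalid timezone: {e}"))


def error_kind(func, timezone_name: str) -> str:
    """Classify what a caller sees: a proper McpError carrying its code, or the
    unrelated exception that escapes when the error path itself is broken."""
    try:
        func(timezone_name)
        return "ok"
    except McpError as e:
        return f"McpError:{e.error.code}"
    except Exception as e:  # e.g. AttributeError from the old constructor usage
        return type(e).__name__
```

With the old call the error path itself crashes with `AttributeError`, which is the unhandled-exception failure the commit message quotes; the fixed call yields a structured `McpError` with code `-32602`.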
Copilot AI and others added 4 commits January 17, 2026 18:07
Co-authored-by: olaservo <16480113+olaservo@users.noreply.github.com>
Copilot AI commented Jan 17, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • astral.sh
    • Triggering command: /usr/bin/curl curl -LsSf REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Bump uv group across multiple directories with updates Resolve merge conflicts and fix critical mcp security vulnerabilities Jan 17, 2026
Copilot AI requested a review from olaservo January 17, 2026 18:17
@dependabot dependabot bot deleted the branch dependabot/uv/src/time/uv-39e4517766 January 19, 2026 15:37
@dependabot dependabot bot closed this Jan 19, 2026