
chore: Pin @modelcontextprotocol/sdk to exact 1.29.0 #789

Merged
MQ37 merged 1 commit into master from chore/pin-sdk-version on May 5, 2026


MQ37 commented May 4, 2026

Context

Recent SDK upgrade from 1.25.2 → 1.29.0 happened transitively in #770 via @modelcontextprotocol/ext-apps@1.7.0, whose peer dep tightened to ^1.29.0. There was no explicit version-bump commit, so the change wasn't visible in PR review.

The new SDK ships a behavior change in `WebStandardStreamableHTTPServerTransport` (SDK PR #1580, released in v1.27.1): previously-silent 4xx paths now call `transport.onerror`, which surfaces as new `[MCP Error]` log spam in production. Already mitigated for the SSE-conflict case in #787.

Solution

Pin `@modelcontextprotocol/sdk` to exact `1.29.0` and add an `overrides` entry so transitive peer deps can't bump it. Future SDK bumps now require an explicit, reviewable edit.

Worth your attention

  • No runtime change — lockfile was already at 1.29.0; only the npm semver range narrows.
  • Affects published consumers — `@apify/actors-mcp-server` will require exactly 1.29.0. Consumers wanting a different SDK must use their own `overrides`. The internal repo is being pinned in lockstep (apify-mcp-server-internal PR).
  • Lockfile cleanup — `peer: true` flags removed from packages that were only peer-marked because the SDK was previously resolved as a transitive peer of ext-apps; structural-only, no functional impact.

Recent SDK upgrade from 1.25.2 to 1.29.0 happened transitively (via
@modelcontextprotocol/ext-apps@1.7.0 peer dep ^1.29.0) without an
explicit version-bump diff, shipping a behavior change in
WebStandardStreamableHTTPServerTransport (now calls onerror on
previously-silent 4xx paths) that surfaced as new [MCP Error] log
spam in prod.

Pin the direct dep to exact 1.29.0 and add overrides so transitive
peer deps cannot bump it. Future bumps require an explicit edit and
PR review.

No runtime change: lockfile was already resolving to 1.29.0; only
the npm semver range narrows.
github-actions bot added the t-ai label (Issues owned by the AI team.) May 4, 2026
MQ37 requested a review from jirispilka May 4, 2026 14:26
MQ37 merged commit a8513b8 into master May 5, 2026
9 checks passed
MQ37 deleted the chore/pin-sdk-version branch May 5, 2026 11:57
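A CI-style check for the pinning described in this PR, as an added example that is not part of the pull request or the project's code: it confirms a dependency uses an exact version, has a matching npm `overrides` entry, and resolves to that one version everywhere in a v2/v3 `package-lock.json`. The function name `checkPin` and all sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not the project's code): verify that a dependency is pinned to
// an exact version, guarded by an npm `overrides` entry, and that every copy in
// a v2/v3 package-lock.json resolves to that same version.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // x.y.z only: no ^, ~, ranges, tags

function checkPin(pkg, lock, name) {
  const problems = [];
  const direct = (pkg.dependencies || {})[name];
  if (direct === undefined) return [`${name} is not a direct dependency`];
  const exact = EXACT.test(direct);
  if (!exact) problems.push(`direct spec "${direct}" is a range, not an exact version`);

  // An override may be a plain string, "$<name>" (reuse the direct spec), or an
  // object whose "." key gives the version for the package itself.
  let override = (pkg.overrides || {})[name];
  if (override && typeof override === 'object') override = override['.'];
  if (override === `$${name}`) override = direct;
  if (override === undefined) problems.push(`no overrides entry for ${name}`);
  else if (override !== direct) problems.push(`override "${override}" differs from direct spec "${direct}"`);

  // Lockfile keys: "node_modules/<name>" or "node_modules/a/node_modules/<name>".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (exact && isCopy && entry.version !== direct) problems.push(`${path} resolves to ${entry.version}`);
  }
  return problems;
}

// Constructed sample inputs (not copied from the repository).
const SDK = '@modelcontextprotocol/sdk';
const rangedPkg = { dependencies: { [SDK]: '^1.25.2' } };
const pinnedPkg = { dependencies: { [SDK]: '1.29.0' }, overrides: { [SDK]: '1.29.0' } };
const lock = { packages: { [`node_modules/${SDK}`]: { version: '1.29.0' } } };
const splitLock = { packages: {
  [`node_modules/${SDK}`]: { version: '1.29.0' },
  [`node_modules/some-dep/node_modules/${SDK}`]: { version: '1.25.2' }, // hypothetical nested copy
} };

console.log(checkPin(rangedPkg, lock, SDK));      // range + missing override
console.log(checkPin(pinnedPkg, lock, SDK));      // no problems
console.log(checkPin(pinnedPkg, splitLock, SDK)); // nested copy at another version
```

Run against the real `package.json` and `package-lock.json` in CI, a non-empty result is the signal to fail the build, so an SDK bump can only land through an explicit manifest edit.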