Bump the minor-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the minor-dependencies group with 4 updates in the / directory: github.com/Masterminds/semver/v3, github.com/modelcontextprotocol/go-sdk, golang.org/x/crypto and github.com/spf13/pflag.

Updates github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0

Release notes

Sourced from github.com/Masterminds/semver/v3's releases.

v3.5.0

What's Changed

• Adding more prerelease tests by @​mattfarina in Masterminds/semver#273
• Update constraint error messages by @​mattfarina in Masterminds/semver#278
• Fix edge cases by @​mattfarina in Masterminds/semver#279
• Adding some checks in by @​mattfarina in Masterminds/semver#280
• Updating deps by @​mattfarina in Masterminds/semver#281
• Bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in Masterminds/semver#282
• Bump actions/cache from 4.2.3 to 5.0.5 by @​dependabot[bot] in Masterminds/semver#283
• Bump golangci/golangci-lint-action from 7.0.1 to 9.2.0 by @​dependabot[bot] in Masterminds/semver#284
• Updating gitignore for devcontainers by @​mattfarina in Masterminds/semver#286
• Fixing some quality issues by @​mattfarina in Masterminds/semver#287

New Contributors

• @​dependabot[bot] made their first contribution in Masterminds/semver#282

Full Changelog: Masterminds/semver@v3.4.0...v3.5.0

Changelog

Sourced from github.com/Masterminds/semver/v3's changelog.

Changelog

Commits

• 8b89c86 Merge pull request #287 from mattfarina/fix-da-issues
• 29d51d0 Fixing some quality issues
• 87f651d Merge pull request #286 from mattfarina/update-devcontainer
• 158a685 Updating gitignore for devcontainers
• 7e83c08 Merge pull request #284 from Masterminds/dependabot/github_actions/golangci/g...
• 697e27f Merge pull request #283 from Masterminds/dependabot/github_actions/actions/ca...
• 1591f8e Merge pull request #282 from Masterminds/dependabot/github_actions/github/cod...
• 3f5ff17 Bump golangci/golangci-lint-action from 7.0.1 to 9.2.0
• 04baa33 Bump actions/cache from 4.2.3 to 5.0.5
• 45939fe Bump github/codeql-action from 4.35.1 to 4.35.2
• Additional commits viewable in compare view

Updates github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.6.1

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.1

This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.

Behavior Changes

Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it. This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests. See #957.

What's Changed

• mcp: add MCPGPDEBUG for opt-in Content-Type check by @​guglielmo-san in modelcontextprotocol/go-sdk#972

Full Changelog: modelcontextprotocol/go-sdk@v1.6.0...v1.6.1

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

• extauth: add ClientCredentialsHandler for OAuth client credentials grant by @​ravyg in modelcontextprotocol/go-sdk#895

2026-06-30 Release related PRs

• feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

  New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

• feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

  By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

• mcp: remove default cross origin protection by @​maciej-kisiel in modelcontextprotocol/go-sdk#906

... (truncated)

Commits

• d454bba mcp: add MCPGPDEBUG for opt-in Content-Type check (#972)
• f5f2015 MCPGODEBUG update for 1.6.0 (#893)
• e01639a feat: HTTP Header Standardization for method and name (#907)
• 93a41b2 internal/jsonrpc2: remove unused code (#910)
• 446beae mcp: Upgrade jsonschema-go (#912)
• 2e21834 extauth: add ClientCredentialsHandler for OAuth client credentials grant (#895)
• 2643b22 feat: add automatic application_type inference (#904)
• db50910 mcp: do not re-prompt OAuth after cancelled Authorize (#885)
• 5f2cd8f mcp: preserve transport errors in Write error chain (#888)
• 0edc597 Update README.md (#896)
• Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.48.0 to 0.52.0

Commits

• a1c0d99 go.mod: update golang.org/x dependencies
• 3c7c869 ssh: fix deadlock on unexpected channel responses
• 533fb3f ssh: fix source-address critical option bypass
• abbc44d ssh: fix incorrect operator order
• e052873 ssh: fix infinite loop on large channel writes due to integer overflow
• b61cf85 ssh: enforce user presence verification for security keys
• 9c2cd33 ssh: enforce strict limits on DSA key parameters
• 8907318 ssh: reject RSA keys with excessively large moduli
• ffd87b4 ssh: fix panic when authority callbacks are nil
• 4e7a738 ssh: fix deadlock on unexpected global responses
• Additional commits viewable in compare view

Updates golang.org/x/term from 0.40.0 to 0.43.0

Commits

• 3c3e485 go.mod: update golang.org/x dependencies
• 52b71d3 go.mod: update golang.org/x dependencies
• 9d2dc07 go.mod: update golang.org/x dependencies
• d954e03 all: upgrade go directive to at least 1.25.0 [generated]
• See full diff in compare view

Updates github.com/spf13/pflag from 1.0.9 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

What's Changed

• fix deprecation comment for (FlagSet.)ParseErrorsWhitelist by @​thaJeztah in spf13/pflag#447
• remove uses of errors.Is, which requires go1.13, move go1.16/go1.21 tests to separate file by @​thaJeztah in spf13/pflag#448

New Contributors

• @​thaJeztah made their first contribution in spf13/pflag#447

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

Commits

• 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
• 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
• 7e4dfb1 Test on Go 1.12
• 18a9d17 move Func, BoolFunc, tests as they require go1.21
• c5b9e98 remove uses of errors.Is, which requires go1.13
• 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
• See full diff in compare view