
VULN UPGRADE: minor upgrades — 7 packages (minor: 2 · patch: 5) [proof-of-concept-exploits/postgres-mcp]#35

Open
campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/postgres-mcp/1-1773069689

Conversation

@campaigner-prod

Summary: High-severity security update — 7 packages upgraded (MINOR changes included)

Manifests changed:

  • proof-of-concept-exploits/postgres-mcp (npm)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | 1.15.1 | 1.27.1 | minor | 6 HIGH |
| pg | 8.16.3 | 8.19.0 | minor | - |
| @ai-sdk/openai | 1.3.23 | 1.3.24 | patch | - |
| @ai-sdk/openai-compatible | 0.2.15 | 0.2.16 | patch | - |
| @openrouter/ai-sdk-provider | 0.7.2 | 0.7.5 | patch | - |
| ai | 4.3.17 | 4.3.19 | patch | 2 LOW |
| dotenv | 17.2.0 | 17.2.4 | patch | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (6 fixed)
| Package | Advisory (GHSA/CVE) | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @modelcontextprotocol/sdk | GHSA-8r9q-7v3j-jr4g | HIGH | Anthropic's MCP TypeScript SDK has a ReDoS vulnerability | 1.15.1 | 1.25.2 |
| @modelcontextprotocol/sdk | CVE-2026-0621 | HIGH | - | 1.15.1 | - |
| @modelcontextprotocol/sdk | GHSA-345p-7cg4-v4c7 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.15.1 | 1.26.0 |
| @modelcontextprotocol/sdk | CVE-2026-25536 | HIGH | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 1.15.1 | - |
| @modelcontextprotocol/sdk | GHSA-w48q-cv73-mx4w | HIGH | Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default | 1.15.1 | 1.24.0 |
| @modelcontextprotocol/sdk | CVE-2025-66414 | HIGH | DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost | 1.15.1 | - |

ℹ️ Other Vulnerabilities (2)
| Package | Advisory (GHSA/CVE) | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ai | GHSA-rwvc-j5jr-mgvh | LOW | Vercel's AI SDK's filetype whitelists can be bypassed when uploading files | 4.3.17 | 5.0.52 |
| ai | CVE-2025-48985 | LOW | - | 4.3.17 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
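The DNS-rebinding advisory in the table above (GHSA-w48q-cv73-mx4w / CVE-2025-66414) is about a localhost MCP server accepting HTTP requests whose Host header names an attacker's domain that has been rebound to 127.0.0.1. The following is an added example, not code from the postgres-mcp repository or from @modelcontextprotocol/sdk: it reimplements the Host/Origin check that rebinding protection performs, shows the unprotected default beside the hardened behaviour, and runs stand-alone. The option names (enableDnsRebindingProtection, allowedHosts, allowedOrigins) are chosen to resemble the SDK's transport options and are an assumption here, as are the constructed request headers.

```javascript
// Added example, not code from postgres-mcp or @modelcontextprotocol/sdk.
// Reimplements the Host/Origin validation behind DNS-rebinding protection
// for an MCP server bound to localhost. A browser tab on attacker.example
// can rebind that hostname to 127.0.0.1 and reach the local server, but the
// browser still sends "Host: attacker.example" (and an Origin header), which
// is exactly what the check rejects.

// Hosts a localhost-bound server accepts by default (port is ignored).
const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Lower-case a Host value and drop the port, keeping IPv6 brackets intact,
// so "LocalHost:3000" and "localhost" compare equal.
function normalizeHost(host) {
  if (typeof host !== "string") return null;
  const h = host.trim().toLowerCase();
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    return end === -1 ? null : h.slice(0, end + 1);
  }
  const colon = h.lastIndexOf(":");
  return colon === -1 ? h : h.slice(0, colon);
}

// Decide whether a request may reach the server. Returns { ok: true } or
// { ok: false, status: 403, reason }. `headers` is a plain object with
// lower-case keys, the shape Node's http.IncomingMessage.headers has.
// Option names mirror the SDK's transport options (assumption).
function checkRebinding(headers, options = {}) {
  const protect = options.enableDnsRebindingProtection ?? true;
  const allowedHosts = (options.allowedHosts ?? DEFAULT_ALLOWED_HOSTS).map(normalizeHost);
  const allowedOrigins = (options.allowedOrigins ?? []).map((o) => o.toLowerCase());

  // The pre-fix default described by the advisory: no check at all, so a
  // request carrying a rebound hostname is accepted.
  if (!protect) return { ok: true };

  const host = normalizeHost(headers.host);
  if (!host || !allowedHosts.includes(host)) {
    return { ok: false, status: 403, reason: `Invalid Host header: ${headers.host ?? "(missing)"}` };
  }

  // Browsers always send Origin on cross-site fetches; non-browser MCP
  // clients usually send none, which is allowed. Any Origin that is present
  // must be explicitly allow-listed.
  if (headers.origin !== undefined) {
    const origin = String(headers.origin).toLowerCase();
    if (!allowedOrigins.includes(origin)) {
      return { ok: false, status: 403, reason: `Invalid Origin header: ${headers.origin}` };
    }
  }
  return { ok: true };
}

// Constructed requests (not captured traffic):
//  - a local MCP client such as an IDE talking to 127.0.0.1
//  - a browser tab on attacker.example whose DNS was rebound to 127.0.0.1;
//    the TCP connection lands on the local server, but the browser still
//    sends the attacker's Host and Origin
//  - a browser tab served from localhost itself
const LOCAL_CLIENT = { host: "127.0.0.1:3000", "content-type": "application/json" };
const REBOUND_BROWSER = { host: "attacker.example", origin: "http://attacker.example", "content-type": "application/json" };
const LOCAL_BROWSER = { host: "localhost:3000", origin: "http://localhost:3000" };

function demo() {
  return {
    // Vulnerable configuration: protection off, rebound request accepted.
    unprotectedRebound: checkRebinding(REBOUND_BROWSER, { enableDnsRebindingProtection: false }).ok,
    // Hardened configuration: the same request is rejected on the Host header.
    protectedRebound: checkRebinding(REBOUND_BROWSER),
    protectedLocal: checkRebinding(LOCAL_CLIENT).ok,
    // A browser on localhost still needs its origin allow-listed.
    localBrowserNoOrigins: checkRebinding(LOCAL_BROWSER).ok,
    localBrowserAllowed: checkRebinding(LOCAL_BROWSER, { allowedOrigins: ["http://localhost:3000"] }).ok,
  };
}

console.log(demo());
```

The Host check is what stops rebinding, because the attacker cannot make a victim's browser send a localhost Host value for a page loaded from attacker.example; the Origin check is the second layer for browser-originated traffic and is why browser clients of a local MCP server must be allow-listed explicitly. Separately, a reviewer should note that the table lists 5.0.52 as the fixed version for the `ai` advisory while this PR moves `ai` only to 4.3.19, so whether the "2 LOW" count is really closed by this upgrade is worth confirming against the advisory before merging.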
