Bump the "all" group with 7 updates across multiple ecosystems

[dependabot]

Bumps the all group with 1 update: ghcr.io/devcontainers/features/node.

Updates ghcr.io/devcontainers/features/node from 1.7.1 to 2.0.0

Updates the requirements on actions/checkout, actions/setup-node, actions/setup-go, actions/github-script, extractions/setup-just, github/gh-aw-actions, actions/upload-artifact and actions/cache to permit the latest version.
Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/setup-node from 4 to 6

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in actions/setup-node#1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in actions/setup-node#1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in actions/setup-node#1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-node#1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-node#1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-node#1345

New Contributors

• @​priya-kinthali made their first contribution in actions/setup-node#1348
• @​salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
• 8e49463 Fix README typo (#1226)
• Additional commits viewable in compare view

Updates actions/setup-go from 5 to 6

Release notes

Sourced from actions/setup-go's releases.

v6.0.0

What's Changed

Breaking Changes

• Improve toolchain handling to ensure more reliable and consistent toolchain selection and management by @​matthewhughes934 in actions/setup-go#460
• Upgrade Nodejs runtime from node20 to node 24 by @​salmanmkc in actions/setup-go#624

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in actions/setup-go#589
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-go#591
• Upgrade @​typescript-eslint/parser from 8.31.1 to 8.35.1 by @​dependabot[bot] in actions/setup-go#590
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-go#594
• Upgrade typescript from 5.4.2 to 5.8.3 by @​dependabot[bot] in actions/setup-go#538
• Upgrade eslint-plugin-jest from 28.11.0 to 29.0.1 by @​dependabot[bot] in actions/setup-go#603
• Upgrade form-data to bring in fix for critical vulnerability by @​matthewhughes934 in actions/setup-go#618
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-go#631

New Contributors

• @​matthewhughes934 made their first contribution in actions/setup-go#618
• @​salmanmkc made their first contribution in actions/setup-go#624

Full Changelog: actions/setup-go@v5...v6.0.0

v5.6.0

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in actions/setup-go#689

Full Changelog: actions/setup-go@v5...v5.6.0

v5.5.0

What's Changed

Bug fixes:

• Update self-hosted environment validation by @​priyagupta108 in actions/setup-go#556
• Add manifest validation and improve error handling by @​priyagupta108 in actions/setup-go#586
• Update template link by @​jsoref in actions/setup-go#527

Dependency updates:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-go#574
• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in actions/setup-go#573
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in actions/setup-go#582
• Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @​dependabot in actions/setup-go#537

New Contributors

• @​jsoref made their first contribution in actions/setup-go#527

Full Changelog: actions/setup-go@v5...v5.5.0

... (truncated)

Commits

• 4a36011 docs: fix Microsoft build of Go link (#734)
• 8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
• 27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
• def8c39 Rearrange README.md, add advanced-usage.md (#724)
• 4b73464 Fix golang download url to go.dev (#469)
• a5f9b05 Update default Go module caching to use go.mod (#705)
• 7a3fe6c Bump qs from 6.14.0 to 6.14.1 (#703)
• b9adafd Bump actions/checkout from 5 to 6 (#686)
• d73f6bc README.md: correct to actions/checkout@v6 (#683)
• ae252ee Bump @​actions/cache to v5 (#695)
• Additional commits viewable in compare view

Updates actions/github-script from 8.0.0 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Updates extractions/setup-just from 3 to 4

Commits

• 53165ef This is 4.0.0
• 3ed9feb Upgrade to latest setup-crate
• cf2bee9 Update setup-crate to Node 24 (#27)
• c261839 Bump actions/checkout from 5 to 6 (#25)
• See full diff in compare view

Updates github/gh-aw-actions to 63aa903fe409698e15e5718ad89366a72bfe6a89

Changelog

Sourced from github/gh-aw-actions's changelog.

Changelog

See https://github.com/github/gh-aw/blob/main/CHANGELOG.md for the changelog of the main gh-aw repository, which includes changes to this repository as well.

Commits

• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• See full diff in compare view

Updates actions/cache from 4 to 5

Release notes

Sourced from actions/cache's releases.

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in actions/cache#1630
• Prepare v5.0.0 release by @​salmanmkc in actions/cache#1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

What's Changed

• Update README.md by @​nebuk89 in actions/cache#1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in actions/cache#1634
• Prepare release 4.2.4 by @​Link- in actions/cache#1636

New Contributors

• @​nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

Bumps the all group in /test/harness with 7 updates:

Package	From	To
@github/copilot	1.0.41-1	1.0.41
@modelcontextprotocol/sdk	1.26.0	1.29.0
@types/node	25.3.3	25.6.0
openai	6.17.0	6.36.0
typescript	5.9.3	6.0.3
vitest	4.0.18	4.1.5
yaml	2.8.2	2.8.4

Updates @github/copilot from 1.0.41-1 to 1.0.41

Release notes

Sourced from @​github/copilot's releases.

1.0.41

2026-05-05

• CLI starts faster by rendering the UI immediately while authentication resolves in the background
• Shell completions (bash, zsh, fish) are automatically installed on first run and updated after copilot update
• Tab-completing slash commands that accept arguments now adds a trailing space automatically
• Package extraction no longer crashes on Windows when antivirus or filesystem locks cause transient EPERM errors
• Remote session connection errors show your logged-in account and tailored remediation steps
• Markdown formatting renders in ask user prompt questions
• Add experimental MCP Tasks support: MCP tools with taskSupport: "required" run as non-blocking background agents trackable via list_agents and read_agent (available when experimental mode is enabled, e.g. via /experimental on or the --experimental flag)
• Extensions now load in prompt mode (-p). User extensions load by default; project extensions alnd management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true.
• Assistant responses no longer contain spurious system notification XML tags
• Large output guidance correctly references the configured grep tool name
• Adding a plugin marketplace using a git SSH URL (e.g. git@github.com:owner/repo) now works correctly
• Slash command picker searches command descriptions and underlines matched characters
• Memory tool confirmation prompt now shows the scope (repository or user) when requesting permission to store a memory
• SQL todo timeline entries display more accurately for INSERT OR IGNORE/REPLACE and blocked status updates
• Streaming text and shimmer animations stay smooth on slow or busy hosts
• Add --attachment flag in non-interactive (-p/--prompt) mode to attach files (images or native documents) to the initial prompt
• @-mention completion works for ./ paths, no longer adds trailing space on directories, and shows project files before workspace roots
• Improve stability on Windows by working around a V8 crash in Node 24.x
• Session files containing Unicode line separator characters load correctly
• Reasoning effort picker hint text displays "Esc to cancel" with correct spacing
• Improve reliability of file edits by better recovering from fuzzy or misaligned edit blocks

Changelog

Sourced from @​github/copilot's changelog.

1.0.41 - 2026-05-05

• CLI starts faster by rendering the UI immediately while authentication resolves in the background
• Shell completions (bash, zsh, fish) are automatically installed on first run and updated after copilot update
• Tab-completing slash commands that accept arguments now adds a trailing space automatically
• Package extraction no longer crashes on Windows when antivirus or filesystem locks cause transient EPERM errors
• Remote session connection errors show your logged-in account and tailored remediation steps
• Markdown formatting renders in ask user prompt questions
• Add experimental MCP Tasks support: MCP tools with taskSupport: "required" run as non-blocking background agents trackable via list_agents and read_agent (available when experimental mode is enabled, e.g. via /experimental on or the --experimental flag)
• Extensions now load in prompt mode (-p). User extensions load by default; project extensions alnd management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true.
• Assistant responses no longer contain spurious system notification XML tags
• Large output guidance correctly references the configured grep tool name
• Adding a plugin marketplace using a git SSH URL (e.g. git@github.com:owner/repo) now works correctly
• Slash command picker searches command descriptions and underlines matched characters
• Memory tool confirmation prompt now shows the scope (repository or user) when requesting permission to store a memory
• SQL todo timeline entries display more accurately for INSERT OR IGNORE/REPLACE and blocked status updates
• Streaming text and shimmer animations stay smooth on slow or busy hosts
• Add --attachment flag in non-interactive (-p/--prompt) mode to attach files (images or native documents) to the initial prompt
• @-mention completion works for ./ paths, no longer adds trailing space on directories, and shows project files before workspace roots
• Improve stability on Windows by working around a V8 crash in Node 24.x
• Session files containing Unicode line separator characters load correctly
• Reasoning effort picker hint text displays "Esc to cancel" with correct spacing
• Improve reliability of file edits by better recovering from fuzzy or misaligned edit blocks

1.0.40 - 2026-05-01

• PR branch decoration displays correctly in the footer regardless of model name length
• /clear and /new reset the active custom agent selection
• Assistant responses stream with smoother text output
• copilot plugin list shows the correct version after running copilot plugin update
• Add support for client_credentials OAuth grant type for MCP servers, enabling fully headless authentication without a browser
• Subagents correctly evaluate tool search support for their own model instead of inheriting the parent session's settings
• Switching sessions with /new or /resume no longer carries over pending messages to the new session
• CLI no longer hangs at 100% CPU when sending a large file attachment
• Resume session picker no longer shows duplicate entries for the same Mission Control-backed session
• Session resume selector displays summaries on a single line, truncated to fit the column width
• Print "Exiting…" to stderr immediately on Ctrl+C during prompt mode so shutdown progress is visible
• /research uses an orchestrator/subagent model for more thorough and reliable deep research results
• Autopilot mode now limits continuation messages to 5 by default (configurable with --max-autopilot-continues)
• Automatically clean up old CLI package versions from disk during auto-update
• Remote session statusline shows the remote working directory and branch instead of local context
• /update no longer re-submits the original -i prompt after restarting
• Detect Azure DevOps repositories and auto-disable the GitHub MCP server
• Session history, file tracking, and the /chronicle command are now available to all users
• Skills are available as slash commands in ACP clients, matching the CLI experience
• Resuming a session no longer falsely reports it as in use after a previous CLI process exited unexpectedly
• --config-dir now propagates correctly to plugin subcommands; --config-dir is deprecated in favor of COPILOT_HOME
• Mouse selection works while the /ask response dialog is open, so its content can be highlighted and copied
• Improve CLI startup speed by loading custom CA certificates asynchronously
• Remote control link shows the full URL in the timeline instead of 'Open in browser'

... (truncated)

Commits

• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.26.0 to 1.29.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

• fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @​felixweinberger in modelcontextprotocol/typescript-sdk#1749
• [v1.x] fix: disallow null (infinite) requested TTL by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1339
• [v1.x] fix: add missing size field to ResourceSchema by @​olaservo in modelcontextprotocol/typescript-sdk#1575
• Add typings exports by @​tdraier in modelcontextprotocol/typescript-sdk#1623
• v1.x npm audit fix by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1780
• v1.x #1623 follow up -add missing types to package.json by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1773
• [v1.x backport] Allow servers / clients to advertise extensions in the capability object by @​localden in modelcontextprotocol/typescript-sdk#1811
• fix(stdio): always set windowsHide on Windows, not just in Electron by @​jnMetaCode in modelcontextprotocol/typescript-sdk#1640
• chore: bump version to 1.29.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

• @​tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623
• @​jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

• feat: implement auth/pre-registration conformance scenario by @​felixweinberger in modelcontextprotocol/typescript-sdk#1545
• docs: add governance documentation for SEP-1730 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1547
• docs: comprehensive feature documentation for SEP-1730 Tier 1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1548
• fix: prevent command injection in example URL opening (v1.x backport) by @​maxisbey in modelcontextprotocol/typescript-sdk#1579
• fix: call onerror for silently swallowed transport errors by @​qing-ant in modelcontextprotocol/typescript-sdk#1580
• chore: bump version to 1.27.1 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

• @​qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

• e12cbd7 chore: bump version to 1.29.0 (#1820)
• 3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
• 5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
• 7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
• 364f38c v1.x npm audit fix (#1780)
• c95cc09 Add typings exports (#1623)
• ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
• 2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
• 13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
• a056569 chore: bump version to 1.28.0 (#1746)
• Additional commits viewable in compare view

Updates @types/node from 25.3.3 to 25.6.0

Commits

• See full diff in compare view

Updates openai from 6.17.0 to 6.36.0

Release notes

Sourced from openai's releases.

v6.36.0

6.36.0 (2026-05-01)

Full Changelog: v6.35.0...v6.36.0

Features

• api: add group_type/user metadata fields, update types across admin resources (cc52f97)
• api: add support for Admin API Keys per endpoint (770d187)
• api: admin API updates (ee2bd2d)
• api: manual updates (6af2b6d)
• api: manual updates (f2dceda)

Bug Fixes

• api: support admin api key auth (e3862a3)
• api: tighten auth header selection (f1203bd)

Chores

• format: run eslint and prettier separately (104543a)
• internal: codegen related update (05d86da)
• internal: codegen related update (f184586)

v6.35.0

6.35.0 (2026-04-28)

Full Changelog: v6.34.0...v6.35.0

Features

• api: ...

  Description has been truncated