Resolve NuGet security advisories + upgrade ModelContextProtocol to 1.4.0 #485
Open
rockfordlhotka wants to merge 3 commits into
… KubernetesClient)

- Bump KubernetesClient 16.* -> 17.* (17.0.14) to clear GHSA-w7r3-mgwf-4mqq in RockBot.Scripts.Container and RockBot.Scripts.Tests.
- Transitive-pin MessagePack 2.5.302 and Nerdbank.MessagePack 1.2.4 in RockBot.Agent (via ModelContextProtocol) and RockBot.Llm.Copilot (via GitHub.Copilot.SDK/StreamJsonRpc), clearing GHSA-hv8m-jj95-wg3x, GHSA-2cwq-pwfr-wcw3, GHSA-92vj-hp7m-gwcj, GHSA-qjvr-435c-5fjh. Pins stay in-major to remain API-compatible rather than jumping ModelContextProtocol 0.8.0-preview.1 -> 1.4.0.

Clean build: 0 advisory warnings (was 40 total). Full test suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps both SDK surfaces to the current stable release:

- ModelContextProtocol 1.4.0 in RockBot.Agent and RockBot.Tools.Mcp
- ModelContextProtocol.AspNetCore 1.4.0 in the three McpServer.* projects

The 0.8 -> 1.4 range carries one breaking change that touches this code: ImageContentBlock.Data / AudioContentBlock.Data changed from string to ReadOnlyMemory<byte> (0.9.0-preview.1). McpToolExecutor.MapContentBlocks now base64-encodes the bytes into the (string) ToolContentBlock.Data; the corresponding test constructs byte data and asserts the base64 output. Everything else in the consumed surface (McpClient.CreateAsync, HttpClientTransport, ListTools/CallTool/GetPrompt, ServerInfo, McpClientTool/Prompt, CallToolResult, TextContentBlock, server attributes, AddMcpServer().WithHttpTransport().WithTools<T>(), MapMcp) is unchanged. No TFM/runtime bump.

Also corrects the MessagePack pin comment in RockBot.Agent.csproj: that chain enters via RockBot.Llm.Copilot -> GitHub.Copilot.SDK -> StreamJsonRpc, not via ModelContextProtocol, so the pins remain necessary independent of this upgrade.

Note (deploy-time): legacy SSE endpoints became opt-in at 1.2.0. The agent connects to the internal MCP servers at root with TransportMode=AutoDetect (negotiates Streamable HTTP), so this should be transparent — verify agent<->server connectivity after deploy.

Clean build: 0 errors, 0 advisory warnings. Full test suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New feature: ModelContextProtocol upgraded to 1.4.0 (minor bump). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR performs dependency hygiene updates to eliminate NuGet security advisory warnings and upgrades the ModelContextProtocol (MCP) SDK from a preview version to the current stable release, with a small code adjustment to accommodate MCP’s binary content API change.
Changes:
- Upgrades ModelContextProtocol / ModelContextProtocol.AspNetCore to 1.4.0 and updates MCP content block mapping to base64-encode image/audio bytes.
- Clears NU1902/NU1903 advisories by bumping KubernetesClient to 17.* and pinning transitive MessagePack / Nerdbank.MessagePack to patched versions.
- Bumps repo/package version to 0.14.0.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/RockBot.Tools.Tests/McpToolExecutorTests.cs | Updates image content test to reflect MCP binary data change (bytes → base64 string). |
| tests/RockBot.Scripts.Tests/RockBot.Scripts.Tests.csproj | Bumps KubernetesClient to 17.* to address advisories. |
| src/RockBot.Tools.Mcp/RockBot.Tools.Mcp.csproj | Upgrades ModelContextProtocol to 1.4.0. |
| src/RockBot.Tools.Mcp/McpToolExecutor.cs | Base64-encodes image/audio ReadOnlyMemory<byte> into ToolContentBlock.Data. |
| src/RockBot.Scripts.Container/RockBot.Scripts.Container.csproj | Bumps KubernetesClient to 17.* to address advisories. |
| src/RockBot.Llm.Copilot/RockBot.Llm.Copilot.csproj | Adds transitive pins for patched MessagePack / Nerdbank.MessagePack. |
| src/RockBot.Agent/RockBot.Agent.csproj | Upgrades MCP SDK + adds transitive pins for patched MessagePack / Nerdbank.MessagePack. |
| src/McpServer.TodoApp/McpServer.TodoApp.csproj | Upgrades ModelContextProtocol.AspNetCore to 1.4.0. |
| src/McpServer.OpenRouter/McpServer.OpenRouter.csproj | Upgrades ModelContextProtocol.AspNetCore to 1.4.0. |
| src/McpServer.Introspection/McpServer.Introspection.csproj | Upgrades ModelContextProtocol.AspNetCore to 1.4.0. |
| Directory.Build.props | Bumps version to 0.14.0. |
Comment on lines +81 to +82
| ImageContentBlock img => new ToolContentBlock { Type = "image", Data = Convert.ToBase64String(img.Data.Span), MimeType = img.MimeType }, | ||
| AudioContentBlock audio => new ToolContentBlock { Type = "audio", Data = Convert.ToBase64String(audio.Data.Span), MimeType = audio.MimeType }, |
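Review bot: Convert.ToBase64String(img.Data.Span) and its audio counterpart assume that Data holds raw decoded bytes. If the SDK instead exposes the wire-format base64 text as UTF-8 bytes in that ReadOnlyMemory<byte>, this mapping encodes an already-encoded payload and every consumer of ToolContentBlock.Data receives unusable image/audio data. Please confirm the Data contract in the 1.4.0 API documentation and cover it with a test that maps a CallToolResult deserialized from JSON rather than one built in memory.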
| Assert.AreEqual("text", blocks[0].Type); | ||
| Assert.AreEqual("image", blocks[1].Type); | ||
| Assert.AreEqual("abc123", blocks[1].Data); | ||
| Assert.AreEqual(Convert.ToBase64String(imageBytes), blocks[1].Data); |
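Review bot: the assertion Assert.AreEqual(Convert.ToBase64String(imageBytes), blocks[1].Data) derives its expected value with the same call the mapper uses, so it passes regardless of whether the encoding assumption is right. Assert against a literal base64 string for known input bytes, and add a matching assertion for an audio block, since the audio mapping changed the same way and is not exercised in the lines shown.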
Two related dependency-hygiene changes. Originally scoped to the security advisories; the MCP SDK upgrade was folded in afterward.
1. NuGet security advisories
Clears all outstanding advisory warnings (NU1903/NU1902) surfaced during build.
MessagePack
Nerdbank.MessagePack
KubernetesClient 16.* → 17.* in RockBot.Scripts.Container and RockBot.Scripts.Tests.
RockBot.Llm.Copilot → GitHub.Copilot.SDK → StreamJsonRpc). Resolved with transitive pins in RockBot.Agent and RockBot.Llm.Copilot, which propagate to their test projects via project reference.

2. ModelContextProtocol 0.8.0-preview.1 → 1.4.0
Brings both MCP SDK surfaces to the current stable release:
- ModelContextProtocol 1.4.0 in RockBot.Agent and RockBot.Tools.Mcp
- ModelContextProtocol.AspNetCore 1.4.0 in the three McpServer.* projects

The 0.8→1.4 range carries one breaking change that touches this code: ImageContentBlock.Data / AudioContentBlock.Data changed from string to ReadOnlyMemory<byte> (0.9.0-preview.1). McpToolExecutor.MapContentBlocks now base64-encodes the bytes into the (string) ToolContentBlock.Data; the corresponding test was updated to construct byte data and assert the base64 output. The major API reshaping (McpClient.CreateAsync, ContentBlock/CallToolResult, the .Protocol namespace) predates 0.8, so the rest of the consumed surface is unchanged. No TFM/runtime bump.

Note these two changes are independent: the MessagePack chain enters via Copilot/StreamJsonRpc, not via ModelContextProtocol, so the pins remain necessary regardless of the MCP upgrade.
Verification
CA1416 platform notes, unrelated).
dotnet list package.

Deploy-time follow-up (not covered by tests)
Legacy SSE endpoints became opt-in at MCP 1.2.0. The agent connects to the internal MCP servers at root with TransportMode=AutoDetect (negotiates Streamable HTTP), so this should be transparent — verify agent↔server connectivity after deploy.

🤖 Generated with Claude Code
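
As an added example, not part of this PR or the RockBot repository: a CI gate over the JSON report from `dotnet list package --vulnerable --include-transitive --format json`, reporting direct and transitive findings separately because the MessagePack advisories described above arrived transitively. The JSON field names are assumed from the SDK's report format and should be checked against the SDK version in use; the sample report is constructed, with placeholder package ids and advisory URL.

```python
import json
import sys

# Constructed sample in the assumed shape of
# `dotnet list package --vulnerable --include-transitive --format json`.
# Package ids, versions and the advisory URL are placeholders.
ADVISORY = "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"
SAMPLE_REPORT = json.dumps({"version": 1, "projects": [
    {"path": "src/Example.App/Example.App.csproj", "frameworks": [{
        "framework": "net8.0",
        "topLevelPackages": [{
            "id": "Example.Direct", "resolvedVersion": "16.0.0",
            "vulnerabilities": [{"severity": "Moderate", "advisoryurl": ADVISORY}]}],
        "transitivePackages": [{
            "id": "Example.Transitive", "resolvedVersion": "2.5.100",
            "vulnerabilities": [{"severity": "High", "advisoryurl": ADVISORY}]}],
    }]},
    {"path": "src/Example.Clean/Example.Clean.csproj"},  # clean: no frameworks
]})

SCOPES = (("direct", "topLevelPackages"), ("transitive", "transitivePackages"))

def find_vulnerable(report_json):
    """Return sorted, de-duplicated (project, package, version, scope, severity, url)."""
    findings = set()  # a set collapses repeats across target frameworks
    for project in json.loads(report_json).get("projects", []):
        for framework in project.get("frameworks", []):
            for scope, key in SCOPES:
                for pkg in framework.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.add((project["path"], pkg["id"],
                                      pkg.get("resolvedVersion", "?"), scope,
                                      vuln.get("severity", "unknown"),
                                      vuln.get("advisoryurl", "")))
    return sorted(findings)

def gate(report_json):
    """Print each finding; return 1 (fail the build) if any exist, else 0."""
    findings = find_vulnerable(report_json)
    for project, pkg, version, scope, severity, url in findings:
        print(f"{severity:<9}{scope:<11}{pkg} {version} in {project} ({url})")
    return 1 if findings else 0

if __name__ == "__main__":
    # Real use: pipe the dotnet command's JSON output into this script.
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(report))
```

A "transitive" finding is the case that needs a pin in the consuming project, as done here for MessagePack and Nerdbank.MessagePack; a "direct" finding is fixed by bumping the reference itself.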