Skip to content

Resolve NuGet security advisories + upgrade ModelContextProtocol to 1.4.0#485

Open
rockfordlhotka wants to merge 3 commits into
mainfrom
fix/nuget-advisories
Open

Resolve NuGet security advisories + upgrade ModelContextProtocol to 1.4.0#485
rockfordlhotka wants to merge 3 commits into
mainfrom
fix/nuget-advisories

Conversation

@rockfordlhotka

@rockfordlhotka rockfordlhotka commented Jun 18, 2026

Copy link
Copy Markdown
Member

Two related dependency-hygiene changes. Originally scoped to the security advisories; the MCP SDK upgrade was folded in afterward.

1. NuGet security advisories

Clears all outstanding advisory warnings (NU1903/NU1902) surfaced during build.

Package Was Now Advisory
MessagePack 2.5.198 2.5.302 GHSA-hv8m-jj95-wg3x (high)
Nerdbank.MessagePack 1.0.2 1.2.4 GHSA-2cwq-pwfr-wcw3 (high), GHSA-92vj-hp7m-gwcj, GHSA-qjvr-435c-5fjh (moderate)
KubernetesClient 16.0.7 17.0.14 GHSA-w7r3-mgwf-4mqq (moderate)
  • KubernetesClient is a direct reference — bumped 16.*17.* in RockBot.Scripts.Container and RockBot.Scripts.Tests.
  • MessagePack / Nerdbank.MessagePack are transitive (via RockBot.Llm.CopilotGitHub.Copilot.SDKStreamJsonRpc). Resolved with transitive pins in RockBot.Agent and RockBot.Llm.Copilot, which propagate to their test projects via project reference.

2. ModelContextProtocol 0.8.0-preview.1 → 1.4.0

Brings both MCP SDK surfaces to the current stable release:

  • ModelContextProtocol 1.4.0 in RockBot.Agent and RockBot.Tools.Mcp
  • ModelContextProtocol.AspNetCore 1.4.0 in the three McpServer.* projects

The 0.8→1.4 range carries one breaking change that touches this code: ImageContentBlock.Data / AudioContentBlock.Data changed from string to ReadOnlyMemory<byte> (0.9.0-preview.1). McpToolExecutor.MapContentBlocks now base64-encodes the bytes into the (string) ToolContentBlock.Data; the corresponding test was updated to construct byte data and assert the base64 output. The major API reshaping (McpClient.CreateAsync, ContentBlock/CallToolResult, the .Protocol namespace) predates 0.8, so the rest of the consumed surface is unchanged. No TFM/runtime bump.

Note these two changes are independent: the MessagePack chain enters via Copilot/StreamJsonRpc, not via ModelContextProtocol, so the pins remain necessary regardless of the MCP upgrade.

Verification

  • Clean rebuild: 0 errors, 0 advisory warnings (was 40 total; the only remaining 2 are pre-existing Windows-only CA1416 platform notes, unrelated).
  • Resolved versions confirmed patched via dotnet list package.
  • Full test suite green — no failures, including every project whose dependency graph changed.

Deploy-time follow-up (not covered by tests)

Legacy SSE endpoints became opt-in at MCP 1.2.0. The agent connects to the internal MCP servers at root with TransportMode=AutoDetect (negotiates Streamable HTTP), so this should be transparent — verify agent↔server connectivity after deploy.

🤖 Generated with Claude Code

rockfordlhotka and others added 2 commits June 18, 2026 14:17
… KubernetesClient)

- Bump KubernetesClient 16.* -> 17.* (17.0.14) to clear GHSA-w7r3-mgwf-4mqq
  in RockBot.Scripts.Container and RockBot.Scripts.Tests.
- Transitive-pin MessagePack 2.5.302 and Nerdbank.MessagePack 1.2.4 in
  RockBot.Agent (via ModelContextProtocol) and RockBot.Llm.Copilot (via
  GitHub.Copilot.SDK/StreamJsonRpc), clearing GHSA-hv8m-jj95-wg3x,
  GHSA-2cwq-pwfr-wcw3, GHSA-92vj-hp7m-gwcj, GHSA-qjvr-435c-5fjh.

Pins stay in-major to remain API-compatible rather than jumping
ModelContextProtocol 0.8.0-preview.1 -> 1.4.0. Clean build: 0 advisory
warnings (was 40 total). Full test suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps both SDK surfaces to the current stable release:
- ModelContextProtocol 1.4.0 in RockBot.Agent and RockBot.Tools.Mcp
- ModelContextProtocol.AspNetCore 1.4.0 in the three McpServer.* projects

The 0.8 -> 1.4 range carries one breaking change that touches this code:
ImageContentBlock.Data / AudioContentBlock.Data changed from string to
ReadOnlyMemory<byte> (0.9.0-preview.1). McpToolExecutor.MapContentBlocks now
base64-encodes the bytes into the (string) ToolContentBlock.Data; the
corresponding test constructs byte data and asserts the base64 output.

Everything else in the consumed surface (McpClient.CreateAsync, HttpClientTransport,
ListTools/CallTool/GetPrompt, ServerInfo, McpClientTool/Prompt, CallToolResult,
TextContentBlock, server attributes, AddMcpServer().WithHttpTransport().WithTools<T>(),
MapMcp) is unchanged. No TFM/runtime bump.

Also corrects the MessagePack pin comment in RockBot.Agent.csproj: that chain
enters via RockBot.Llm.Copilot -> GitHub.Copilot.SDK -> StreamJsonRpc, not via
ModelContextProtocol, so the pins remain necessary independent of this upgrade.

Note (deploy-time): legacy SSE endpoints became opt-in at 1.2.0. The agent
connects to the internal MCP servers at root with TransportMode=AutoDetect
(negotiates Streamable HTTP), so this should be transparent — verify
agent<->server connectivity after deploy.

Clean build: 0 errors, 0 advisory warnings. Full test suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rockfordlhotka rockfordlhotka changed the title Resolve NuGet security advisories (MessagePack, Nerdbank.MessagePack, KubernetesClient) Resolve NuGet security advisories + upgrade ModelContextProtocol to 1.4.0 Jun 18, 2026
New feature: ModelContextProtocol upgraded to 1.4.0 (minor bump).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR performs dependency hygiene updates to eliminate NuGet security advisory warnings and upgrades the ModelContextProtocol (MCP) SDK from a preview version to the current stable release, with a small code adjustment to accommodate MCP’s binary content API change.

Changes:

  • Upgrades ModelContextProtocol / ModelContextProtocol.AspNetCore to 1.4.0 and updates MCP content block mapping to base64-encode image/audio bytes.
  • Clears NU1902/NU1903 advisories by bumping KubernetesClient to 17.* and pinning transitive MessagePack / Nerdbank.MessagePack to patched versions.
  • Bumps repo/package version to 0.14.0.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
tests/RockBot.Tools.Tests/McpToolExecutorTests.cs Updates image content test to reflect MCP binary data change (bytes → base64 string).
tests/RockBot.Scripts.Tests/RockBot.Scripts.Tests.csproj Bumps KubernetesClient to 17.* to address advisories.
src/RockBot.Tools.Mcp/RockBot.Tools.Mcp.csproj Upgrades ModelContextProtocol to 1.4.0.
src/RockBot.Tools.Mcp/McpToolExecutor.cs Base64-encodes image/audio ReadOnlyMemory<byte> into ToolContentBlock.Data.
src/RockBot.Scripts.Container/RockBot.Scripts.Container.csproj Bumps KubernetesClient to 17.* to address advisories.
src/RockBot.Llm.Copilot/RockBot.Llm.Copilot.csproj Adds transitive pins for patched MessagePack / Nerdbank.MessagePack.
src/RockBot.Agent/RockBot.Agent.csproj Upgrades MCP SDK + adds transitive pins for patched MessagePack / Nerdbank.MessagePack.
src/McpServer.TodoApp/McpServer.TodoApp.csproj Upgrades ModelContextProtocol.AspNetCore to 1.4.0.
src/McpServer.OpenRouter/McpServer.OpenRouter.csproj Upgrades ModelContextProtocol.AspNetCore to 1.4.0.
src/McpServer.Introspection/McpServer.Introspection.csproj Upgrades ModelContextProtocol.AspNetCore to 1.4.0.
Directory.Build.props Bumps version to 0.14.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +81 to +82
ImageContentBlock img => new ToolContentBlock { Type = "image", Data = Convert.ToBase64String(img.Data.Span), MimeType = img.MimeType },
AudioContentBlock audio => new ToolContentBlock { Type = "audio", Data = Convert.ToBase64String(audio.Data.Span), MimeType = audio.MimeType },
Assert.AreEqual("text", blocks[0].Type);
Assert.AreEqual("image", blocks[1].Type);
Assert.AreEqual("abc123", blocks[1].Data);
Assert.AreEqual(Convert.ToBase64String(imageBytes), blocks[1].Data);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants