chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.1.0 to 1.4.0

[dependabot]

Bumps github.com/modelcontextprotocol/go-sdk from 1.1.0 to 1.4.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.0

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

• all: client side OAuth support by @​maciej-kisiel in modelcontextprotocol/go-sdk#785

Sampling with Tools

Starting from this release, the server use the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

• mcp: implement sampling with tools by @​findleyr in modelcontextprotocol/go-sdk#699

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection (MCPGODEBUG=disablelocalhostprotection=1)

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The option to remove this protection will be removed in v1.6.0.

• feat: add automatic DNS rebinding protection for localhost servers by @​pcarleton in modelcontextprotocol/go-sdk#760

Removed JSON content escaping when marshaling (MCPGODEBUG=jsonescaping=1):

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default. The option to bring back the escaping will be removed in v1.6.0.

• mcp: update JSON marshaling to not HTML-escape messages by @​maciej-kisiel in modelcontextprotocol/go-sdk#769

Bug fixes

Security vulnerability caused by the case insensitive parsing behavior of encoding/json has been submitted (also release as a cherry pick in v1.3.1). Security advisory has been posted.

• all: use case-sensitive JSON unmarshaling by @​maciej-kisiel in modelcontextprotocol/go-sdk#807

Other fixes:

• mcp: validation only for accept action by @​CocaineCong in modelcontextprotocol/go-sdk#766
• mcp: allow SSE messages with empty data (SEP-1699) by @​maciej-kisiel in modelcontextprotocol/go-sdk#779
• jsonrpc2: fix Content-Length header parsing to be case-insensitive by @​nithinputhenveettil in modelcontextprotocol/go-sdk#789
• mcp: fix multi-select enum elicitation by @​maciej-kisiel in modelcontextprotocol/go-sdk#795
• mcp: return 400 instead of 500 when body read fails in stateless mode by @​roncodingenthusiast in modelcontextprotocol/go-sdk#817

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

• mcp: add Extensions field to capabilities per SEP-2133 by @​ymmt2005 in modelcontextprotocol/go-sdk#794

Other enhancements:

• mcp: enforce retry limit when SSE stream makes no progress by @​majiayu000 in modelcontextprotocol/go-sdk#742
• mcp: export session missing error by @​CocaineCong in modelcontextprotocol/go-sdk#771
• fix: add JSON tags to ElicitationCapabilities fields by @​awschmeder in modelcontextprotocol/go-sdk#774
• mcp: improve http transports error handling and make transport work with any size message by @​alexbumbacea in modelcontextprotocol/go-sdk#734
• examples: bind auth-middleware server to localhost by default by @​TheodorNEngoy in modelcontextprotocol/go-sdk#784

... (truncated)

Commits

• c9317fb all: client side OAuth support (#785)
• 4e8b6ca mcp: return 400 instead of 500 when body read fails in stateless mode (#817)
• 0048a18 chore: Configure advanced CodeQL setup (#819)
• 1942036 chore: update the version of the conformance suite. (#814)
• b17143f chore: increase timeout for conformance server start. (#813)
• 86d05a1 chore: update publish-docs permissions to be more targeted. (#812)
• 9f22cf1 chore: configure a simple AGENTS.md file and a skill for fixing GitHu… (#810)
• 51d256c chore: Configure OSSF Scorecard action (#811)
• ac65640 chore: update SECURITY.md to use GitHub Security Advisories (#809)
• 7b8d81c all: use case-sensitive JSON unmarshaling (#807)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)