Skip to content

build(deps): bump github.com/modelcontextprotocol/go-sdk from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0#2498

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.6.0
Open

build(deps): bump github.com/modelcontextprotocol/go-sdk from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0#2498
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.6.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps github.com/modelcontextprotocol/go-sdk from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

2026-06-30 Release related PRs

  • feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

    New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

  • feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

    By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

disablecrossoriginprotection was replaced by enableoriginverification after the default was changed to not enable cross-origin protection.

jsonescaping option was removed, according to plan.

Other Changes to the SDK

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump github.com/modelcontextprotocol/go-sdk
97503e4 
Bumps [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0.
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](https://github.com/modelcontextprotocol/go-sdk/commits/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 19, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 19, 2026 02:03
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 19, 2026
@github-actions
chore: regenerate license files
0a771ca 
Auto-generated by license-check workflow
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants