build(deps): bump github.com/modelcontextprotocol/go-sdk from 1.2.0 to 1.4.0 #903

Merged
github-actions[bot] merged 1 commit into main from dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.4.0
Mar 2, 2026

@dependabot dependabot bot commented on behalf of github Mar 2, 2026

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps github.com/modelcontextprotocol/go-sdk from 1.2.0 to 1.4.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.4.0

This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

Sampling with Tools

Starting from this release, the server uses the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection (MCPGODEBUG=disablelocalhostprotection=1)

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The option to remove this protection will be removed in v1.6.0.

Removed JSON content escaping when marshaling (MCPGODEBUG=jsonescaping=1):

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default. The option to bring back the escaping will be removed in v1.6.0.

Bug fixes

Security vulnerability caused by the case-insensitive parsing behavior of encoding/json has been submitted (also released as a cherry pick in v1.3.1). Security advisory has been posted.

Other fixes:

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

Other enhancements:

... (truncated)

Commits
  • c9317fb all: client side OAuth support (#785)
  • 4e8b6ca mcp: return 400 instead of 500 when body read fails in stateless mode (#817)
  • 0048a18 chore: Configure advanced CodeQL setup (#819)
  • 1942036 chore: update the version of the conformance suite. (#814)
  • b17143f chore: increase timeout for conformance server start. (#813)
  • 86d05a1 chore: update publish-docs permissions to be more targeted. (#812)
  • 9f22cf1 chore: configure a simple AGENTS.md file and a skill for fixing GitHu… (#810)
  • 51d256c chore: Configure OSSF Scorecard action (#811)
  • ac65640 chore: update SECURITY.md to use GitHub Security Advisories (#809)
  • 7b8d81c all: use case-sensitive JSON unmarshaling (#807)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Summary by CodeRabbit

  • Chores
    • Updated key dependencies, including authentication and protocol libraries, to improve stability and performance.
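
The DNS rebinding protection described in the v1.4.0 release notes above, sketched as an added example (not the SDK's code and not part of this PR): requests accepted on a loopback address are rejected when their Host header names anything other than localhost or a loopback IP. The use of http.LocalAddrContextKey, the 403 status, and the names rebindingGuard, isLoopbackHost and statusFor are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isLoopbackHost reports whether a Host header value (port optional) names localhost or a loopback IP.
func isLoopbackHost(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]") // bare IPv6 literal without a port
	ip := net.ParseIP(host)
	return strings.EqualFold(host, "localhost") || (ip != nil && ip.IsLoopback())
}

// rebindingGuard rejects loopback-received requests whose Host is not loopback (403 is this example's choice).
func rebindingGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		local, ok := r.Context().Value(http.LocalAddrContextKey).(*net.TCPAddr)
		if ok && local.IP.IsLoopback() && !isLoopbackHost(r.Host) {
			http.Error(w, "Host header does not match loopback listener", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor replays one constructed request through the guard and returns the response status.
func statusFor(localIP, host string) int {
	r := httptest.NewRequest(http.MethodPost, "/mcp", nil)
	r.Host = host
	ctx := context.WithValue(r.Context(), http.LocalAddrContextKey, &net.TCPAddr{IP: net.ParseIP(localIP), Port: 8080})
	rec := httptest.NewRecorder()
	rebindingGuard(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, r.WithContext(ctx))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("127.0.0.1", "localhost:8080"))      // loopback listener, loopback Host
	fmt.Println(statusFor("127.0.0.1", "rebind.example:8080")) // loopback listener, foreign Host
}
```

A request received on a non-loopback address passes through unchanged, so the guard only affects servers bound to localhost.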
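
The case-insensitive parsing behavior of encoding/json mentioned in the release notes above, shown as an added example (not the SDK's code and not the fix from commit 7b8d81c): the standard decoder accepts `Method` or `METHOD` for a field tagged `method`, and a later differently-cased key overrides an earlier exact one. The request type, the sample message and the stdlib-only strict check are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// request is a hypothetical message shape for this example, not an SDK type.
type request struct {
	Method string `json:"method"`
	ID     int    `json:"id"`
}

// sample is constructed: two keys that differ only in case.
var sample = []byte(`{"method":"ping","Method":"tools/call","id":1}`)

// lenientMethod decodes with plain encoding/json, which falls back to
// case-insensitive matching of object keys to struct fields.
func lenientMethod(raw []byte) (string, error) {
	var r request
	err := json.Unmarshal(raw, &r)
	return r.Method, err
}

// strictMethod rejects any key that is not an exact, case-sensitive match
// for a known field before decoding.
func strictMethod(raw []byte) (string, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(raw, &keys); err != nil {
		return "", err
	}
	allowed := map[string]bool{"method": true, "id": true}
	for k := range keys {
		if !allowed[k] {
			return "", fmt.Errorf("unexpected key %q", k)
		}
	}
	return lenientMethod(raw)
}

func main() {
	m, _ := lenientMethod(sample)
	fmt.Println("lenient decoder sees:", m) // the later, differently-cased key wins
	_, err := strictMethod(sample)
	fmt.Println("strict decoder:", err)
}
```

Any component that inspects the raw message by exact key name would read `ping` here while the lenient decoder acts on `tools/call`, which is why case-sensitive decoding matters for validation layers.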

Bumps [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) from 1.2.0 to 1.4.0.
- [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases)
- [Commits](modelcontextprotocol/go-sdk@v1.2.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/modelcontextprotocol/go-sdk
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added area/dependency Issues or PRs related to dependency changes ok-to-test Indicates a non-member PR verified by an org member that is safe to test. labels Mar 2, 2026
@github-actions github-actions bot enabled auto-merge (squash) March 2, 2026 00:26
coderabbitai bot commented Mar 2, 2026

Walkthrough

This pull request updates Go module dependencies in go.mod. The Model Context Protocol SDK is bumped to v1.4.0, JSON schema and OAuth2 libraries are upgraded, and new indirect dependencies for Segmentio packages are added.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Updates (go.mod) | Bumped github.com/modelcontextprotocol/go-sdk from v1.2.0 to v1.4.0; upgraded github.com/google/jsonschema-go (v0.3.0→v0.4.2) and golang.org/x/oauth2 (v0.30.0→v0.34.0); added indirect dependencies github.com/segmentio/asm v1.1.3 and github.com/segmentio/encoding v0.5.3. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change in the PR: bumping the modelcontextprotocol/go-sdk dependency from v1.2.0 to v1.4.0, which is the primary purpose of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | This pull request is purely a dependency version management update affecting only go.mod and go.sum files. None of the 67 test files in the repository are modified by this dependency bump. |
| Test Structure And Quality | ✅ Passed | This PR only modifies go.mod/go.sum files with no test code changes, making test quality requirements not applicable. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@openshift-ci openshift-ci bot requested review from Tessg22 and typeid March 2, 2026 00:27
openshift-ci bot commented Mar 2, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot commented Mar 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign samanthajayasinghe for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.04%. Comparing base (ca6d232) to head (e34915f).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #903      +/-   ##
==========================================
+ Coverage   53.01%   53.04%   +0.03%     
==========================================
  Files          86       86              
  Lines        6538     6538              
==========================================
+ Hits         3466     3468       +2     
+ Misses       2610     2609       -1     
+ Partials      462      461       -1     

see 1 file with indirect coverage changes


@github-actions github-actions bot merged commit 1a36e7a into main Mar 2, 2026
8 of 9 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.4.0 branch March 2, 2026 00:41