Conversation

@samuv samuv commented Jan 14, 2026

Fixes pnpm audit security vulnerabilities and updates dependencies to their latest compatible versions.

Motivation and Context

Running pnpm audit was reporting multiple security vulnerabilities:

  1. Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4):
    • JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback)
    • JWT Algorithm Confusion via Unsafe Default (HS256) allowing token forgery and auth bypass
    • Affects hono <4.11.4 (via @hono/node-server)
    • Fixed by bumping @hono/node-server to ^1.19.9 and hono to ^4.11.4
  2. qs package vulnerability:
    • Security issue in transitive dependency qs
    • Fixed by adding pnpm overrides to force qs@6.14.1

This PR addresses these vulnerabilities and updates dependencies to their latest compatible versions.

How Has This Been Tested?

  • pnpm audit now reports 0 vulnerabilities
  • pnpm lint:all passes
  • pnpm test:all passes (all 245 tests in client package pass)
  • ✅ Test assertions updated to match jose library's updated error message format

Breaking Changes

None. All changes are backward compatible.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

  • Security fixes:
    • @hono/node-server (^1.19.7 → ^1.19.9) and hono (^4.11.1 → ^4.11.4) - resolves Hono JWT vulnerabilities (GHSA-3vhc-576x-3qv4, GHSA-f67f-6cw9-8mq4)
    • pnpm overrides for qs@6.14.1 - resolves qs CVE vulnerability
  • Runtime dependencies bumped: express (^5.0.1 → ^5.2.1), express-rate-limit (^7.5.0 → ^8.2.1), jose (^6.1.1 → ^6.1.3)
  • Dev dependencies bumped: eslint (^9.8.0 → ^9.39.2), @eslint/js (^9.39.1 → ^9.39.2), @types/express (^5.0.0 → ^5.0.6)
  • Test fix: Updated error message regex in auth-extensions.test.ts to match jose library's updated error output
  • Style: Fixed import ordering in taskResumability.test.ts

@samuv samuv requested a review from a team as a code owner January 14, 2026 10:48
changeset-bot bot commented Jan 14, 2026

🦋 Changeset detected

Latest commit: 6e66a48

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name                          Type
@modelcontextprotocol/server  Patch


pkg-pr-new bot commented Jan 14, 2026

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1381
npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1381

commit: 6e66a48

@KKonstantinov KKonstantinov (Contributor) commented
Hi, thank you for this. I believe this is out of date since we've done another set of big refactors - I've opened #1394 for v2, please have a look if you'd like.

Will review your v1 backport branch
