build: update all non-major dependencies (main)

[angular-robot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@modelcontextprotocol/sdk (source)	1.23.0 -> 1.24.0
@typescript-eslint/eslint-plugin (source)	8.48.0 -> 8.48.1
@typescript-eslint/parser (source)	8.48.0 -> 8.48.1
express (source)	5.1.0 -> 5.2.1
jasmine (source)	~5.12.0 -> ~5.13.0
jasmine-core (source)	~5.12.0 -> ~5.13.0
vite (source)	7.2.4 -> 7.2.6

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.24.0

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @​domdomegg in #​1171
• Make sure to consume HTTP error response bodies by @​GreenStage in #​1173
• docs: add GET request handling for streamableHttp stateless mode by @​saharis9988 in #​1161
• SEP-1686: Tasks by @​LucaButBoring in #​1041
• Fix JSON parse error on SSE events with empty data by @​felixweinberger in #​1184
• Fix StreamableHTTPClientTransport instantiation by @​yuwzho in #​944
• feat: eslint rule to prefer node protocols by @​mattzcarey in #​1187
• fix: call tasks/result to deliver side-channel messages by @​felixweinberger in #​1185
• Add invalid_target oauth error (rfc 8707) by @​GreenStage in #​1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @​yamadashy in #​1178
• coerce 'expires_in' to be a number by @​adam-kuhn in #​1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @​jerome3o-anthropic in #​1189
• fix: update registerTool signature for proper typed ToolCallback by @​mattzcarey in #​1188
• SEP-1046: Client credentials flow for M2M without user interaction by @​KKonstantinov in #​1157
• adds the transitive @​types/express-serve-static-core dependency as a direct devDependency by @​mgyarmathy in #​1078
• Fix optional argument handling in prompts for Zod V4 by @​filip-bartuska-ipf in #​1199
• fix hanging stdio servers by @​mattzcarey in #​1200
• README refactor by @​KKonstantinov in #​1197
• [Docs] Fix typo by @​koic in #​1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @​felixweinberger in #​1166
• fix: improve SSE reconnection behavior by @​felixweinberger in #​1191
• fix: normalize headers in sse transport by @​marcrasi in #​856
• feat: add closeStandaloneSSEStream for GET stream polling by @​felixweinberger in #​1203
• fix: normalize null to undefined in ElicitResultSchema content field by @​mattzcarey in #​1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @​jacopoc in #​1205
• fix: allow zod 4 transformations by @​mattzcarey in #​1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @​felixweinberger in #​1212
• chore: bump version for release by @​felixweinberger in #​1215

New Contributors

• @​GreenStage made their first contribution in #​1173
• @​saharis9988 made their first contribution in #​1161
• @​yuwzho made their first contribution in #​944
• @​yamadashy made their first contribution in #​1178
• @​adam-kuhn made their first contribution in #​1111
• @​mgyarmathy made their first contribution in #​1078
• @​filip-bartuska-ipf made their first contribution in #​1199
• @​koic made their first contribution in #​1067
• @​marcrasi made their first contribution in #​856
• @​jacopoc made their first contribution in #​1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.48.1

Compare Source

🩹 Fixes

• eslint-plugin: [restrict-template-expressions] check base types in allow list (#​11764, #​11759)
• eslint-plugin: honor ignored base types on generic classes (#​11767)
• eslint-plugin: [consistent-type-exports] check value flag before resolving alias (#​11769)

❤️ Thank You

• Josh Goldberg
• OleksandraKordonets
• SangheeSon @​Higangssh
• tao

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.48.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

expressjs/express (express)

v5.2.1

Compare Source

=======================

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

v5.2.0

Compare Source

========================

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

jasmine/jasmine-npm (jasmine)

v5.13.0

Compare Source

Please see the release notes.

jasmine/jasmine (jasmine-core)

v5.13.0

Compare Source

Please see the release notes.

vitejs/vite (vite)

v7.2.6

Compare Source

7.2.6 (2025-12-01)

---

Configuration

📅 Schedule: Branch creation - "after 6am and before 10am on Monday, Wednesday, Friday" in timezone Europe/Rome, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alan-agius4]

This PR was merged into the repository. The changes were merged into the following branches:

• main: fe631c0