chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /apps/sim directory: @modelcontextprotocol/sdk, better-auth, js-yaml and lodash.
Bumps the npm_and_yarn group with 1 update in the /scripts directory: glob.

Updates @modelcontextprotocol/sdk from 1.20.2 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in modelcontextprotocol/typescript-sdk#1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in modelcontextprotocol/typescript-sdk#1319
• fix: README badges links destinations by @​antonpk1 in modelcontextprotocol/typescript-sdk#907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

• @​antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

• spec types - backwards compatibility changes by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1306
• chore: bump version for patch fix by @​felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

• list changed handlers on client constructor by @​mattzcarey in modelcontextprotocol/typescript-sdk#1206
• Role - moved from inline to reusable type by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1221
• fix: use versioned npm tag for non-main branch releases by @​pcarleton in modelcontextprotocol/typescript-sdk#1236
• No automatic completion support unless needed - Revisited yet again by @​cliffhall in modelcontextprotocol/typescript-sdk#1237
• fix: Support updating output schema by @​vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
• 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
• b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
• a0c9b13 fix: README badges links destinations (#907)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.

Updates better-auth from 1.3.12 to 1.4.5

Release notes

Sourced from better-auth's releases.

v1.4.5-beta.2

   🐞 Bug Fixes

• Add helper types to exports  -  by @​himself65 in better-auth/better-auth#6479 (9b556)

    View changes on GitHub

v1.4.4

   🚀 Features

• cli: Better-auth-command  -  by @​Ridhim-RR in better-auth/better-auth#6362 (5e06f)
• scim: Add support to parse custom scim+json media type  -  by @​jonathansamines in better-auth/better-auth#6365 (6e9ec)

   🐞 Bug Fixes

• Customizing fields should be optional for rate limit options  -  by @​ceolinwill in better-auth/better-auth#6398 (115c9)
• Chunk account data cookie when exceeding limit  -  by @​jslno in better-auth/better-auth#6393 (c9eca)
• Remove applying user-agent by default  -  by @​Bekacru in better-auth/better-auth#6417 (34d7d)
• Additional fields default values should apply when creating session  -  by @​Bekacru in better-auth/better-auth#5763 (d5713)
• Return null early if userid isn't defined  -  by @​Bekacru in better-auth/better-auth#6418 (e4508)
• logger: Log level priority  -  by @​danielfinke in better-auth/better-auth#6411 (4c25b)
• mcp: Return origin url as authorization server  -  by @​jslno in better-auth/better-auth#6397 (594bb)
• multi-session: Endpoints breaks with invalid signatures  -  by @​ping-maxwell in better-auth/better-auth#6342 (9433e)
• oidc-provider: Resolve getSignedCookie return type  -  by @​bytaesu in better-auth/better-auth#6346 (425dd)

    View changes on GitHub

v1.4.4-beta.3

   🚀 Features

• Lint dependencies  -  by @​jonathansamines in better-auth/better-auth#6309 (efaef)
• cli: Better-auth-command  -  by @​Ridhim-RR in better-auth/better-auth#6362 (1abd7)
• one-tap: Add fedcm support  -  by @​jslno in better-auth/better-auth#6380 (fd23c)
• scim: Add support to parse custom scim+json media type  -  by @​jonathansamines in better-auth/better-auth#6365 (a91a8)

   🐞 Bug Fixes

• Customizing fields should be optional for rate limit options  -  by @​ceolinwill in better-auth/better-auth#6398 (9abd8)
• Chunk account data cookie when exceeding limit  -  by @​jslno in better-auth/better-auth#6393 (57d36)
• Remove applying user-agent by default  -  by @​Bekacru in better-auth/better-auth#6417 (0617b)
• Improve error handling for unsupported additionalFields on generate  -  by @​Kinfe123 in better-auth/better-auth#3977 (39eb6)
• Return null early if userid isn't defined  -  by @​Bekacru in better-auth/better-auth#6418 (022ce)
• Additional fields default values should apply when creating session  -  by @​Bekacru in better-auth/better-auth#5763 (76998)
• Preserve user ID in cookie cache during stateless sessions  -  by @​GautamBytes in better-auth/better-auth#6452 (a25fb)
• expo:
  • Dismiss auth session on android to prevent invalid state error  -  by @​GautamBytes in better-auth/better-auth#6388 (3a133)
• logger:
  • Log level priority  -  by @​danielfinke in better-auth/better-auth#6411 (fa01c)
• mcp:
  • Return origin url as authorization server  -  by @​jslno in better-auth/better-auth#6397 (86c8d)

... (truncated)

Commits

• 2000fd6 chore: release v1.4.5
• fcab5a8 fix: add helper types to exports (#6479)
• c666670 chore: release v1.4.5-beta.1
• fd72560 fix(db-adapter): string[] and number[] fieldTypes incorrectly parsed for plug...
• 189dedd chore: release v1.4.4-beta.3
• 6269a33 chore: release v1.4.4-beta.2
• 52c15d4 chore: fix validation errors in unit tests (#6466)
• a25fb65 fix: preserve user ID in cookie cache during stateless sessions (#6452)
• 5cbe0a5 chore: enforce imports to use node: protocol (#6461)
• fbe51c8 chore: add spell checker (#6319)
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates glob from 11.0.2 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Feb 19, 2026 0:57am

[greptile-apps]

Greptile Summary

This PR updates 5 npm dependencies across 2 directories, with critical security patches for prototype pollution vulnerabilities and data leakage issues.

Key Security Updates:

• js-yaml 4.1.0 → 4.1.1: Fixes prototype pollution in yaml merge operator
• lodash 4.17.21 → 4.17.23: Prevents prototype pollution in baseUnset function
• @modelcontextprotocol/sdk 1.20.2 → 1.26.0: Addresses cross-client response data leakage (GHSA-345p-7cg4-v4c7) and ReDoS vulnerability
• better-auth 1.3.12 → 1.4.5: Bug fixes including multi-session endpoint security improvements
• glob 11.0.2 → 12.0.0: Removes unsafe --shell option

All updates are patch/minor versions with backward-compatible changes. The security fixes address vulnerabilities that could allow attackers to pollute object prototypes or leak sensitive data between clients.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it contains essential security updates
• All dependency updates are automated by Dependabot and address known security vulnerabilities. The changes include critical patches for prototype pollution in js-yaml and lodash, cross-client data leakage in @modelcontextprotocol/sdk, and security improvements in glob. These are patch/minor version bumps that maintain backward compatibility while fixing serious security issues.
• No files require special attention - all changes are standard dependency version updates

Important Files Changed

Filename	Overview
apps/sim/package.json	Updated 4 dependencies with important security fixes for prototype pollution (js-yaml, lodash) and cross-client data leakage (@modelcontextprotocol/sdk)
scripts/package.json	Updated glob to v12 which removes unsafe --shell option and improves security

_{Last reviewed commit: d96c1dd}

[greptile-apps]

_{3 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}