
nicktrn (Collaborator) commented Dec 8, 2025

  • Upgrade @modelcontextprotocol/sdk to 1.24.3
  • Override jws to 3.2.3

changeset-bot (bot) commented Dec 8, 2025

🦋 Changeset detected

Latest commit: 6334449

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 26 packages
Name                              Type
trigger.dev                       Patch
d3-chat                           Patch
references-d3-openai-agents       Patch
references-nextjs-realtime        Patch
references-realtime-hooks-test    Patch
references-realtime-streams       Patch
references-telemetry              Patch
@trigger.dev/build                Patch
@trigger.dev/core                 Patch
@trigger.dev/python               Patch
@trigger.dev/react-hooks          Patch
@trigger.dev/redis-worker         Patch
@trigger.dev/rsc                  Patch
@trigger.dev/schema-to-json       Patch
@trigger.dev/sdk                  Patch
@trigger.dev/database             Patch
@trigger.dev/otlp-importer        Patch
@internal/cache                   Patch
@internal/clickhouse              Patch
@internal/redis                   Patch
@internal/replication             Patch
@internal/run-engine              Patch
@internal/schedule-engine         Patch
@internal/testcontainers          Patch
@internal/tracing                 Patch
@internal/zod-worker              Patch


coderabbitai (bot, Contributor) commented Dec 8, 2025

Walkthrough

This PR adds a changeset entry documenting a patch release for the trigger.dev package and updates the @modelcontextprotocol/sdk dependency from ^1.17.0 to ^1.24.0 in packages/cli-v3. Additionally, a new dependency override is introduced in the root package.json to pin jws to version 3.2.3 for versions below 3.2.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • The @modelcontextprotocol/sdk version jump spans 7 minor versions (1.17.0 → 1.24.0) — verify release notes and changelog for any breaking changes or migration requirements
  • The jws@<3.2.3 dependency override appears to address a security concern — verify the motivation and that the pinned version resolves the underlying issue
  • Confirm the changeset entry accurately reflects the dependencies being updated

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check (⚠️ Warning): The description is incomplete, missing required sections from the template including issue reference, testing steps, and changelog details; only a brief bullet-point list of changes is provided. Resolution: Follow the template structure: add issue reference (Closes #), describe testing steps in the Testing section, and provide a detailed changelog entry.
  • Title check (❓ Inconclusive): The title 'security: dependabot alert triage' is vague and generic, using non-descriptive language that doesn't convey the specific changes (dependency upgrades) being made in the PR. Resolution: Consider a more specific title like 'chore: upgrade @modelcontextprotocol/sdk to 1.24.3 and override jws to 3.2.3' to clearly indicate the main changes.

✅ Passed checks (1 passed)

  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf63fc9 and 6334449.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .changeset/ninety-cougars-remember.md (1 hunks)
  • package.json (1 hunks)
  • packages/cli-v3/package.json (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{js,ts,jsx,tsx,json,md,css,scss}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using Prettier

Files:

  • package.json
  • packages/cli-v3/package.json
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .cursor/rules/writing-tasks.mdc:0-0
Timestamp: 2025-11-27T16:27:35.304Z
Learning: Applies to **/trigger/**/*.{ts,tsx,js,jsx} : Use `trigger.dev/sdk/v3` for all imports in Trigger.dev tasks
📚 Learning: 2025-11-27T16:27:48.109Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-27T16:27:48.109Z
Learning: pnpm version `10.23.0` and Node.js version `20.11.1` are required for development

Applied to files:

  • package.json
  • packages/cli-v3/package.json
📚 Learning: 2025-11-27T16:27:35.304Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .cursor/rules/writing-tasks.mdc:0-0
Timestamp: 2025-11-27T16:27:35.304Z
Learning: Applies to **/trigger/**/*.{ts,tsx,js,jsx} : Use `trigger.dev/sdk/v3` for all imports in Trigger.dev tasks

Applied to files:

  • .changeset/ninety-cougars-remember.md
🔇 Additional comments (3)
packages/cli-v3/package.json (1)

86-86: Verify compatibility of @modelcontextprotocol/sdk upgrade (^1.17.0 → ^1.24.0).

The upgrade spans multiple minor versions. Verify that this upgrade doesn't introduce any breaking changes or incompatibilities with other dependencies in the workspace.

package.json (1)

93-94: Security fix for jws CVE-2025-65945 is appropriately implemented.

The jws override addresses an HMAC signature bypass vulnerability where improper verification occurs in HMAC-based algorithms, allowing attackers to manipulate key lookup logic. The pnpm override correctly pins all versions below 3.2.3 to the patched version.

.changeset/ninety-cougars-remember.md (1)

1-5: Changeset entry properly documents the dependency upgrade.

The changeset correctly records the patch release with the @modelcontextprotocol/sdk upgrade. The version 1.24.3 aligns with the ^1.24.0 constraint in packages/cli-v3/package.json.


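The jws override described in the review above, checked in an added JavaScript example (not code from the trigger.dev PR or from CodeRabbit): it parses a pnpm override selector of the form `jws@<3.2.3`, applies it to a constructed list of transitively resolved jws versions, and confirms that nothing older than the patched 3.2.3 survives. The package.json fragment, the resolved version list and the helper names are assumptions.

```javascript
// Added example (not code from the trigger.dev PR or CodeRabbit): does a pnpm
// override of the form "jws@<3.2.3": "3.2.3" cover every jws version in the tree?
// Assumed package.json fragment, in the shape pnpm reads overrides from.
const packageJson = {
  pnpm: { overrides: { "jws@<3.2.3": "3.2.3" } },
};
// Constructed sample: jws versions a lockfile might have resolved transitively.
const resolvedJws = ["3.1.2", "3.2.2", "3.2.3", "4.0.0"];
// First jws release the review cites as patched for CVE-2025-65945.
const FIXED_JWS = "3.2.3";

function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Parses a selector like "jws@<3.2.3" (or "@scope/name@<x.y.z") into its parts.
// Only the "<upper bound" form used by this PR is handled; anything else throws.
function parseSelector(selector) {
  const m = /^(@?[^@]+)@<(\d+\.\d+\.\d+)$/.exec(selector);
  if (!m) throw new Error(`unsupported selector: ${selector}`);
  return { name: m[1], upperBound: m[2] };
}

// Version each resolved copy of `name` would end up at once overrides apply.
function applyOverrides(overrides, name, versions) {
  return versions.map((v) => {
    for (const [selector, target] of Object.entries(overrides)) {
      const sel = parseSelector(selector);
      if (sel.name === name && compareVersions(v, sel.upperBound) < 0) return target;
    }
    return v;
  });
}

// True only if no jws older than FIXED_JWS survives the overrides.
function overrideClosesAlert(pkg, versions) {
  const after = applyOverrides(pkg.pnpm.overrides, "jws", versions);
  return after.every((v) => compareVersions(v, FIXED_JWS) >= 0);
}
```

An override with a too-low upper bound (for example `jws@<3.2.0`) leaves 3.2.2 in place, and the check reports the alert as still open.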

@nicktrn nicktrn merged commit 66c6da7 into main Dec 8, 2025
31 checks passed
@nicktrn nicktrn deleted the security/dependabot-triage branch December 8, 2025 21:02