build(deps): bump github.com/modelcontextprotocol/go-sdk from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0

[dependabot]

Bumps github.com/modelcontextprotocol/go-sdk from 1.5.1-0.20260403154220-27f29c1cef3b to 1.6.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v1.6.0

This release is equivalent to v1.6.0-pre.1. Thank you to those who tested the pre-release.

In this release we introduce several smaller fixes and improvements, and we started working for release 2026-06-30. The main new feature is the introduction of ClientCredentialsHandler for OAuth client credentials grant.

Add ClientCredentialsHandler for OAuth client credentials grant

Added ClientCredentialsHandler implementing auth.OAuthHandler using the OAuth 2.0 Client Credentials grant (RFC 6749 Section 4.4) for service-to-service authentication with pre-registered credentials.

• extauth: add ClientCredentialsHandler for OAuth client credentials grant by @​ravyg in modelcontextprotocol/go-sdk#895

2026-06-30 Release related PRs

• feat: add automatic application_type inference by @​guglielmo-san in modelcontextprotocol/go-sdk#904

  New application_type field is added to the ClientRegistrationMetadata for DynamicClientRegistration. If not specified, the application_type will be inferred from the RedirectURIs. This implements SEP-837.

• feat: HTTP Header Standardization for method and name by @​guglielmo-san in modelcontextprotocol/go-sdk#907

  By mirroring key fields from the JSON-RPC payload into HTTP headers, network intermediaries such as load balancers, proxies, and observability tools can route and process MCP traffic without deep packet inspection, reducing latency and computational overhead. This partially implements SEP-2243.

Behavior Changes

SetError Behavior Change

Previously the SetError method on CallToolResult always overwrote the Content field with the error text. Now SetError preserves the existing value if it has already been populated. You can restore the previous behavior by setting the environment variable seterroroverwrite=1.

• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864

Cross-Origin Protection Default Change

Previously (v1.4.1-v1.5.0) default (zero-value) cross-origin protection was applied when CrossOriginProtection in StreamableHTTPOptions was nil. Now cross-origin protection is not enabled by default when CrossOriginProtection is nil. You can restore the previous behavior (enable by default) by setting enableoriginverification=1.

• mcp: remove default cross origin protection by @​maciej-kisiel in modelcontextprotocol/go-sdk#906

disablecrossoriginprotection was replaced by enableoriginverification after the default was changed to not enable cross-origin protection.

jsonescaping option was removed, according to plan.

Other Changes to the SDK

• internal: remove unused util functions by @​alexandear in modelcontextprotocol/go-sdk#871
• build(deps): bump github/codeql-action from 4.32.4 to 4.35.1 by @​dependabot[bot] in modelcontextprotocol/go-sdk#873
• build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in modelcontextprotocol/go-sdk#874
• build(deps): bump actions/setup-node from 6.2.0 to 6.3.0 by @​dependabot[bot] in modelcontextprotocol/go-sdk#875
• build(deps): bump dominikh/staticcheck-action from 1.4.0 to 1.4.1 by @​dependabot[bot] in modelcontextprotocol/go-sdk#872
• oauthex: accept 200 in client registration by @​MatyasVondraOutreach in modelcontextprotocol/go-sdk#877
• mcp: allow Content-Type parameters in streamable transport by @​rafaeljusto in modelcontextprotocol/go-sdk#878
• mcp: preserve existing Content in SetError by @​ravyg in modelcontextprotocol/go-sdk#864

... (truncated)

Commits

• See full diff in compare view

[SamMorrowDrums]

Approving go-sdk 1.6.0 bump. Verified our code is safe: we explicitly construct http.NewCrossOriginProtection() in pkg/http/handler.go (so the changed default of nil/off does not affect us), and we do not use SetError (whose semantics changed to preserve Content).

[SamMorrowDrums]

@dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[SamMorrowDrums]

@dependabot rebase

[dependabot]

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[SamMorrowDrums]

@dependabot recreate

[SamMorrowDrums]

Re-approving after recreate. Verified our code is safe with the go-sdk 1.6.0 behavior changes: we explicitly construct http.NewCrossOriginProtection() in pkg/http/handler.go (default change to nil/off does not affect us), and we do not use SetError (whose semantics changed to preserve Content).

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.