chore: update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
github.com/modelcontextprotocol/go-sdk	v1.6.0 → v1.6.1			require	patch
github/codeql-action	v4.35.5 → v4.36.0			action	minor
golang.org/x/sys	v0.44.0 → v0.45.0			require	minor
step-security/harden-runner	v2.19.3 → v2.19.4			action	patch
step-security/setup-uv	v7.3.0 → v8.1.0			action	major

---

Release Notes

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.6.1

Compare Source

This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.

Behavior Changes

Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it.
This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests.
See #​957.

What's Changed

• mcp: add MCPGPDEBUG for opt-in Content-Type check by @​guglielmo-san in #​972

Full Changelog: modelcontextprotocol/go-sdk@v1.6.0...v1.6.1

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed

• Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

step-security/setup-uv (step-security/setup-uv)

v8.1.0

Compare Source

What's Changed

• fix: Security updates by @​github-actions[bot] in #​64
• fix: Security updates by @​github-actions[bot] in #​81
• fix: Security updates by @​github-actions[bot] in #​82
• fix: upgrade packages to fix vulnerabilities by @​Raj-StepSecurity in #​83
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​84
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​88
• Delete .github/workflows/guarddog.yml by @​Raj-StepSecurity in #​91
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​89
• fix: Security updates by @​github-actions[bot] in #​87
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​92
• fix: Security updates by @​github-actions[bot] in #​95
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​94
• chore: Cherry-picked changes from upstream by @​github-actions[bot] in #​97
• feat: added banner and update subscription check to make maintained actions free for public repos by @​Raj-StepSecurity in #​98
• fix: Security updates by @​github-actions[bot] in #​99

Full Changelog: step-security/setup-uv@v7...v8.1.0

v8

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 4am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: mcp/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/sys	v0.44.0 -> v0.45.0