fix: update rmcp to resolve CVE-2026-42559 #10486
Open
Co-Authored-By: Oz <oz-agent@warp.dev>
danielpeng2 (Contributor) approved these changes on May 8, 2026
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Contributor
Overview
This PR updates the workspace rmcp dependency from 0.10.0 to 1.6.0, removes the obsolete SSE reqwest feature from the app dependency declaration, and refreshes the resulting lockfile entries.
Concerns
- No blocking concerns found in the annotated diff. The dependency remains pinned to an explicit fork revision and the lockfile updates are consistent with the rmcp upgrade.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
- Implement StreamableHttpClient for McpHttpClient wrapper (reqwest 0.12 compat)
- Remove legacy SSE transport references (SseClientTransport removed in rmcp 1.6)
- Use builder patterns for non-exhaustive structs (CallToolRequestParams, etc.)
- Add wildcard arms for non-exhaustive enum matches (RmcpError, ServiceError)
- Fix register_client call signature (added scopes parameter)
- Update type aliases for deprecated types (CallToolRequestParam -> Params)
Co-Authored-By: Oz <oz-agent@warp.dev>
- Simplify Transport enum to use Option<reqwest::Client> instead of AuthClient wrapper
- Fix error_to_user_message to add wildcard arm for non-exhaustive RmcpError
- Remove duplicate function signature line
- Run cargo fmt
Co-Authored-By: Oz <oz-agent@warp.dev>
Summary
Updates rmcp from 0.10.0 to 1.6.0 in the warpdotdev/rmcp fork to resolve CVE-2026-42559.
Vulnerability
Dependabot alerts resolved
Changes
- Cargo.toml workspace dependency for rmcp to point to the latest fork commit (321ab14f67da), which is at version 1.6.0 and includes the DNS rebinding fix (PR #764) plus additional Host/Origin validation (PR #823, PR #826).
- transport-sse-client-reqwest feature from app/Cargo.toml — this feature was renamed upstream and is now included transitively via transport-streamable-http-client-reqwest → client-side-sse.
- Cargo.lock accordingly.
Verification
- cargo check -p ai passes — the only crate directly using rmcp types (CallToolResult, ResourceContents, RawContent).
- cargo audit confirms CVE-2026-42559 no longer appears.
Conversation: https://staging.warp.dev/conversation/92b8aa0f-1525-4813-9990-62db7afe9c12
Run: https://oz.staging.warp.dev/runs/019e0851-4c63-74f8-9d5a-ec00d08a7593
This PR was generated with Oz.
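The Host/Origin validation referenced in the Changes section is the kind of check a loopback-bound MCP HTTP server needs against DNS rebinding: a page on an attacker's domain rebinds that name to 127.0.0.1, the browser then talks to the local server, but the Host header still carries the attacker's hostname and the Origin header names the attacker's page. The following is an added example written for this page, not rmcp's code or the fix in the PRs cited above; the HostOriginPolicy and Rejection names, the port, and the sample requests are all constructed for illustration.

```rust
// Added example: Host/Origin allowlist check for a loopback-bound MCP HTTP
// server. Illustrative code written for this page, not rmcp's implementation;
// all names and sample requests are hypothetical.

use std::fmt;

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    MissingHost,
    HostNotAllowed(String),
    OriginNotAllowed(String),
}

impl fmt::Display for Rejection {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Rejection::MissingHost => write!(f, "missing Host header"),
            Rejection::HostNotAllowed(h) => write!(f, "Host {h:?} not in allowlist"),
            Rejection::OriginNotAllowed(o) => write!(f, "Origin {o:?} not in allowlist"),
        }
    }
}

/// Allowed Host names (hostname or IP, port stripped) and allowed Origin
/// values (scheme://host[:port], compared as whole strings).
pub struct HostOriginPolicy {
    pub allowed_hosts: Vec<String>,
    pub allowed_origins: Vec<String>,
}

impl HostOriginPolicy {
    /// Policy for a server bound to loopback: only loopback names/addresses,
    /// and only browser pages served from that same loopback origin.
    pub fn loopback(port: u16) -> Self {
        let hosts = ["localhost", "127.0.0.1", "::1"];
        HostOriginPolicy {
            allowed_hosts: hosts.iter().map(|h| h.to_string()).collect(),
            allowed_origins: hosts
                .iter()
                .flat_map(|h| {
                    // IPv6 literals appear bracketed in URLs.
                    let h = if h.contains(':') { format!("[{h}]") } else { h.to_string() };
                    vec![format!("http://{h}:{port}"), format!("http://{h}")]
                })
                .collect(),
        }
    }

    /// Check one request's Host and Origin headers. Host is mandatory
    /// (HTTP/1.1 requires it); Origin is optional because non-browser
    /// clients usually omit it, but when present it must be allowlisted.
    pub fn check(&self, host: Option<&str>, origin: Option<&str>) -> Result<(), Rejection> {
        let host = host.ok_or(Rejection::MissingHost)?;
        let name = strip_port(host);
        if !self.allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(name)) {
            // A rebound attacker domain reaches us with its own name in Host.
            return Err(Rejection::HostNotAllowed(host.to_string()));
        }
        if let Some(o) = origin {
            // "null" is what browsers send for opaque origins; never trust it.
            if o == "null" || !self.allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(o)) {
                return Err(Rejection::OriginNotAllowed(o.to_string()));
            }
        }
        Ok(())
    }
}

/// Hostname part of a Host header: "localhost:8080" -> "localhost",
/// "[::1]:8080" -> "::1", "127.0.0.1" -> "127.0.0.1".
fn strip_port(host: &str) -> &str {
    let host = host.trim();
    if let Some(rest) = host.strip_prefix('[') {
        return rest.split(']').next().unwrap_or(rest);
    }
    if host.matches(':').count() > 1 {
        return host; // bare IPv6 literal without brackets: no port to strip
    }
    match host.rsplit_once(':') {
        Some((name, port)) if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) => name,
        _ => host,
    }
}

/// Constructed sample requests: (description, Host header, Origin header).
pub fn sample_requests() -> Vec<(&'static str, Option<&'static str>, Option<&'static str>)> {
    vec![
        ("local CLI client", Some("127.0.0.1:8080"), None),
        ("same-origin browser page", Some("localhost:8080"), Some("http://localhost:8080")),
        ("IPv6 loopback", Some("[::1]:8080"), Some("http://[::1]:8080")),
        // DNS rebinding: the attacker's name now resolves to 127.0.0.1, but
        // the browser still puts that name in Host and Origin.
        ("rebinding via attacker host", Some("rebind.attacker.example:8080"), Some("http://rebind.attacker.example:8080")),
        // Host looks local, but Origin exposes the cross-site page.
        ("cross-site page, local Host", Some("localhost:8080"), Some("https://attacker.example")),
        ("no Host header", None, None),
    ]
}

fn main() {
    let policy = HostOriginPolicy::loopback(8080);
    for (desc, host, origin) in sample_requests() {
        match policy.check(host, origin) {
            Ok(()) => println!("ALLOW  {desc}"),
            Err(e) => println!("REJECT {desc}: {e}"),
        }
    }
}
```

Run as a binary it prints one ALLOW/REJECT line per constructed request; the two attacker cases and the missing-Host case are rejected, the three loopback cases pass. Checking Host alone is not enough, which is why the second attacker case is included: a cross-site page can reach a server whose Host is legitimately local, so the Origin header has to be checked whenever the browser sends one.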