chore(deps-dev): bump the bundled group across 1 directory with 3 updates

[dependabot]

Bumps the bundled group with 3 updates in the / directory: @modelcontextprotocol/sdk, core-js and puppeteer.

Updates @modelcontextprotocol/sdk from 1.27.1 to 1.28.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.28.0

What's Changed

• feat: use scopes_supported from resource metadata by default (fixes #580) by @​antogyn in modelcontextprotocol/typescript-sdk#757
• [v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @​pcarleton in modelcontextprotocol/typescript-sdk#1611
• fix: reject plain JSON Schema objects passed as inputSchema by @​tiluckdave in modelcontextprotocol/typescript-sdk#1596
• fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @​pcarleton in modelcontextprotocol/typescript-sdk#1462
• fix(server/auth): RFC 8252 loopback port relaxation by @​poteat in modelcontextprotocol/typescript-sdk#1738
• chore: bump version to 1.28.0 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

• @​antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757
• @​tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596
• @​poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

Commits

• a056569 chore: bump version to 1.28.0 (#1746)
• 897bc25 fix(server/auth): RFC 8252 loopback port relaxation (#1738)
• 398dc70 fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller c...
• 93640d3 fix: reject plain JSON Schema objects passed as inputSchema (#1596)
• 4cbcec0 [v1.x backport] Default to client_secret_basic when server omits token_endpoi...
• c9b58d1 feat: use scopes_supported from resource metadata by default (fixes #580) (#757)
• 351e124 docs: add links to hosted V1 and V2 API reference docs
• See full diff in compare view

Updates core-js from 3.48.0 to 3.49.0

Changelog

Sourced from core-js's changelog.

3.49.0 - 2026.03.16

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #1503, #1464, #1510, thanks @​johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #810, #1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill

... (truncated)

Commits

• 80adfc4 v3.49.0
• 0ad3e00 fix a modern Safari bug in Array.prototype.includes with sparse arrays and ...
• 853bfa4 update some links
• b4d723f fix a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync p...
• e276676 fix parsing of non-IPv4 hosts ends in a number in the URL polyfill
• dd1cfba fix order of arguments validation in String.prototype.{ padStart, padEnd } ...
• b952c5f add an extra protection to configurator
• e490caf Fix for #810 (#1514)
• 10b4e86 drop an unneeded comment
• 28cf2e9 feat: Improve performance of Uint8Array Hex functions (#1510)
• Additional commits viewable in compare view

Updates puppeteer from 24.39.1 to 24.40.0

Release notes

Sourced from puppeteer's releases.

puppeteer-core: v24.40.0

24.40.0 (2026-03-19)

🎉 Features

• support PUPPETEER_DANGEROUS_NO_SANDBOX environment variable (#14756) (2a8276e)

🛠️ Fixes

• roll to Chrome 146.0.7680.153 (#14787) (443e87f)
• roll to Chrome 146.0.7680.80 (#14778) (14685a0)

puppeteer: v24.40.0

24.40.0 (2026-03-19)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.39.1 to 24.40.0

Changelog

Sourced from puppeteer's changelog.

24.40.0 (2026-03-19)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 24.39.1 to 24.40.0

🎉 Features

• support PUPPETEER_DANGEROUS_NO_SANDBOX environment variable (#14756) (2a8276e)

🛠️ Fixes

• roll to Chrome 146.0.7680.153 (#14787) (443e87f)
• roll to Chrome 146.0.7680.80 (#14778) (14685a0)

Commits

• 2f17622 chore: release main (#14783)
• 443e87f fix: roll to Chrome 146.0.7680.153 (#14787)
• 2a8276e feat: support PUPPETEER_DANGEROUS_NO_SANDBOX environment variable (#14756)
• 14685a0 fix: roll to Chrome 146.0.7680.80 (#14778)
• 7a8b8e6 chore(deps): bump the all group with 2 updates (#14780)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions