Merge branch 'main' into refactor/split-mcp-tasks-capability-server-client

Author: jayaraman-venkatesan

.devcontainer/devcontainer.json

@@ -1,10 +1,10 @@
 {
 	"name": "C# (.NET SDK)",
-	"image": "mcr.microsoft.com/devcontainers/dotnet:1-8.0-jammy",
+	"image": "mcr.microsoft.com/devcontainers/dotnet:2-10.0",
 	"features": {
 		"ghcr.io/devcontainers/features/dotnet:2": {
-			"version": "10.0",
-			"additionalVersions": "9.0"
+			"version": "9.0",
+			"additionalVersions": "8.0"
 		},
 		"ghcr.io/devcontainers/features/node:1": {}
 	},

.github/dependabot.yml

@@ -38,7 +38,7 @@ updates:
       - dependency-name: "Microsoft.Extensions.Hosting.Abstractions"
       - dependency-name: "Microsoft.Extensions.Logging.Abstractions"
       - dependency-name: "Microsoft.Extensions.AI.OpenAI"
-      - dependency-name: "Microsoft.Extensions.TimeProvider.Testing" 
+      - dependency-name: "Microsoft.Extensions.TimeProvider.Testing"
       - dependency-name: "Microsoft.AspNetCore.*"
       - dependency-name: "Microsoft.IdentityModel.*"
       - dependency-name: "Microsoft.Bcl.*"
@@ -56,7 +56,6 @@ updates:
     # Add labels to dependency update PRs
     labels:
       - "dependencies"
-      - "testing"
 
   # Monitor GitHub Actions
   - package-ecosystem: "github-actions"
@@ -70,4 +69,3 @@ updates:
     # Add labels to GitHub Actions update PRs
     labels:
       - "dependencies"
-      - "github-actions"

.github/workflows/ci-build-test.yml

@@ -50,7 +50,7 @@ jobs:
           9.0.x
 
     - name: 🔧 Set up Node.js
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         node-version: '20'
 
@@ -76,7 +76,7 @@ jobs:
 
     - name: 📤 Upload test results artifact
       if: always()
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: testresults-${{ matrix.os }}-${{ matrix.configuration }}
         path: artifacts/testresults/**

.github/workflows/ci-code-coverage.yml

@@ -24,7 +24,7 @@ jobs:
           pattern: testresults-*
 
       - name: Combine coverage reports
-        uses: danielpalme/ReportGenerator-GitHub-Action@5.5.4
+        uses: danielpalme/ReportGenerator-GitHub-Action@5.5.5
         with:
           reports: "**/*.cobertura.xml"
           targetdir: "${{ github.workspace }}/report"
@@ -36,7 +36,7 @@ jobs:
           toolpath: "reportgeneratortool"
 
       - name: Upload combined coverage XML
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: coverage
           path: ${{ github.workspace }}/report
@@ -56,7 +56,7 @@ jobs:
           thresholds: "60 80"
 
       - name: Upload combined coverage markdown
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: coverage-markdown
           path: ${{ github.workspace }}/code-coverage-results.md

.github/workflows/docs.yml

@@ -40,7 +40,7 @@ jobs:
       run: make generate-docs
 
     - name: Upload Pages artifact
-      uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+      uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
       with:
         path: 'artifacts/_site'
 

.github/workflows/release.yml

@@ -91,7 +91,7 @@ jobs:
           --output "${{ github.workspace }}/artifacts/packages"
 
       - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ !cancelled() }}
         with:
           name: build-artifacts

Directory.Packages.props

@@ -3,8 +3,8 @@
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <System8Version>8.0.22</System8Version>
     <System9Version>9.0.11</System9Version>
-    <System10Version>10.0.5</System10Version>
-    <MicrosoftExtensionsVersion>10.4.1</MicrosoftExtensionsVersion>
+    <System10Version>10.0.7</System10Version>
+    <MicrosoftExtensionsVersion>10.5.2</MicrosoftExtensionsVersion>
   </PropertyGroup>
 
   <!-- Product dependencies shared -->
@@ -62,8 +62,8 @@
 
   <!-- Testing dependencies -->
   <ItemGroup>
-    <PackageVersion Include="Anthropic" Version="12.9.0" />
-    <PackageVersion Include="coverlet.collector" Version="8.0.1">
+    <PackageVersion Include="Anthropic" Version="12.17.0" />
+    <PackageVersion Include="coverlet.collector" Version="10.0.0">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageVersion>
@@ -74,14 +74,14 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="$(System10Version)" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="$(System10Version)" />
     <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="10.1.0" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
     <PackageVersion Include="Moq" Version="4.20.72" />
-    <PackageVersion Include="OpenTelemetry" Version="1.15.1" />
-    <PackageVersion Include="OpenTelemetry.Exporter.InMemory" Version="1.15.1" />
-    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.1" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.0" />
-    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.1" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.1" />
+    <PackageVersion Include="OpenTelemetry" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Exporter.InMemory" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.1" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.3" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.2" />
     <PackageVersion Include="Serilog.Extensions.Hosting" Version="10.0.0" />
     <PackageVersion Include="Serilog.Extensions.Logging" Version="10.0.0" />
     <PackageVersion Include="Serilog.Sinks.Console" Version="6.1.1" />
@@ -92,6 +92,6 @@
     <PackageVersion Include="xunit.v3" Version="3.2.2" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
-    <PackageVersion Include="JsonSchema.Net" Version="9.1.3" />
+    <PackageVersion Include="JsonSchema.Net" Version="9.2.0" />
   </ItemGroup>
 </Project>

docs/concepts/getting-started.md

@@ -101,6 +101,20 @@ public static class EchoTool
 }
 ```
 
+#### Host name validation
+
+For local HTTP servers, keep the set of accepted host names limited to loopback values. This helps protect against DNS rebinding, where a browser reaches a local server through an attacker-controlled DNS name while sending that DNS name in the HTTP `Host` header. ASP.NET Core's Kestrel server doesn't validate `Host` headers by default, so configure `AllowedHosts` with known host names rather than `"*"`.
+
+For production servers, configure the exact public host names for the deployment, and validate the host name at the proxy or load balancer when one is responsible for forwarding client requests. This also avoids reflecting untrusted host names through ASP.NET Core features such as absolute URL generation. See [Host filtering with ASP.NET Core Kestrel web server | Microsoft Learn](https://learn.microsoft.com/aspnet/core/fundamentals/servers/kestrel/host-filtering) and [URL generation concepts | Microsoft Learn](https://learn.microsoft.com/aspnet/core/fundamentals/routing#url-generation-concepts).
+
+#### Browser cross-origin access
+
+**Only** enable CORS if you intentionally want browser-based cross-origin access to this server.
+
+CORS is not a substitute for host name validation. When browser-based cross-origin access is required, limit which browser origins can call the MCP endpoint by using the most restrictive ASP.NET Core CORS policy possible. See [Enable Cross-Origin Requests (CORS) in ASP.NET Core | Microsoft Learn](https://learn.microsoft.com/aspnet/core/security/cors). 
+
+For the full HTTP security examples, including `AllowedHosts` and restrictive CORS on `MapMcp`, see [Streamable HTTP transport](transports/transports.md#browser-cross-origin-access).
+
 ### Building an MCP client
 
 Create a new console app, add the package, and replace `Program.cs` with the code below. This client connects to the MCP "everything" reference server, lists its tools, and calls one:

docs/concepts/httpcontext/samples/appsettings.json

@@ -5,5 +5,5 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "localhost;127.0.0.1;[::1]"
 }

docs/concepts/logging/samples/server/appsettings.json

@@ -5,5 +5,5 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "localhost;127.0.0.1;[::1]"
 }