Bump io.modelcontextprotocol.sdk:mcp from 0.11.2 to 0.13.1

[dependabot]

Bumps io.modelcontextprotocol.sdk:mcp from 0.11.2 to 0.13.1.

Release notes

Sourced from io.modelcontextprotocol.sdk:mcp's releases.

v0.13.1

Full Changelog: modelcontextprotocol/java-sdk@v0.13.0...v0.13.1

v0.13.0

Release Notes

🚀 Major Features & Enhancements

Protocol Version Support

• Added MCP protocol version 2025-06-18 support for streamable-http and stateless transports (#558)
  • Set MCP_2025_06_18 as upper supported protocol version
  • Updated LATEST_PROTOCOL_VERSION constant to reflect new upper bound

Module Restructuring

• Extracted mcp-core module (#557) - ⚠️ BREAKING CHANGE

  • Created new mcp-core module free of Jackson dependencies
  • mcp module now serves as an umbrella module bringing together mcp-json-jackson2 and mcp-core
  • Classes are now in different JARs, which may affect classpath dependencies

• Jackson decoupling (#543) - Related to (#557)

  • Abstract away Jackson usage with SPI interfaces Creates two modules, mcp-json and mcp-json-jackson. It removes the com.fasterxml.jackson.core:jackson-databind and com.networknt:json-schema-validator dependencies from the mcp (now mcp-core) module. The mcp-core (mcp previously) module now only depends on com.fasterxml.jackson.core:jackson-annotations. To use Jackson, you have to add mcp-jackson to your dependencies in addition to mcp-core. I added the dependency mcp-jackson to both mcp-spring-mvc and mcp-spring-webflux to avoid a breaking change in those modules.

Enhanced Tool Output Support

• Support for array-type structured content in tools (#551) - ⚠️ BREAKING CHANGE
  • Changed CallToolResult.structuredContent type from Map<String,Object> to Object
  • Now supports both objects and arrays as structured content output
  • Updated JsonSchemaValidator to validate any Object type
  • Deprecated CallToolResult constructors in favor of builder pattern
  • Aligns with MCP specification requirements for array-type output schemas

🐛 Bug Fixes

Session Management

• Fixed LifecycleInitializer error recovery (#549)
  • Initializer can now recover from errors during doInitialize (e.g., HTTP errors)
  • Prevents getting stuck in error state and allows subsequent initialization calls to work
  • Particularly beneficial for OAuth2 token fetch scenarios

Serialization Improvements

• Added JsonInclude annotation to notification records (#552)
  • Enhanced proper JSON serialization for ResourcesUpdatedNotification and LoggingMessageNotification
  • Excludes absent (null/Optional.empty()) fields from serialized output
  • Ensures consistent serialization behavior across all notification types

Test Infrastructure

• Standardized test parameterization (#556)
  • Replaced @​ValueSource with @​MethodSource for parameterized tests

... (truncated)

Commits

• e54bb50 Release version 0.13.1
• 8d3e733 fix: typo MCP_SESSION_ID, keep consistent style with other identifiers (#564)
• 20b5dc8 feat: add optional lastModified field to Annotations record with backward com...
• e5bcb49 fix: handle resource not found according to spec (#567)
• 1158c13 Next development version
• 4b435d2 Release version 0.13.0
• 7525a99 simplify the mcp module pom
• 3d86539 fix(mcp): skip source/javadoc generation for aggregator module (#559)
• 8159bcb feat: add MCP protocol version 2025-06-18 support for streamable-http and sta...
• 8ac7eae refactor: standardize test parameterization and fix package naming (#556)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #691.