Summary
Installing @modelcontextprotocol/sdk@1.28.0 still produces 4 high-severity npm audit findings from transitive dependencies.
Repro
mkdir repro-mcp-sdk-audit
cd repro-mcp-sdk-audit
npm init -y
npm install @modelcontextprotocol/sdk@1.28.0
npm audit
Current vulnerable dependency chain
@modelcontextprotocol/sdk@1.28.0
├─ @hono/node-server@1.19.9
├─ express-rate-limit@8.2.1
├─ hono@4.12.3
└─ express@5.2.1 -> router@2.2.0 -> path-to-regexp@8.3.0
Reported advisories
@hono/node-server < 1.19.10
express-rate-limit >= 8.2.0 < 8.2.2
hono <= 4.12.6
path-to-regexp >= 8.0.0 < 8.4.0
npm ls
mcp-telegram@1.0.0
└─┬ @modelcontextprotocol/sdk@1.28.0
  ├─┬ @hono/node-server@1.19.9
  │ └── hono@4.12.3 deduped
  ├── express-rate-limit@8.2.1
  ├─┬ express@5.2.1
  │ └─┬ router@2.2.0
  │   └── path-to-regexp@8.3.0
  └── hono@4.12.3
Request
Could the SDK bump these transitive dependencies to patched versions so downstream projects stop inheriting the audit warnings?
I verified this after upgrading from @modelcontextprotocol/sdk@1.27.1 to 1.28.0, and the findings remained unchanged.
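Until the SDK bumps these packages, a downstream project can pin the transitive dependencies itself with npm's `overrides` field. The package.json below is an added example, not code from the SDK or this issue; the minimum versions are assumed to be the first releases outside each advisory's vulnerable range listed above, so confirm they exist with `npm view <pkg> versions` before relying on them.

```json
{
  "name": "mcp-telegram",
  "version": "1.0.0",
  "dependencies": {
    "@modelcontextprotocol/sdk": "1.28.0"
  },
  "overrides": {
    "@hono/node-server": "^1.19.10",
    "express-rate-limit": "^8.2.2",
    "hono": "^4.12.7",
    "path-to-regexp": "^8.4.0"
  }
}
```

After `npm install`, re-run `npm ls` and `npm audit` to confirm the overridden versions were resolved and the four findings are gone; since overrides bypass the SDK's own version constraints, exercise the server code paths that use express and hono before shipping.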