build(deps): bump SamMorrowDrums/mcp-server-diff from 2.3.5 to 3.0.0

[dependabot]

Bumps SamMorrowDrums/mcp-server-diff from 2.3.5 to 3.0.0.

Release notes

Sourced from SamMorrowDrums/mcp-server-diff's releases.

v3.0.0

Highlights

mcp-server-diff 3.0 is a major dependency refresh and a forward-compatibility pass for the upcoming MCP draft spec. The headline feature is clean cross-spec-version diffs: when a server upgrades its SDK across MCP spec revisions (2025-06-18 → 2025-11-25 → draft), the probe now normalizes away protocol envelope churn so the diff highlights intentional API surface changes only.

⚠️ Breaking changes

• Node.js 20 dropped. Node 20 reached LTS end-of-life on 2026-04-30, and undici v8 requires Node 22+ (uses webidl.util.markAsUncloneable). package.json now declares "engines": { "node": ">=22" }. The composite action's setup_node input default is now 22 (was 20); workflows passing an explicit node_version of 20 must bump.
• CI matrix is now [22, 24] (current LTS + current Current).

✨ New features

Cross-spec-version diff cleanliness

During the draft-spec rollout it's normal for the base ref and the branch to be on different protocol revisions. The diff should highlight intentional changes, not protocol churn. Now normalized away before snapshotting:

• CacheableResult hints (SEP-2461) — top-level ttlMs / cacheScope stripped from tools/list, prompts/list, resources/list, resources/templates/list results.
• _meta protocol plumbing — exact-key denylist (io.modelcontextprotocol/protocolVersion, clientInfo, clientCapabilities, subscriptionId, logLevel) stripped from every _meta at any depth.
• W3C trace context inside _meta — traceparent, tracestate, baggage stripped.
• initialize envelope churn — protocolVersion and capabilities.experimental excluded from the initialize diff body.

Not normalized (intentionally): serverInfo.version, nested cache hints inside tool/prompt/resource definitions, and the entire MCP Apps surface (_meta.ui per SEP-1865) plus vendor extensions (x.acme/* etc.) which all round-trip cleanly.

Protocol-version capture + reporter banner

The negotiated MCP protocol version is now captured per probe (via a transport.setProtocolVersion(...) hook, since the SDK doesn't expose a public getter). When base vs branch negotiated different versions, the report annotates the affected configuration with:

ℹ️ MCP protocol version changed: 2025-11-25 → draft. Protocol-level plumbing is normalized away; any diff below reflects real public-surface changes.

The PR summary surfaces the same drift at the very top so reviewers immediately know the diff was taken across spec revisions even when the diff body is empty.

Endpoint rename forward-compat

A new CANONICAL_SNAPSHOT_NAMES table in probe.ts maps both initialize and the upcoming server/discover (SEP-2575) to the same initialize snapshot file. When SDK v2 ships and servers move across the rename, the change surfaces as a content diff on one file instead of "removed + added".

One-sided startup failures diff against empty baseline (#58)

When exactly one side fails to start (e.g. a PR introduces a new server configuration behind a CLI flag that doesn't exist on the compare ref), the failed side is now treated as an empty ProbeResult and the working side's full surface renders as added/removed. New config-missing diff category renders a 🚫 callout in both the markdown report and PR summary. Only genuine both-sides probe failures still hard-error under fail_on_error.

Tool metadata diff coverage (#60)

First direct unit tests for the diff engine confirm that tool-level description changes AND nested inputSchema.properties.<arg>.description changes both surface under the tools endpoint diff. Thanks to @​kigland.

📦 Major dependency bumps

• zod ^3 → ^4 (breaking z.record signature handled internally)
• undici ^6 → ^8
• @actions/core ^1 → ^3, @actions/exec ^1 → ^3, @actions/io ^1 → ^3
• typescript ^5 → ^6, eslint ^9 → ^10, jest ^29 → ^30
• @types/node ^22 → ^24, @vercel/ncc ^0.38 → ^0.44, diff ^8 → ^9

... (truncated)

Commits

• 40d992e chore: release 3.0.0
• 7c2673e fix(runner,reporter): address PR #66 review
• ff90eef build: regenerate dist after folding #60 + #58
• fcf2b5e feat: diff one-sided startup failures against an empty baseline
• d8d0647 test: cover tool metadata diffs
• 74c0058 fix(probe,cli): address PR #56 review
• bc4d89d build!: require Node.js 22+, drop Node 20 support
• 82891c5 chore: in-range bumps + dist rebuild
• 5cb3b10 docs(probe): reframe discover-omits-instructions as difference, not regression
• ec68daa test(probe): pin real-wire fixtures from github-mcp-server v1.6.1 / v1.7.0-pre.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)