chore(deps): bump @agentclientprotocol/sdk from 0.28.1 to 1.0.0#415

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/agentclientprotocol/sdk-1.0.0

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Bumps @agentclientprotocol/sdk from 0.28.1 to 1.0.0.

Release notes

Sourced from @agentclientprotocol/sdk's releases.

v1.0.0

1.0.0 (2026-06-24)

Features

  • schema: Update to v1.16.0 of the schema (#199) (de58791)

Miscellaneous Chores

v0.29.0

0.29.0 (2026-06-22)

Features

  • unstable: Add support for request cancellation (#195) (d5197f9)
Changelog

Sourced from @agentclientprotocol/sdk's changelog.

1.0.0 (2026-06-24)

Features

  • schema: Update to v1.16.0 of the schema (#199) (de58791)

Miscellaneous Chores

0.29.0 (2026-06-22)

Features

  • unstable: Add support for request cancellation (#195) (d5197f9)
Commits

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 29, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 13:27

clawsweeper Bot commented Jun 29, 2026

Codex review: needs maintainer review before merge. Reviewed June 30, 2026, 8:10 PM ET / 00:10 UTC.

Summary
The PR updates the direct production @agentclientprotocol/sdk dependency from ^0.28.1 to ^1.0.0 and refreshes the matching lockfile entries.

Reproducibility: not applicable. This is a dependency maintenance PR, not a bug report. The useful validation path is full CI plus focused live ACP prompt/session smoke testing.

Review metrics: 3 noteworthy metrics.

  • Changed files: 2 modified. The patch is narrow, but both files control production dependency resolution.
  • Production dependency bump: 1 direct dependency, semver-major. The SDK is on the core ACP client runtime path, so this needs compatibility review beyond routine dependency churn.
  • CI status: 9 succeeded, 1 skipped, 1 neutral. Full repository validation is no longer pending, which reduces process risk but does not prove live ACP interop.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Run or attach a focused live acpx session and prompt smoke against a supported ACP agent before merge.

Risk before merge

  • [P1] This is a semver-major update of a direct production dependency used by the core ACP runtime path, so green static checks do not fully prove live-agent protocol compatibility.
  • [P1] The upstream SDK update includes schema v1.16.0 plus ACP and JSON-RPC implementation/type changes, which can affect runtime interop even though the local diff is narrow.

Maintainer options:

  1. Accept After Live ACP Smoke (recommended)
    Run a maintainer-owned live acpx session and prompt smoke against a supported ACP agent before merging the major SDK bump.
  2. Accept CI-Only Dependency Risk
    Maintainers can merge after the now-green CI if they explicitly own the remaining runtime compatibility risk from the protocol SDK major update.
  3. Pause If Adapter Drift Appears
    If live validation exposes SDK 1.0.0 or schema v1.16.0 incompatibility, pause this bump until acpx or affected adapters are updated together.

Next step before merge

  • [P2] Maintainers need to decide whether to accept or live-validate the SDK 1.0.0 compatibility risk; there is no narrow automated code repair indicated by the current diff.

Security
Cleared: No concrete security or supply-chain issue was found; the diff changes only the named SDK package version and matching lockfile resolution.

Review details

Best possible solution:

Land the SDK 1.0.0 bump only after maintainers accept the semver-major compatibility risk and, ideally, run a focused live acpx prompt/session smoke against a supported ACP agent.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a bug report. The useful validation path is full CI plus focused live ACP prompt/session smoke testing.

Is this the best way to solve the issue?

Yes: changing package.json and pnpm-lock.yaml is the narrow implementation path for consuming SDK 1.0.0. Because it is a semver-major production protocol dependency, final acceptance needs maintainer compatibility review.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 1d882575e34e.

Label changes

Label justifications:

  • P2: This is a normal-priority dependency maintenance PR with core runtime blast radius but no confirmed regression.
  • merge-risk: 🚨 compatibility: The PR changes the direct production ACP SDK used by AcpClient, so live agent compatibility needs maintainer review beyond green checks.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are exempt from the external contributor real-behavior proof gate, though maintainer live runtime proof remains recommended for this major dependency bump.
Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md says package.json changes are code-scope changes whose normal validation path is pnpm run check; that policy applies to this dependency PR. (AGENTS.md:264, 1d882575e34e)
  • Current main dependency state: Current main still declares @agentclientprotocol/sdk as ^0.28.1, so the dependency bump is not already implemented on the default branch. (package.json:83, 1d882575e34e)
  • PR diff scope: The PR head changes only package.json and pnpm-lock.yaml, replacing SDK 0.28.1 with 1.0.0 in 6 additions and 6 deletions. (package.json:83, 568611d46870)
  • Lockfile resolution: The PR lockfile resolves @agentclientprotocol/sdk to 1.0.0(zod@4.4.3) and keeps the same zod peer dependency shape. (pnpm-lock.yaml:17, 568611d46870)
  • Core runtime dependency path: AcpClient imports ClientSideConnection, PROTOCOL_VERSION, RequestError, and many ACP request/response types from the SDK, then uses the SDK connection for initialize, session, prompt, cancellation, close, and list flows. (src/acp/client.ts:3, 1d882575e34e)
  • CI state: GitHub reports the PR clean/mergeable with success for scope, Format, Typecheck, Lint, Build, Conformance Smoke, Test, Mutation, and Slophammer; Docs was skipped and CodeQL was neutral. (568611d46870)

Likely related people:

  • vincentkoc: Git blame attributes the current SDK dependency line to commit 4dd3222, and recent log history shows adjacent ACP runtime fixes in src/acp/client.ts and src/acp/jsonrpc.ts. (role: recent dependency and ACP runtime contributor; confidence: high; commits: 4dd322232403, de042d12cd63, f29a0e5ae133; files: package.json, pnpm-lock.yaml, src/acp/client.ts)
  • steipete: GitHub commit metadata and blame show the v0.11.0 release commit introduced the current baseline package files and the main SDK import surface in src/acp/client.ts. (role: baseline release author; confidence: medium; commits: 9149b26f4971; files: package.json, pnpm-lock.yaml, src/acp/client.ts)
  • zhangguiping-xydt: Recent merged work changed src/acp/client.ts and session agent option plumbing adjacent to SDK-backed session and child-process behavior. (role: recent adjacent session/spawn contributor; confidence: medium; commits: 054cd32cb007; files: src/acp/client.ts, src/types.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added the following labels Jun 29, 2026:

  • rating: 🦐 gold shrimp: Decent PR readiness signal, but merge confidence is limited.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action.
  • P2: Normal priority bug or improvement with limited blast radius.
  • merge-risk: 🚨 compatibility: 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.
  • merge-risk: 🚨 other: 🚨 Merging this PR has meaningful risk outside the owned taxonomy.

Bumps [@agentclientprotocol/sdk](https://github.com/agentclientprotocol/typescript-sdk) from 0.28.1 to 1.0.0.
- [Release notes](https://github.com/agentclientprotocol/typescript-sdk/releases)
- [Changelog](https://github.com/agentclientprotocol/typescript-sdk/blob/main/CHANGELOG.md)
- [Commits](agentclientprotocol/typescript-sdk@v0.28.1...v1.0.0)

---
updated-dependencies:
- dependency-name: "@agentclientprotocol/sdk"
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/agentclientprotocol/sdk-1.0.0 branch from a3a8154 to 568611d Compare June 30, 2026 23:53
@clawsweeper clawsweeper Bot added and removed labels Jun 30, 2026.

Added:

  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.

Removed:

  • rating: 🦐 gold shrimp: Decent PR readiness signal, but merge confidence is limited.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action.
  • merge-risk: 🚨 other: 🚨 Merging this PR has meaningful risk outside the owned taxonomy.


dependabot Bot commented on behalf of github Jul 2, 2026

Superseded by #421.

@dependabot dependabot Bot closed this Jul 2, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/agentclientprotocol/sdk-1.0.0 branch July 2, 2026 13:26

Labels

  • dependencies: Pull requests that update a dependency file
  • javascript: Pull requests that update javascript code
  • merge-risk: 🚨 compatibility: 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.
  • P2: Normal priority bug or improvement with limited blast radius.
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
