Skip to content

chore(deps): bump @agentclientprotocol/sdk from 0.28.1 to 1.1.0#421

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/agentclientprotocol/sdk-1.1.0
Open

chore(deps): bump @agentclientprotocol/sdk from 0.28.1 to 1.1.0#421
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/agentclientprotocol/sdk-1.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps @agentclientprotocol/sdk from 0.28.1 to 1.1.0.

Release notes

Sourced from @​agentclientprotocol/sdk's releases.

v1.1.0

1.1.0 (2026-06-29)

Features

  • Expose request ids in handler contexts (#202) (eda849c)

v1.0.0

1.0.0 (2026-06-24)

Features

  • schema: Update to v1.16.0 of the schema (#199) (de58791)

Miscellaneous Chores

v0.29.0

0.29.0 (2026-06-22)

Features

  • unstable: Add support for request cancellation (#195) (d5197f9)
Changelog

Sourced from @​agentclientprotocol/sdk's changelog.

1.1.0 (2026-06-29)

Features

  • Expose request ids in handler contexts (#202) (eda849c)

1.0.0 (2026-06-24)

Features

  • schema: Update to v1.16.0 of the schema (#199) (de58791)

Miscellaneous Chores

0.29.0 (2026-06-22)

Features

  • unstable: Add support for request cancellation (#195) (d5197f9)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@agentclientprotocol/sdk](https://github.com/agentclientprotocol/typescript-sdk) from 0.28.1 to 1.1.0.
- [Release notes](https://github.com/agentclientprotocol/typescript-sdk/releases)
- [Changelog](https://github.com/agentclientprotocol/typescript-sdk/blob/main/CHANGELOG.md)
- [Commits](agentclientprotocol/typescript-sdk@v0.28.1...v1.1.0)

---
updated-dependencies:
- dependency-name: "@agentclientprotocol/sdk"
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 2, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 2, 2026 13:26
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 2, 2026
@clawsweeper

clawsweeper Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed July 2, 2026, 6:08 PM ET / 22:08 UTC.

Summary
The PR updates @agentclientprotocol/sdk from ^0.28.1 to ^1.1.0 in package.json and refreshes the matching pnpm-lock.yaml entries.

Reproducibility: not applicable. this is a dependency maintenance PR, not a bug report. The useful validation path is full CI plus focused live ACP prompt/session smoke testing.

Review metrics: 3 noteworthy metrics.

  • Changed files: 2 modified. The patch is narrow, but both files control production dependency resolution.
  • Production dependency bump: 1 direct dependency, semver-major. The SDK is on the core ACP client runtime path, so this needs compatibility review beyond routine dependency churn.
  • CI status: 9 succeeded, 1 skipped, 1 neutral. Full repository validation is green, which reduces process risk but does not prove live ACP interop.

Root-cause cluster
Relationship: canonical
Canonical: #421
Summary: This PR is the current canonical Dependabot bump for @agentclientprotocol/sdk to 1.1.0; the earlier 1.0.0 PR was closed as superseded by this one.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Run or attach a focused live acpx session and prompt smoke against a supported ACP agent before merge.

Risk before merge

  • [P1] This is a semver-major update of a direct production dependency used by the core ACP runtime path, so green static checks do not fully prove live-agent protocol compatibility.
  • [P1] The upstream SDK update includes schema v1.16.0 plus JSON-RPC request cancellation and request-id context changes, which could affect runtime interop with supported agents even though the local diff is narrow.

Maintainer options:

  1. Accept After Live ACP Smoke (recommended)
    Run a maintainer-owned live acpx session and prompt smoke against a supported ACP agent before merging the major SDK bump.
  2. Accept CI-Only Dependency Risk
    Maintainers can merge after green CI if they explicitly own the remaining runtime compatibility risk from the protocol SDK major update.
  3. Pause If Adapter Drift Appears
    If live validation exposes SDK 1.1.0 or schema v1.16.0 incompatibility, pause this bump until acpx or affected adapters are updated together.

Next step before merge

  • [P2] Maintainers need to decide whether green CI is enough or run live ACP session/prompt smoke before merging the semver-major SDK bump.

Security
Cleared: No concrete security or supply-chain issue was found; the diff changes only the named SDK package version and matching lockfile resolution.

Review details

Best possible solution:

Land the SDK 1.1.0 bump after maintainers accept the semver-major compatibility risk and preferably run a focused live acpx session and prompt smoke against a supported ACP agent.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a bug report. The useful validation path is full CI plus focused live ACP prompt/session smoke testing.

Is this the best way to solve the issue?

Yes: changing package.json and pnpm-lock.yaml is the narrow implementation path for consuming SDK 1.1.0. Because it is a semver-major production protocol dependency, final acceptance needs maintainer compatibility review.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 1d882575e34e.

Label changes

Label changes:

  • add P2: This is a normal-priority dependency maintenance PR with core runtime blast radius but no confirmed regression.
  • add merge-risk: 🚨 compatibility: The PR changes the direct production ACP SDK used by AcpClient, so live agent compatibility needs maintainer review beyond green checks.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are exempt from the external contributor real-behavior proof gate, though maintainer live runtime proof remains recommended for this major dependency bump.

Label justifications:

  • P2: This is a normal-priority dependency maintenance PR with core runtime blast radius but no confirmed regression.
  • merge-risk: 🚨 compatibility: The PR changes the direct production ACP SDK used by AcpClient, so live agent compatibility needs maintainer review beyond green checks.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are exempt from the external contributor real-behavior proof gate, though maintainer live runtime proof remains recommended for this major dependency bump.
Evidence reviewed

Acceptance criteria:

  • [P1] pnpm run check.
  • [P1] Focused live acpx session and prompt smoke against a supported ACP agent.

What I checked:

  • Repository policy read: Full AGENTS.md was read; package.json changes are code-scope changes whose normal validation path is pnpm run check, so that policy applies to this dependency PR. (AGENTS.md:264, 1d882575e34e)
  • Current main dependency state: Current main still declares @agentclientprotocol/sdk as ^0.28.1, so the requested bump is not already implemented on the default branch. (package.json:83, 1d882575e34e)
  • PR diff scope: The PR head changes only package.json and pnpm-lock.yaml, replacing SDK 0.28.1 with 1.1.0 in 6 additions and 6 deletions. (package.json:83, b2b130c4ec61)
  • Core runtime dependency path: AcpClient imports ClientSideConnection, PROTOCOL_VERSION, RequestError, and ACP request/response types from the SDK and uses the SDK connection for session and control flows. (src/acp/client.ts:3, 1d882575e34e)
  • Upstream SDK surface changed: A local tarball comparison of SDK 0.28.1 versus 1.1.0 shows schema/type additions plus JSON-RPC request-id and cancellation behavior, which makes live ACP compatibility worth maintainer review even though the local diff is small.
  • CI state: GitHub reports the PR as clean and mergeable with successful scope, format, typecheck, lint, build, conformance smoke, test, mutation, and Slophammer checks; Docs was skipped and CodeQL was neutral. (b2b130c4ec61)

Likely related people:

  • vincentkoc: Git blame attributes the current SDK dependency line to commit 4dd3222, and recent history shows adjacent ACP runtime fixes in src/acp/client.ts and related paths. (role: recent dependency and ACP runtime contributor; confidence: high; commits: 4dd322232403, de042d12cd63, f29a0e5ae133; files: package.json, pnpm-lock.yaml, src/acp/client.ts)
  • steipete: Blame shows the v0.11.0 release commit introduced the current baseline package files and the main SDK import surface in src/acp/client.ts. (role: baseline release author; confidence: medium; commits: 9149b26f4971; files: package.json, pnpm-lock.yaml, src/acp/client.ts)
  • zhangguiping-xydt: Recent merged work changed src/acp/client.ts and session agent option plumbing adjacent to SDK-backed session and child-process behavior. (role: recent adjacent session/spawn contributor; confidence: medium; commits: 054cd32cb007; files: src/acp/client.ts, src/types.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. labels Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code merge-risk: 🚨 compatibility 🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades. P2 Normal priority bug or improvement with limited blast radius. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants