fix: prevent command injection in example URL opening (v1.x backport)

[maxisbey]

Backport of #1553 to v1.x.

Removes the use of exec() with string interpolation to open URLs in elicitationUrlExample.ts and simpleOAuthClient.ts, which allowed command injection via crafted URLs.

Rather than adding the open npm package (as #1553 does on main), this takes a simpler approach: remove the auto-open behavior entirely and print the URL for the user to open manually. On v1.x there is no separate examples package, so adding open would introduce a new runtime dependency on the published SDK. Since the examples already handle waiting via HTTP callbacks and MCP notifications (not the browser process), this change has no effect on functionality.

_{AI Disclaimer}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 978b6cc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/sdk@1579

commit: 978b6cc

[felixweinberger]

Thanks for doing this! LGTM