Added SDK Version Pin Agent documentation outlining its role, actions, scope, constraints, and examples for managing SDK dependencies across multiple repositories.
- CODEOWNERS: update auth-team paths to match v2 monorepo layout (old paths referenced /src/... which no longer exist, causing all auth-related PRs to skip required auth-team review)
- ci: align actions/checkout and actions/setup-node to @v6 in the publish job of main.yml (was @v4, inconsistent with build/test jobs)
- ci: add typecheck+lint gate to publish.yml before building preview packages (broken code could previously be published on every push)
- ci: remove continue-on-error from conformance jobs; expected-failures is empty so real regressions were silently swallowed
- security: remove internal error detail (String(error)) from the JSON-RPC parse-error response body in streamableHttp — stack traces and file paths should not be forwarded to clients
- refactor: convert tasks/result polling handler from unbounded recursion to an explicit while-loop, eliminating deep promise-chain accumulation for long-running tasks

https://claude.ai/code/session_01CCxV9DvdS7Bf7bck3R9FJs
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
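The refactor item in the commit message above (tasks/result polling moved from recursion to a while-loop) is easier to reason about with both shapes side by side. The following is an added example, not the SDK's protocol.ts: `TaskStatus`, `Fetch`, `pollRecursive`, `pollIterative` and `makeFetch` are illustrative names, and the server is a constructed stand-in that reports "working" a fixed number of times before completing.

```typescript
// Added example, not the SDK's protocol.ts. A tasks/result poller written as
// recursion (each "still working" reply awaits a nested call, so N polls leave
// N pending promises and their closures alive) versus an explicit loop with a
// bounded attempt count. All names here are illustrative assumptions.

export type TaskStatus<T> =
  | { state: "working"; pollIntervalMs?: number }
  | { state: "completed"; result: T }
  | { state: "failed"; error: string };

// One round-trip of tasks/result, abstracted away from the transport.
export type Fetch<T> = () => Promise<TaskStatus<T>>;

// Before: recursive. `depth` is returned only so the chain depth is observable.
export async function pollRecursive<T>(
  fetch: Fetch<T>,
  depth = 0,
): Promise<{ result: T; depth: number }> {
  const status = await fetch();
  if (status.state === "completed") return { result: status.result, depth };
  if (status.state === "failed") throw new Error(status.error);
  // Looks like a tail call, but async functions get no tail-call elimination:
  // this frame's promise stays pending until every inner one has settled.
  return pollRecursive(fetch, depth + 1);
}

export interface PollOptions {
  maxAttempts?: number; // hard cap so a task that never completes cannot poll forever
  sleep?: (ms: number) => Promise<void>;
}

// After: iterative. Stack and promise depth stay constant however long the
// task runs, and the give-up condition is an explicit loop check.
export async function pollIterative<T>(
  fetch: Fetch<T>,
  opts: PollOptions = {},
): Promise<{ result: T; attempts: number }> {
  const {
    maxAttempts = 1000,
    sleep = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)),
  } = opts;
  let attempts = 0;
  while (true) {
    if (attempts >= maxAttempts) {
      throw new Error(`task still working after ${maxAttempts} polls; giving up`);
    }
    attempts++;
    const status = await fetch();
    if (status.state === "completed") return { result: status.result, attempts };
    if (status.state === "failed") throw new Error(status.error);
    await sleep(status.pollIntervalMs ?? 0);
  }
}

// Constructed stand-in for a server: answers "working" `workingPolls` times,
// then "completed" with `result`.
export function makeFetch<T>(workingPolls: number, result: T): Fetch<T> {
  let calls = 0;
  return async (): Promise<TaskStatus<T>> =>
    calls++ < workingPolls
      ? { state: "working", pollIntervalMs: 0 }
      : { state: "completed", result };
}
```

With five "working" replies, `pollRecursive` completes at depth 5 while `pollIterative` reports six attempts and no nesting; setting `maxAttempts` below the number of polls needed turns a task that never finishes into a rejected promise instead of an unbounded chain.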
Add CodeQL analysis workflow configuration
Version Packages
- @modelcontextprotocol/client
- @modelcontextprotocol/server
- @modelcontextprotocol/express
- @modelcontextprotocol/hono
- @modelcontextprotocol/node
Pull request overview
This PR appears to prep the repo for a 2.0.0 release by updating package versions and generating package changelogs, while also tightening CI (pnpm checks, conformance gating) and making a couple of runtime-behavior hardening changes.
Changes:
- Bump multiple workspace packages from `2.0.0-alpha.0` to `2.0.0` and add corresponding `CHANGELOG.md` files.
- Update CI workflows (publish adds `check:all`, conformance is no longer `continue-on-error`) and add a CodeQL workflow.
- Harden/adjust runtime behavior (remove raw parse error details from HTTP JSON-RPC error responses; replace recursive task result polling with an iterative loop).
Reviewed changes
Copilot reviewed 39 out of 39 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/integration/package.json | Version bump to 2.0.0 for integration test package. |
| test/integration/CHANGELOG.md | New changelog for @modelcontextprotocol/test-integration v2.0.0. |
| packages/server/src/server/streamableHttp.ts | Stops including raw parse error details in JSON-RPC error responses. |
| packages/server/package.json | Server package version bump to 2.0.0. |
| packages/server/CHANGELOG.md | New changelog for @modelcontextprotocol/server v2.0.0. |
| packages/middleware/node/package.json | Node middleware version bump to 2.0.0. |
| packages/middleware/node/CHANGELOG.md | New changelog for @modelcontextprotocol/node v2.0.0. |
| packages/middleware/hono/package.json | Hono middleware version bump to 2.0.0. |
| packages/middleware/hono/CHANGELOG.md | New changelog for @modelcontextprotocol/hono v2.0.0. |
| packages/middleware/express/package.json | Express middleware version bump to 2.0.0. |
| packages/middleware/express/CHANGELOG.md | New changelog for @modelcontextprotocol/express v2.0.0. |
| packages/core/src/shared/protocol.ts | Refactors tasks/result polling from recursion to an explicit loop. |
| packages/core/package.json | Core package version bump to 2.0.0. |
| packages/core/CHANGELOG.md | New changelog for @modelcontextprotocol/core v2.0.0. |
| packages/client/package.json | Client package version bump to 2.0.0. |
| packages/client/CHANGELOG.md | New changelog for @modelcontextprotocol/client v2.0.0. |
| .github/workflows/publish.yml | Adds pnpm run check:all before building/publishing. |
| .github/workflows/main.yml | Updates checkout/setup-node action versions. |
| .github/workflows/conformance.yml | Makes conformance failures block CI (continue-on-error: false). |
| .github/workflows/codeql.yml | Adds CodeQL scanning workflow (currently has YAML validity issues). |
| .github/agents/sdk-version-pin-agent.agent.md | Adds an agent spec doc for coordinating SDK version pinning across repos. |
| .github/CODEOWNERS | Updates auth-related ownership paths to match the packages/ layout. |
| .changeset/use-scopes-supported-in-dcr.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/twelve-dodos-taste.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/tender-snails-fold.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/shy-times-learn.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/rich-hounds-report.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/respect-capability-negotiation.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/quick-islands-occur.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/oauth-error-http200.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/heavy-walls-swim.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/funky-baths-attack.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/fix-unknown-tool-protocol-error.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/fix-task-session-isolation.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/expose-auth-server-discovery.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/cyan-cycles-pump.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/busy-weeks-hang.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/brave-lions-glow.md | Removed changeset (presumably rolled into release changelogs). |
| .changeset/add-hono-peer-dep.md | Removed changeset (presumably rolled into release changelogs). |
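The overview's hardening item (dropping raw parse error details from the HTTP JSON-RPC error response) is worth seeing as code. What follows is an added example, not the SDK's streamableHttp.ts: `leakyParseErrorResponse`, `safeParseErrorResponse`, `handleBody` and `looksLikeInternalDetail` are illustrative names, and the error messages used to exercise them are constructed.

```typescript
// Added example, not code from the SDK's streamableHttp.ts. It contrasts a
// JSON-RPC parse-error response that forwards String(error) to the client with
// one that returns a fixed body and keeps the detail in a server-side log.
// All function names here are illustrative assumptions.

// JSON-RPC 2.0 reserved code for a body that is not valid JSON.
export const PARSE_ERROR = -32700;

export interface JsonRpcErrorResponse {
  jsonrpc: "2.0";
  id: null;
  error: { code: number; message: string; data?: unknown };
}

// "Before": whatever the body parser threw is stringified into `data`.
// A wrapped error from a body-reading layer can carry a stack or a path.
export function leakyParseErrorResponse(err: unknown): JsonRpcErrorResponse {
  return {
    jsonrpc: "2.0",
    id: null,
    error: { code: PARSE_ERROR, message: "Parse error", data: String(err) },
  };
}

// "After": constant body; the detail goes only to the operator's log sink.
export function safeParseErrorResponse(
  err: unknown,
  log: (line: string) => void = console.error,
): JsonRpcErrorResponse {
  const detail = err instanceof Error ? err.stack ?? err.message : String(err);
  log(`JSON-RPC parse error: ${detail}`);
  return { jsonrpc: "2.0", id: null, error: { code: PARSE_ERROR, message: "Parse error" } };
}

// Minimal request handler using the hardened response.
export function handleBody(
  raw: string,
  log?: (line: string) => void,
): { status: number; body: unknown } {
  try {
    return { status: 200, body: JSON.parse(raw) };
  } catch (err) {
    return { status: 400, body: safeParseErrorResponse(err, log) };
  }
}

// Review/monitoring check: does a serialized response body contain something
// that looks like a stack frame or a source-file path?
export function looksLikeInternalDetail(serialized: string): boolean {
  return /\bat\s+\S+\s+\(|\/[\w.-]+\/[\w.-]+\.(?:ts|js|mjs|cjs)\b|[A-Za-z]:\\\S+/.test(serialized);
}
```

The check in `looksLikeInternalDetail` is the kind of assertion a transport test can run over every error body it emits: the leaky response built from a filesystem error trips it, the hardened one never does, because its body is the same constant regardless of what was thrown.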
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install pnpm | ||
| if: matrix.language == 'javascript-typescript' | ||
| uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 10.26.1 | ||
| run_install: false | ||
|
|
||
| - name: Setup Node.js | ||
| if: matrix.language == 'javascript-typescript' | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| # ⚠️ No cache: 'pnpm' here — pnpm/action-setup handles caching | ||
|
|
||
| - name: Install dependencies | ||
| if: matrix.language == 'javascript-typescript' | ||
| run: pnpm install --frozen-lockfile | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
|
|
||
| - name: Run manual build steps | ||
| if: matrix.build-mode == 'manual' | ||
| shell: bash | ||
| run: | | ||
| echo 'Replace this with your manual build commands' | ||
| exit 1 | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
| with: | ||
| category: "/language:${{matrix.language}}" No newline at end of file |
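Review bot: `actions/checkout@v4` (Checkout repository step) and `actions/setup-node@v4` (Setup Node.js step) are pinned to a moving major tag, while this PR's own commit message aligns those same actions to @v6 in main.yml; pin them consistently across workflows, and since this is the security-scanning workflow consider pinning each third-party action to a full commit SHA with the tag in a trailing comment so that a retagged release cannot change what runs. The "Run manual build steps" step is the generated placeholder and ends in `exit 1`, so any matrix entry with `build-mode: manual` fails by construction; drop the step or replace the echo with the real build command.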
The `steps:` list items are not indented under `steps`, which makes this workflow invalid YAML (the `- name:` entries need to be nested under `steps:`). Please indent the step entries so they are children of `steps:`.
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install pnpm | |
| if: matrix.language == 'javascript-typescript' | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10.26.1 | |
| run_install: false | |
| - name: Setup Node.js | |
| if: matrix.language == 'javascript-typescript' | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| # ⚠️ No cache: 'pnpm' here — pnpm/action-setup handles caching | |
| - name: Install dependencies | |
| if: matrix.language == 'javascript-typescript' | |
| run: pnpm install --frozen-lockfile | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| - name: Run manual build steps | |
| if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'Replace this with your manual build commands' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| # ⚠️ No cache: 'pnpm' here — pnpm/action-setup handles caching |
This workflow currently doesn't configure dependency caching for pnpm (and the comment says `pnpm/action-setup` handles caching). If you want caching, add `cache: pnpm` (and `cache-dependency-path`) to `actions/setup-node`, or remove/adjust the comment to avoid implying caching is enabled when it isn't.
| # ⚠️ No cache: 'pnpm' here — pnpm/action-setup handles caching | |
| # Note: dependency caching is not configured here. To enable it, add cache: 'pnpm' and cache-dependency-path to actions/setup-node. |