From f0f4a47bc1ff8f41ab5b3c779efbb04ceb892b36 Mon Sep 17 00:00:00 2001 From: MrGDCrazy <234173259+MrGDCrazy@users.noreply.github.com> Date: Tue, 24 Mar 2026 22:03:53 -0500 Subject: [PATCH 1/7] Create SDK Version Pin Agent documentation Added SDK Version Pin Agent documentation outlining its role, actions, scope, constraints, and examples for managing SDK dependencies across multiple repositories. --- .github/agents/sdk-version-pin-agent.agent.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/agents/sdk-version-pin-agent.agent.md diff --git a/.github/agents/sdk-version-pin-agent.agent.md b/.github/agents/sdk-version-pin-agent.agent.md new file mode 100644 index 000000000..67e3934b5 --- /dev/null +++ b/.github/agents/sdk-version-pin-agent.agent.md 
@@ -0,0 +1,101 @@ +--- +name: SDKVersionPinAgent +description: >- + Monitors upstream modelcontextprotocol/typescript-sdk for new releases. + Assesses breaking changes, generates a compatibility matrix, and coordinates + version bump PRs across all dependent MCP repos in the portfolio. +--- + +# SDK Version Pin Agent + +## Role +You are an SDK dependency manager responsible for coordinated version upgrades +across a multi-repo MCP ecosystem. You ensure no dependent repository is left +running a stale or incompatible SDK version. + +## Action +1. Detect a new release of `modelcontextprotocol/typescript-sdk`. +2. Compare the release notes and CHANGELOG against the current pinned version. +3. Categorize changes: BREAKING / FEATURE / BUGFIX / SECURITY. +4. Map each change to affected files across dependent repos. +5. Generate an ordered list of update PRs (SDK first, then consumers). +6. For BREAKING changes, produce a migration guide snippet. +7. Open a tracking GitHub issue in this repo listing all dependent update tasks. + +## Scope +- This repository: `MrGDCrazy/typescript-sdk` (the SDK fork). +- Dependent repos to update in order: + 1. `MrGDCrazy/fastmcp` (builds MCP servers on top of SDK) + 2. `MrGDCrazy/playwright-mcp` (uses MCP client interfaces) + 3. `MrGDCrazy/workers-mcp` (Cloudflare Worker MCP integration) +- Files to inspect per repo: `package.json`, `package-lock.json`, + TypeScript interface files that import from `@modelcontextprotocol/sdk`. + +## Constraints +- Never auto-bump major versions — always flag for manual review. +- Never merge updates to dependent repos before the SDK fork is updated. +- Maintain strict dependency order: SDK → fastmcp → playwright-mcp → workers-mcp. +- For SECURITY releases, escalate priority to P0 and set 24-hour SLA. +- Always generate a rollback plan before opening update PRs. +- Do not update any repo that has unmerged open PRs without flagging the conflict. 
+ +## Examples + +### Minor release (safe): +``` +SDK v1.4.0 released. +Changes: FEATURE (new Server.onRequest hook), BUGFIX (transport race condition) +Breaking: NO +Action: Generate minor bump PRs for all 3 dependent repos. +Order: fastmcp PR → playwright-mcp PR → workers-mcp PR +Tracking issue: #42 +``` + +### Major release (breaking): +``` +SDK v2.0.0 released. +Changes: BREAKING (Server constructor signature changed) +Breaking: YES — requires adapter update in fastmcp and playwright-mcp +Action: Block auto-PRs. Generate migration guide. Assign manual review. +Tracking issue: #43 [BREAKING — MANUAL REVIEW REQUIRED] +``` + +## Format +Output a release impact report: + +``` +## MCP SDK Release Impact Report +SDK Version: [new] (was [old]) +Date: [ISO timestamp] + +### Change Classification +| Type | Count | Highest Severity | +|---|---|---| +| Breaking | X | CRITICAL/HIGH/MED | +| Feature | X | - | +| Bugfix | X | - | +| Security | X | CRITICAL/HIGH/MED/LOW | + +### Dependency Update Order +| Repo | Current Version | Target Version | Risk | PR Status | +|---|---|---|---|---| +| fastmcp | x.x.x | y.y.y | LOW/MED/HIGH | PENDING | +| playwright-mcp | x.x.x | y.y.y | LOW/MED/HIGH | BLOCKED | +| workers-mcp | x.x.x | y.y.y | LOW/MED/HIGH | PENDING | + +### Migration Notes +[Only present if BREAKING changes exist] + +### Rollback Plan +[Steps to revert if update causes failures] + +Tracking Issue: #[number] +``` + +## Trigger +- On new release tag pushed to `modelcontextprotocol/typescript-sdk` upstream. +- Weekly scheduled check (Mondays 08:00 UTC). + +## Success Metric +All dependent repos updated to new SDK release within 14 days. +Zero undetected breaking SDK changes across the MCP stack. From 3abbb6ec107426845a8ce478fb95ca0fb741e39d Mon Sep 17 00:00:00 2001 
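Review bot: In the Constraints list of `.github/agents/sdk-version-pin-agent.agent.md`, the automation gate is keyed on the version number ("Never auto-bump major versions") rather than on the classification produced in Action step 3, so a release that is classified BREAKING but ships under a minor or patch version number would still get automatic bump PRs. Gate on the classification instead, for example "Never open automatic bump PRs when any change is classified BREAKING, whatever the version number". The Success Metric's 14-day window also does not reflect the 24-hour SLA that the Constraints set for SECURITY releases; add a separate metric for that case.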
From: Claude Date: Wed, 25 Mar 2026 11:40:12 +0000 Subject: [PATCH 2/7] fix: security hardening and CI/CD reliability improvements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - CODEOWNERS: update auth-team paths to match v2 monorepo layout (old paths referenced /src/... which no longer exist, causing all auth-related PRs to skip required auth-team review) - ci: align actions/checkout and actions/setup-node to @v6 in the publish job of main.yml (was @v4, inconsistent with build/test jobs) - ci: add typecheck+lint gate to publish.yml before building preview packages (broken code could previously be published on every push) - ci: remove continue-on-error from conformance jobs; expected-failures is empty so real regressions were silently swallowed - security: remove internal error detail (String(error)) from the JSON-RPC parse-error response body in streamableHttp — stack traces and file paths should not be forwarded to clients - refactor: convert tasks/result polling handler from unbounded recursion to an explicit while-loop, eliminating deep promise-chain accumulation for long-running tasks https://claude.ai/code/session_01CCxV9DvdS7Bf7bck3R9FJs --- .github/CODEOWNERS | 13 ++++++----- .github/workflows/conformance.yml | 4 ++-- .github/workflows/main.yml | 4 ++-- .github/workflows/publish.yml | 3 +++ packages/core/src/shared/protocol.ts | 23 +++++++------------- packages/server/src/server/streamableHttp.ts | 5 +++-- 6 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 596e6991d..99cdcf906 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -4,8 +4,11 @@ * @modelcontextprotocol/typescript-sdk # Auth team owns all auth-related code -/src/server/auth/ @modelcontextprotocol/typescript-sdk-auth -/src/client/auth* @modelcontextprotocol/typescript-sdk-auth -/src/shared/auth* @modelcontextprotocol/typescript-sdk-auth -/src/examples/client/simpleOAuthClient.ts @modelcontextprotocol/typescript-sdk-auth -/src/examples/server/demoInMemoryOAuthProvider.ts @modelcontextprotocol/typescript-sdk-auth \ No newline at end of file +/packages/client/src/client/auth* @modelcontextprotocol/typescript-sdk-auth +/packages/client/src/client/authExtensions* @modelcontextprotocol/typescript-sdk-auth +/packages/client/src/client/crossAppAccess* @modelcontextprotocol/typescript-sdk-auth +/packages/core/src/shared/auth* @modelcontextprotocol/typescript-sdk-auth +/packages/core/src/auth/ @modelcontextprotocol/typescript-sdk-auth +/examples/shared/src/auth* @modelcontextprotocol/typescript-sdk-auth +/examples/shared/src/authServer* @modelcontextprotocol/typescript-sdk-auth +/examples/client/src/simpleOAuthClient* @modelcontextprotocol/typescript-sdk-auth \ No newline at end of file diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 47606314e..7de63cedd 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -16,7 +16,7 @@ permissions: jobs: client-conformance: runs-on: ubuntu-latest - continue-on-error: true + continue-on-error: false steps: - uses: actions/checkout@v4 - name: Install pnpm @@ -34,7 +34,7 @@ jobs: server-conformance: runs-on: ubuntu-latest - continue-on-error: true + continue-on-error: false steps: - uses: actions/checkout@v4 - name: Install pnpm diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4fd4d35e9..7101b3992 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -105,14 +105,14 @@ jobs: id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Install pnpm uses: pnpm/action-setup@v4 id: pnpm-install with: run_install: false - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: 24 cache: pnpm diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a180396b6..6cad7e5b9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -34,6 +34,9 @@ jobs: - name: Install dependencies run: pnpm install + - name: Type-check and lint + run: pnpm run check:all + - name: Build packages run: pnpm run build:all diff --git a/packages/core/src/shared/protocol.ts b/packages/core/src/shared/protocol.ts index b82731582..1ec957f5b 100644 --- a/packages/core/src/shared/protocol.ts +++ b/packages/core/src/shared/protocol.ts @@ -474,9 +474,12 @@ export abstract class Protocol { }); this.setRequestHandler('tasks/result', async (request, ctx) => { - const handleTaskResult = async (): Promise => { - const taskId = request.params.taskId; + const taskId = request.params.taskId; + // Iterative poll loop: drain the queue and wait for the task to reach a terminal + // state. Using an explicit loop (rather than recursion) avoids building up a + // deep promise chain for long-running tasks. + while (true) { // Deliver queued messages if (this._taskMessageQueue) { let queuedMessage: QueuedMessage | undefined; 
@@ -528,15 +531,6 @@ export abstract class Protocol { throw new ProtocolError(ProtocolErrorCode.InvalidParams, `Task not found: ${taskId}`); } - // Block if task is not terminal (we've already delivered all queued messages above) - if (!isTerminal(task.status)) { - // Wait for status change or new messages - await this._waitForTaskUpdate(taskId, ctx.mcpReq.signal); - - // After waking up, recursively call to deliver any new messages or result - return await handleTaskResult(); - } - // If task is terminal, return the result if (isTerminal(task.status)) { const result = await this._taskStore!.getTaskResult(taskId, ctx.sessionId); @@ -554,10 +548,9 @@ export abstract class Protocol { } as Result; } - return await handleTaskResult(); - }; - - return await handleTaskResult(); + // Task is not yet terminal — wait for the next poll interval, then loop again + await this._waitForTaskUpdate(taskId, ctx.mcpReq.signal); + } }); this.setRequestHandler('tasks/list', async (request, ctx) => { diff --git a/packages/server/src/server/streamableHttp.ts b/packages/server/src/server/streamableHttp.ts index 74e689892..74e737833 100644 --- a/packages/server/src/server/streamableHttp.ts +++ b/packages/server/src/server/streamableHttp.ts @@ -806,9 +806,10 @@ export class WebStandardStreamableHTTPServerTransport implements Transport { return new Response(readable, { status: 200, headers }); } catch (error) { - // return JSON-RPC formatted error + // return JSON-RPC formatted error — do NOT include raw error details in the response + // to avoid leaking internal implementation information to clients. this.onerror?.(error as Error); - return this.createJsonErrorResponse(400, -32_700, 'Parse error', { data: String(error) }); + return this.createJsonErrorResponse(400, -32_700, 'Parse error'); } } From e9847a7ccde45d6b1b815051b824f8077663d43c Mon Sep 17 00:00:00 2001 
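Review bot: In `.github/CODEOWNERS`, the removed `/src/server/auth/` entry has no counterpart in the new list: the added paths cover `packages/client`, `packages/core` and `examples`, but nothing under `packages/server`. Any server-side auth code in the v2 layout would fall back to the default `*` owner and skip auth-team review, which is the gap this commit sets out to close. Add the matching `packages/server` path, or say in the commit message that no such code remains.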
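Review bot: In `.github/workflows/conformance.yml`, both jobs now spell out `continue-on-error: false`, which is the default; deleting the key is clearer than stating the default. The context lines of the same hunks still show `actions/checkout@v4`, while this commit moves `main.yml` to `@v6` for consistency, so this workflow is left on the older tag.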
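Review bot: In the publish job of `.github/workflows/main.yml`, which holds `id-token: write`, the actions are referenced by mutable tags (`actions/checkout@v6`, `actions/setup-node@v6`, `pnpm/action-setup@v4`). For a job that can obtain an OIDC token, pin each `uses:` to a full commit SHA and keep the tag in a trailing comment, so a retagged action cannot run in the release path.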
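Review bot: In the `tasks/result` handler in `packages/core/src/shared/protocol.ts`, the new `while (true)` loop ends only by returning the terminal result or by a throw, so cancellation depends entirely on `_waitForTaskUpdate(taskId, ctx.mcpReq.signal)` rejecting when the signal aborts. Check `ctx.mcpReq.signal.aborted` at the top of each iteration, or document that `_waitForTaskUpdate` rejects on abort, so a cancelled request cannot keep looping. The new comment also says "wait for the next poll interval" where the removed one said "Wait for status change or new messages"; keep whichever wording matches what `_waitForTaskUpdate` does.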
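Review bot: The `catch` block change in `packages/server/src/server/streamableHttp.ts` ships without a test: the diffstat for this commit lists no test file, so nothing prevents `{ data: String(error) }` from being reintroduced later. Add a test that sends a malformed body and asserts that the 400 response carries code -32700 and no `data` member. The detail still reaches `this.onerror`, so the comment could say that server-side logging is where it should be read.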
From: MrGDCrazy <234173259+MrGDCrazy@users.noreply.github.com> Date: Wed, 25 Mar 2026 07:26:50 -0500 Subject: [PATCH 3/7] Add CodeQL analysis workflow configuration --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..10c060981 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,101 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '35 19 * * 5' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{matrix.language}}" From 2c26710cff28bb5edf858f60b5dbef36f20b35a5 Mon Sep 17 00:00:00 2001 From: MrGDCrazy <234173259+MrGDCrazy@users.noreply.github.com> Date: Wed, 25 Mar 2026 07:30:22 -0500 Subject: [PATCH 4/7] Update .github/workflows/codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 10c060981..738f5c014 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,10 +43,10 @@ jobs: fail-fast: false matrix: include: - - language: actions - build-mode: none - - language: javascript-typescript - build-mode: none + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both From 5b2f62188ad1fda409c16d834ddcfe3f071b1f52 Mon Sep 17 00:00:00 2001 
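Review bot: In `.github/workflows/codeql.yml` as added by [PATCH 3/7], the `Run manual build steps` step can never run, because both matrix entries set `build-mode: none` and the step is guarded by `if: matrix.build-mode == 'manual'`. Remove the step and the template comments that describe it, and make an explicit decision on the commented-out `# queries: security-extended,security-and-quality` line. The workflow also uses `actions/checkout@v4`, while [PATCH 2/7] moves `main.yml` to `@v6`.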
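Review bot: [PATCH 4/7] changes only the indentation of the four matrix `include` lines that [PATCH 3/7] introduced; the removed and added lines carry identical text. Squash it into 3/7 so the series does not add and then immediately correct the same lines.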
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 25 Mar 2026 12:32:57 +0000 Subject: [PATCH 5/7] Version Packages --- .changeset/add-hono-peer-dep.md | 5 -- .changeset/brave-lions-glow.md | 5 -- .changeset/busy-weeks-hang.md | 6 --- .changeset/cyan-cycles-pump.md | 5 -- .changeset/expose-auth-server-discovery.md | 10 ---- .changeset/fix-task-session-isolation.md | 5 -- .changeset/fix-unknown-tool-protocol-error.md | 15 ------ .changeset/funky-baths-attack.md | 8 ---- .changeset/heavy-walls-swim.md | 5 -- .changeset/oauth-error-http200.md | 7 --- .changeset/quick-islands-occur.md | 10 ---- .changeset/respect-capability-negotiation.md | 14 ------ .changeset/rich-hounds-report.md | 10 ---- .changeset/shy-times-learn.md | 8 ---- .changeset/tender-snails-fold.md | 6 --- .changeset/twelve-dodos-taste.md | 5 -- .changeset/use-scopes-supported-in-dcr.md | 10 ---- packages/client/CHANGELOG.md | 48 +++++++++++++++++++ packages/client/package.json | 2 +- packages/core/CHANGELOG.md | 33 +++++++++++++ packages/core/package.json | 2 +- packages/middleware/express/CHANGELOG.md | 20 ++++++++ packages/middleware/express/package.json | 2 +- packages/middleware/hono/CHANGELOG.md | 17 +++++++ packages/middleware/hono/package.json | 2 +- packages/middleware/node/CHANGELOG.md | 29 +++++++++++ packages/middleware/node/package.json | 2 +- packages/server/CHANGELOG.md | 39 +++++++++++++++ packages/server/package.json | 2 +- test/integration/CHANGELOG.md | 11 +++++ test/integration/package.json | 2 +- 31 files changed, 204 insertions(+), 141 deletions(-) delete mode 100644 .changeset/add-hono-peer-dep.md delete mode 100644 .changeset/brave-lions-glow.md delete mode 100644 .changeset/busy-weeks-hang.md delete mode 100644 .changeset/cyan-cycles-pump.md delete mode 100644 .changeset/expose-auth-server-discovery.md delete mode 100644 .changeset/fix-task-session-isolation.md delete mode 100644 .changeset/fix-unknown-tool-protocol-error.md delete mode 
100644 .changeset/funky-baths-attack.md delete mode 100644 .changeset/heavy-walls-swim.md delete mode 100644 .changeset/oauth-error-http200.md delete mode 100644 .changeset/quick-islands-occur.md delete mode 100644 .changeset/respect-capability-negotiation.md delete mode 100644 .changeset/rich-hounds-report.md delete mode 100644 .changeset/shy-times-learn.md delete mode 100644 .changeset/tender-snails-fold.md delete mode 100644 .changeset/twelve-dodos-taste.md delete mode 100644 .changeset/use-scopes-supported-in-dcr.md create mode 100644 packages/client/CHANGELOG.md create mode 100644 packages/core/CHANGELOG.md create mode 100644 packages/middleware/express/CHANGELOG.md create mode 100644 packages/middleware/hono/CHANGELOG.md create mode 100644 packages/middleware/node/CHANGELOG.md create mode 100644 packages/server/CHANGELOG.md create mode 100644 test/integration/CHANGELOG.md diff --git a/.changeset/add-hono-peer-dep.md b/.changeset/add-hono-peer-dep.md deleted file mode 100644 index 25f90bbd8..000000000 --- a/.changeset/add-hono-peer-dep.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/node': patch ---- - -Add missing `hono` peer dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself. diff --git a/.changeset/brave-lions-glow.md b/.changeset/brave-lions-glow.md deleted file mode 100644 index 587183899..000000000 --- a/.changeset/brave-lions-glow.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/node': patch ---- - -Prevent Hono from overriding global Response object by passing `overrideGlobalObjects: false` to `getRequestListener()`. This fixes compatibility with frameworks like Next.js whose response classes extend the native Response. diff --git a/.changeset/busy-weeks-hang.md b/.changeset/busy-weeks-hang.md deleted file mode 100644 index a045aaa41..000000000 
--- a/.changeset/busy-weeks-hang.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -'@modelcontextprotocol/core': patch -'@modelcontextprotocol/server': patch ---- - -Fix ReDoS vulnerability in UriTemplate regex patterns (CVE-2026-0621) diff --git a/.changeset/cyan-cycles-pump.md b/.changeset/cyan-cycles-pump.md deleted file mode 100644 index 0f2008a3a..000000000 --- a/.changeset/cyan-cycles-pump.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -missing change for fix(client): replace body.cancel() with text() to prevent hanging diff --git a/.changeset/expose-auth-server-discovery.md b/.changeset/expose-auth-server-discovery.md deleted file mode 100644 index 443dce893..000000000 --- a/.changeset/expose-auth-server-discovery.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/client': minor ---- - -Add `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth - -- New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server URL outside of `auth()`. -- New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost. -- New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state. -- New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`. diff --git a/.changeset/fix-task-session-isolation.md b/.changeset/fix-task-session-isolation.md deleted file mode 100644 index 722067337..000000000 
--- a/.changeset/fix-task-session-isolation.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/core': patch ---- - -Fix InMemoryTaskStore to enforce session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes. diff --git a/.changeset/fix-unknown-tool-protocol-error.md b/.changeset/fix-unknown-tool-protocol-error.md deleted file mode 100644 index 086158b4b..000000000 --- a/.changeset/fix-unknown-tool-protocol-error.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -"@modelcontextprotocol/core": minor -"@modelcontextprotocol/server": major ---- - -Fix error handling for unknown tools and resources per MCP spec. - -**Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with -code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. -Callers who checked `result.isError` for unknown tools should catch rejected promises instead. - -**Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) -instead of `-32602` (InvalidParams). - -Added `ProtocolErrorCode.ResourceNotFound`. diff --git a/.changeset/funky-baths-attack.md b/.changeset/funky-baths-attack.md deleted file mode 100644 index f65f1263c..000000000 --- a/.changeset/funky-baths-attack.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/test-integration': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -remove deprecated .tool, .prompt, .resource method signatures diff --git a/.changeset/heavy-walls-swim.md b/.changeset/heavy-walls-swim.md deleted file mode 100644 index 7a09cda0d..000000000 --- a/.changeset/heavy-walls-swim.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -reverting application/json in notifications diff --git a/.changeset/oauth-error-http200.md b/.changeset/oauth-error-http200.md deleted file mode 100644 index 1ce4fdd9e..000000000 --- a/.changeset/oauth-error-http200.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -'@modelcontextprotocol/client': patch ---- - -Fix OAuth error handling for servers returning errors with HTTP 200 status - -Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages. diff --git a/.changeset/quick-islands-occur.md b/.changeset/quick-islands-occur.md deleted file mode 100644 index 2ec83908d..000000000 --- a/.changeset/quick-islands-occur.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/express': patch -'@modelcontextprotocol/hono': patch -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -remove npm references, use pnpm diff --git a/.changeset/respect-capability-negotiation.md b/.changeset/respect-capability-negotiation.md deleted file mode 100644 index 6a42cf607..000000000 --- a/.changeset/respect-capability-negotiation.md +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -'@modelcontextprotocol/client': patch ---- - -Respect capability negotiation in list methods by returning empty lists when server lacks capability - -The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability: - -- `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability -- `listResources()` returns `{ resources: [] }` if server lacks resources capability -- `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability -- `listTools()` returns `{ tools: [] }` if server lacks tools capability - -This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`. diff --git a/.changeset/rich-hounds-report.md b/.changeset/rich-hounds-report.md deleted file mode 100644 index d1736bf72..000000000 --- a/.changeset/rich-hounds-report.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/express': patch -'@modelcontextprotocol/hono': patch -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -clean up package manager usage, all pnpm diff --git a/.changeset/shy-times-learn.md b/.changeset/shy-times-learn.md deleted file mode 100644 index 99617f8b7..000000000 --- a/.changeset/shy-times-learn.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/test-integration': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -deprecated .tool, .prompt, .resource method removal diff --git a/.changeset/tender-snails-fold.md b/.changeset/tender-snails-fold.md deleted file mode 100644 index 138596950..000000000 --- a/.changeset/tender-snails-fold.md +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch ---- - -Initial 2.0.0-alpha.0 client and server package diff --git a/.changeset/twelve-dodos-taste.md b/.changeset/twelve-dodos-taste.md deleted file mode 100644 index 1b0fdc19d..000000000 --- a/.changeset/twelve-dodos-taste.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@modelcontextprotocol/express": patch ---- - -Add jsonLimit option to createMcpExpressApp diff --git a/.changeset/use-scopes-supported-in-dcr.md b/.changeset/use-scopes-supported-in-dcr.md deleted file mode 100644 index d40da05f0..000000000 --- a/.changeset/use-scopes-supported-in-dcr.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/client': minor ---- - -Apply resolved scope consistently to both DCR and the authorization URL (SEP-835) - -When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request body, ensuring both use a consistent value. - -- `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body. -- `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request. diff --git a/packages/client/CHANGELOG.md b/packages/client/CHANGELOG.md new file mode 100644 index 000000000..f89f02a1f --- /dev/null +++ b/packages/client/CHANGELOG.md 
@@ -0,0 +1,48 @@ +# @modelcontextprotocol/client + +## 2.0.0 + +### Minor Changes + +- [#1527](https://github.com/modelcontextprotocol/typescript-sdk/pull/1527) [`dc896e1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dc896e198bdd1367d93a7c38846fdf9e78d84c6a) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add + `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth + - New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server + URL outside of `auth()`. + - New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This + avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost. + - New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state. + - New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`. + +- [#1614](https://github.com/modelcontextprotocol/typescript-sdk/pull/1614) [`1a78b01`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1a78b0138f1f3432968e53e810bac7929833eda2) Thanks [@pcarleton](https://github.com/pcarleton)! - Apply resolved scope consistently + to both DCR and the authorization URL (SEP-835) + + When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request + body, ensuring both use a consistent value. 
+ - `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body. + - `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request. + +### Patch Changes + +- [#1343](https://github.com/modelcontextprotocol/typescript-sdk/pull/1343) [`4b5fdcb`](https://github.com/modelcontextprotocol/typescript-sdk/commit/4b5fdcba02c20f26d8b0f07acc87248288522842) Thanks [@christso](https://github.com/christso)! - Fix OAuth error handling for servers + returning errors with HTTP 200 status + + Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages. + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1386](https://github.com/modelcontextprotocol/typescript-sdk/pull/1386) [`00249ce`](https://github.com/modelcontextprotocol/typescript-sdk/commit/00249ce86dac558fb1089aea46d4d6d14e9a56c6) Thanks [@PederHP](https://github.com/PederHP)! 
- Respect capability negotiation in list + methods by returning empty lists when server lacks capability + + The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability: + - `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability + - `listResources()` returns `{ resources: [] }` if server lacks resources capability + - `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability + - `listTools()` returns `{ tools: [] }` if server lacks tools capability + + This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`. + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1279](https://github.com/modelcontextprotocol/typescript-sdk/pull/1279) [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - Initial 2.0.0-alpha.0 + client and server package diff --git a/packages/client/package.json b/packages/client/package.json index a8cd73c3b..43543354e 100644 --- a/packages/client/package.json +++ b/packages/client/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/client", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Client package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md new file mode 100644 index 000000000..b4b6a4cb1 --- /dev/null 
+++ b/packages/core/CHANGELOG.md 
@@ -0,0 +1,33 @@ +# @modelcontextprotocol/core + +## 2.0.0 + +### Minor Changes + +- [#1389](https://github.com/modelcontextprotocol/typescript-sdk/pull/1389) [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51) Thanks [@DePasqualeOrg](https://github.com/DePasqualeOrg)! - Fix error handling for + unknown tools and resources per MCP spec. + + **Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. Callers who checked `result.isError` for unknown tools should catch rejected promises instead. + + **Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) instead of `-32602` (InvalidParams). + + Added `ProtocolErrorCode.ResourceNotFound`. + +### Patch Changes + +- [#1363](https://github.com/modelcontextprotocol/typescript-sdk/pull/1363) [`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4) Thanks [@DevJanderson](https://github.com/DevJanderson)! - Fix ReDoS vulnerability in + UriTemplate regex patterns (CVE-2026-0621) + +- [#1486](https://github.com/modelcontextprotocol/typescript-sdk/pull/1486) [`65bbcea`](https://github.com/modelcontextprotocol/typescript-sdk/commit/65bbceab773277f056a9d3e385e7e7d8cef54f9b) Thanks [@localden](https://github.com/localden)! - Fix InMemoryTaskStore to enforce + session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes. + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! 
- remove deprecated .tool, + .prompt, .resource method signatures + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal diff --git a/packages/core/package.json b/packages/core/package.json index 3b55a71d6..8dac5b874 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/core", "private": true, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Core package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/express/CHANGELOG.md b/packages/middleware/express/CHANGELOG.md new file mode 100644 index 000000000..891835902 --- /dev/null +++ b/packages/middleware/express/CHANGELOG.md 
@@ -0,0 +1,20 @@ +# @modelcontextprotocol/express + +## 2.0.0 + +### Patch Changes + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1625](https://github.com/modelcontextprotocol/typescript-sdk/pull/1625) [`1fe9eda`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1fe9eda4a712a5f3a3ba11561e723ec7e6cf5a5b) Thanks [@rameshreddy-adutla](https://github.com/rameshreddy-adutla)! - Add jsonLimit + option to createMcpExpressApp + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + 
[`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/express/package.json b/packages/middleware/express/package.json index 10805588a..0e2665eb8 100644 --- a/packages/middleware/express/package.json +++ b/packages/middleware/express/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/express", "private": false, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Express adapters for the Model Context Protocol TypeScript server SDK - Express middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/hono/CHANGELOG.md b/packages/middleware/hono/CHANGELOG.md new file mode 100644 index 000000000..7b4b1097b --- /dev/null +++ b/packages/middleware/hono/CHANGELOG.md 
@@ -0,0 +1,17 @@ +# @modelcontextprotocol/hono + +## 2.0.0 + +### Patch Changes + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/hono/package.json b/packages/middleware/hono/package.json index 262828d22..50e020e17 100644 --- a/packages/middleware/hono/package.json +++ b/packages/middleware/hono/package.json 
@@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/hono", "private": false, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Hono adapters for the Model Context Protocol TypeScript server SDK - Hono middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/node/CHANGELOG.md b/packages/middleware/node/CHANGELOG.md new file mode 100644 index 000000000..c817682df --- /dev/null +++ b/packages/middleware/node/CHANGELOG.md 
@@ -0,0 +1,29 @@ +# @modelcontextprotocol/node + +## 2.0.0 + +### Patch Changes + +- [#1504](https://github.com/modelcontextprotocol/typescript-sdk/pull/1504) [`327243c`](https://github.com/modelcontextprotocol/typescript-sdk/commit/327243cebd96e07686c88f7fa9ca22a5a7a7993d) Thanks [@corvid-agent](https://github.com/corvid-agent)! - Add missing `hono` peer + dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself. + +- [#1410](https://github.com/modelcontextprotocol/typescript-sdk/pull/1410) [`9296459`](https://github.com/modelcontextprotocol/typescript-sdk/commit/9296459ac006546499f6b4105ffc528b8c212d88) Thanks [@mattzcarey](https://github.com/mattzcarey)! - Prevent Hono from overriding + global Response object by passing `overrideGlobalObjects: false` to `getRequestListener()`. This fixes compatibility with frameworks like Next.js whose response classes extend the native Response. + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! 
- clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), + [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/node/package.json b/packages/middleware/node/package.json index c13e49646..0ba35e6d6 100644 --- a/packages/middleware/node/package.json +++ b/packages/middleware/node/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/node", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Node.js middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", 
diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md new file mode 100644 index 000000000..1fee5ca3b --- /dev/null +++ b/packages/server/CHANGELOG.md 
@@ -0,0 +1,39 @@ +# @modelcontextprotocol/server + +## 2.0.0 + +### Major Changes + +- [#1389](https://github.com/modelcontextprotocol/typescript-sdk/pull/1389) [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51) Thanks [@DePasqualeOrg](https://github.com/DePasqualeOrg)! - Fix error handling for + unknown tools and resources per MCP spec. + + **Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. Callers who checked `result.isError` for unknown tools should catch rejected promises instead. + + **Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) instead of `-32602` (InvalidParams). + + Added `ProtocolErrorCode.ResourceNotFound`. + +### Patch Changes + +- [#1363](https://github.com/modelcontextprotocol/typescript-sdk/pull/1363) [`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4) Thanks [@DevJanderson](https://github.com/DevJanderson)! - Fix ReDoS vulnerability in + UriTemplate regex patterns (CVE-2026-0621) + +- [#1372](https://github.com/modelcontextprotocol/typescript-sdk/pull/1372) [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e) Thanks [@mattzcarey](https://github.com/mattzcarey)! - missing change for fix(client): + replace body.cancel() with text() to prevent hanging + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! 
- remove deprecated .tool, + .prompt, .resource method signatures + +- [#1388](https://github.com/modelcontextprotocol/typescript-sdk/pull/1388) [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5) Thanks [@mattzcarey](https://github.com/mattzcarey)! - reverting application/json in + notifications + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal + +- [#1279](https://github.com/modelcontextprotocol/typescript-sdk/pull/1279) [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - Initial 2.0.0-alpha.0 + client and server package diff --git a/packages/server/package.json b/packages/server/package.json index 92eab267d..ed078d282 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/server", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Server package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", 
diff --git a/test/integration/CHANGELOG.md b/test/integration/CHANGELOG.md new file mode 100644 index 000000000..c1bb300e1 --- /dev/null +++ b/test/integration/CHANGELOG.md @@ -0,0 +1,11 @@ +# @modelcontextprotocol/test-integration + +## 2.0.0 + +### Patch Changes + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal diff --git a/test/integration/package.json b/test/integration/package.json index da21238ed..98bfae36f 100644 --- a/test/integration/package.json +++ b/test/integration/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/test-integration", "private": true, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", From 554beb0c60098e59a95997730445824ee4ecfa3e Mon Sep 17 00:00:00 2001 From: MrGDCrazy Date: Wed, 25 Mar 2026 09:44:36 -0500 Subject: [PATCH 6/7] fix: add pnpm setup to CodeQL workflow --- .github/workflows/codeql.yml | 72 ++++++++++-------------------------- 1 file changed, 19 insertions(+), 53 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 738f5c014..409b6c42c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -1,14 +1,3 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# name: "CodeQL Advanced" on: @@ -22,20 +11,10 @@ on: jobs: analyze: name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read 
@@ -47,55 +26,42 @@ jobs: build-mode: none - language: javascript-typescript build-mode: none - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: - name: Checkout repository uses: actions/checkout@v4 - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 + - name: Install pnpm + if: matrix.language == 'javascript-typescript' + uses: pnpm/action-setup@v4 + with: + version: 10.26.1 + + - name: Setup Node.js + if: matrix.language == 'javascript-typescript' + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: 'pnpm' + + - name: Install dependencies + if: matrix.language == 'javascript-typescript' + run: pnpm install - # Initializes the CodeQL tools for scanning. 
- name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - name: Run manual build steps if: matrix.build-mode == 'manual' shell: bash run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' + echo 'Replace this with your manual build commands' exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 with: - category: "/language:${{matrix.language}}" + category: "/language:${{matrix.language}}" \ No newline at end of file From 64fcce18f9640d6811c50a5db41ca420269a8a5d Mon Sep 17 00:00:00 2001 From: MrGDCrazy Date: Wed, 25 Mar 2026 09:53:14 -0500 Subject: [PATCH 7/7] fix: remove cache pnpm from setup-node, let pnpm/action-setup handle it --- .github/workflows/codeql.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 409b6c42c..13da1199d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -36,17 +36,18 @@ jobs: uses: pnpm/action-setup@v4 with: version: 10.26.1 + run_install: false - name: Setup Node.js if: matrix.language == 'javascript-typescript' uses: actions/setup-node@v4 with: node-version: 20 - cache: 'pnpm' + # ⚠️ No cache: 'pnpm' here — pnpm/action-setup handles caching - name: Install dependencies if: matrix.language == 'javascript-typescript' - run: pnpm install + run: pnpm install --frozen-lockfile - name: Initialize CodeQL uses: github/codeql-action/init@v4
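Review bot: In the `packages/core/CHANGELOG.md` hunk (`@@ -0,0 +1,33 @@`), #1389 is filed under "Minor Changes", while the identical entry in the `packages/server/CHANGELOG.md` hunk is under "Major Changes". The entry text says callers who checked `result.isError` for unknown tools should catch rejected promises instead, which is a caller-visible break. The two files should classify it the same way, otherwise anything that keys on the heading will treat the same change differently per package.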
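Review bot: In the `packages/server/CHANGELOG.md` hunk (`@@ -0,0 +1,39 @@`), the ReDoS fix for CVE-2026-0621 (#1363) is listed under "Patch Changes" next to routine entries such as "remove npm references, use pnpm", with nothing marking it as a security fix. The core changelog does the same with the InMemoryTaskStore session isolation fix (#1486). Since PATCH 1/7 defines a SECURITY category with its own priority, these entries should be labelled or grouped so that they are picked up as security changes rather than read as ordinary patches.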
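Review bot: In the `packages/middleware/express/package.json` hunk, `version` goes from `2.0.0-alpha.0` to `2.0.0` on a package marked `"private": false`, and the hono hunk does the same. Nothing in the visible part of the series explains why this fork leaves the prerelease line. If the bumps and the new CHANGELOG files are unintended output of a release run, drop them from the series; if they are intended, say so in the commit message and confirm the publishable packages will not be released under these names by accident.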
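Review bot: The `@@ -22,20 +11,10 @@` hunk of PATCH 6/7 removes the comments that documented each grant under `permissions:`, including "only required for workflows in private repositories" above `actions: read` and `contents: read`. Keep those comments, or remove the grants that are not needed here, so a later reader can tell which scopes are required and which are leftovers. The subject "add pnpm setup to CodeQL workflow" does not cover comment removal, so it would be cleaner as a separate commit.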
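Review bot: In the `@@ -47,55 +26,42 @@` hunk of PATCH 6/7, the new `Install dependencies` step runs `pnpm install` for the `javascript-typescript` entry even though that entry is declared with `build-mode: none`, and it does so in a job whose token has `security-events: write`. Please state in the commit message what failed without the install; if it is only there to satisfy tooling, prefer `pnpm install --frozen-lockfile --ignore-scripts` so no install scripts execute before analysis. Two smaller points in the same hunk: `pnpm/action-setup@v4` and `actions/setup-node@v4` are referenced by tag rather than by commit SHA, and the file now ends with "\ No newline at end of file".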
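Review bot: In the PATCH 7/7 hunk (`@@ -36,17 +36,18 @@`), the added comment says `pnpm/action-setup` handles caching, but the only inputs given to that step are `version: 10.26.1` and `run_install: false`, so nothing visible in the workflow configures a cache. Either keep `cache: 'pnpm'` on `actions/setup-node` (the pnpm step already runs before it) or reword the comment to say caching is intentionally off. The switch to `pnpm install --frozen-lockfile` is the right change and should stay.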