Added SDK Version Pin Agent documentation outlining its role, actions, scope, constraints, and examples for managing SDK dependencies across multiple repositories.
- CODEOWNERS: update auth-team paths to match v2 monorepo layout (old paths referenced /src/... which no longer exist, causing all auth-related PRs to skip required auth-team review)
- ci: align actions/checkout and actions/setup-node to @v6 in the publish job of main.yml (was @v4, inconsistent with build/test jobs)
- ci: add typecheck+lint gate to publish.yml before building preview packages (broken code could previously be published on every push)
- ci: remove continue-on-error from conformance jobs; expected-failures is empty so real regressions were silently swallowed
- security: remove internal error detail (String(error)) from the JSON-RPC parse-error response body in streamableHttp — stack traces and file paths should not be forwarded to clients
- refactor: convert tasks/result polling handler from unbounded recursion to an explicit while-loop, eliminating deep promise-chain accumulation for long-running tasks

https://claude.ai/code/session_01CCxV9DvdS7Bf7bck3R9FJs
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Add CodeQL analysis workflow configuration
Updated CodeQL workflow configuration for improved clarity and functionality.
Version Packages
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updated CodeQL workflow to run on ubuntu-latest and added security queries.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Refactor CodeQL workflow for better readability
@modelcontextprotocol/client
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/hono
@modelcontextprotocol/node
Pull request overview
This PR appears to finalize a 2.0.0 release across several workspace packages (moving off 2.0.0-alpha.0), adds the corresponding per-package changelogs, tightens CI/release workflows, and includes a small runtime hardening change to avoid leaking parse error details over HTTP.
Changes:
- Bump multiple packages from `2.0.0-alpha.0` → `2.0.0` and add `CHANGELOG.md` files for the release.
- Harden server HTTP parse-error responses to avoid returning raw error details to clients.
- CI/CD updates: add `check:all` to publish workflow, update Actions major versions, make conformance non-optional, and add a CodeQL workflow.
Reviewed changes
Copilot reviewed 39 out of 39 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| test/integration/package.json | Bump test integration package version to 2.0.0. |
| test/integration/CHANGELOG.md | Add 2.0.0 changelog for test integration package. |
| packages/server/src/server/streamableHttp.ts | Stop including raw parse error details in JSON-RPC error responses. |
| packages/server/package.json | Bump server package version to 2.0.0. |
| packages/server/CHANGELOG.md | Add 2.0.0 changelog for server package. |
| packages/middleware/node/package.json | Bump node middleware package version to 2.0.0. |
| packages/middleware/node/CHANGELOG.md | Add 2.0.0 changelog for node middleware package. |
| packages/middleware/hono/package.json | Bump hono middleware package version to 2.0.0. |
| packages/middleware/hono/CHANGELOG.md | Add 2.0.0 changelog for hono middleware package. |
| packages/middleware/express/package.json | Bump express middleware package version to 2.0.0. |
| packages/middleware/express/CHANGELOG.md | Add 2.0.0 changelog for express middleware package. |
| packages/core/src/shared/protocol.ts | Replace recursive tasks/result handling with an explicit loop to avoid deep promise chains. |
| packages/core/package.json | Bump core package version to 2.0.0. |
| packages/core/CHANGELOG.md | Add 2.0.0 changelog for core package. |
| packages/client/package.json | Bump client package version to 2.0.0. |
| packages/client/CHANGELOG.md | Add 2.0.0 changelog for client package. |
| .github/workflows/publish.yml | Run pnpm run check:all before building/publishing previews. |
| .github/workflows/main.yml | Update actions/checkout and actions/setup-node to v6. |
| .github/workflows/conformance.yml | Make conformance jobs blocking (continue-on-error: false). |
| .github/workflows/codeql.yml | Add CodeQL Advanced workflow for Actions + JS/TS. |
| .github/agents/sdk-version-pin-agent.agent.md | Add an agent spec doc for monitoring upstream SDK releases and coordinating bumps. |
| .github/CODEOWNERS | Update auth-related ownership paths to match the monorepo layout. |
| .changeset/use-scopes-supported-in-dcr.md | Remove consumed changeset entry. |
| .changeset/twelve-dodos-taste.md | Remove consumed changeset entry. |
| .changeset/tender-snails-fold.md | Remove consumed changeset entry. |
| .changeset/shy-times-learn.md | Remove consumed changeset entry. |
| .changeset/rich-hounds-report.md | Remove consumed changeset entry. |
| .changeset/respect-capability-negotiation.md | Remove consumed changeset entry. |
| .changeset/quick-islands-occur.md | Remove consumed changeset entry. |
| .changeset/oauth-error-http200.md | Remove consumed changeset entry. |
| .changeset/heavy-walls-swim.md | Remove consumed changeset entry. |
| .changeset/funky-baths-attack.md | Remove consumed changeset entry. |
| .changeset/fix-unknown-tool-protocol-error.md | Remove consumed changeset entry. |
| .changeset/fix-task-session-isolation.md | Remove consumed changeset entry. |
| .changeset/expose-auth-server-discovery.md | Remove consumed changeset entry. |
| .changeset/cyan-cycles-pump.md | Remove consumed changeset entry. |
| .changeset/busy-weeks-hang.md | Remove consumed changeset entry. |
| .changeset/brave-lions-glow.md | Remove consumed changeset entry. |
| .changeset/add-hono-peer-dep.md | Remove consumed changeset entry. |
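
The parse-error hardening listed for `streamableHttp.ts`, shown as an added example that is not the SDK's own code: a JSON-RPC parse-error body built with `String(error)` beside one that returns a fixed body and keeps the detail in a server-side log. The function names, the `data` field as the place the detail was carried, the 400 status and the log callback are assumptions made for illustration.

```typescript
// Added illustration; all names here are hypothetical, not the SDK's API.
interface JsonRpcErrorBody {
  jsonrpc: "2.0";
  error: { code: number; message: string; data?: string };
  id: null;
}

interface HttpReply {
  status: number;
  body: JsonRpcErrorBody | { ok: true };
}

const PARSE_ERROR = -32700; // JSON-RPC 2.0 "Parse error"

// Before: the caught error is stringified into the response, so whatever the
// parser (or any wrapped error) says about server internals reaches the client.
function parseErrorLeaky(error: unknown): JsonRpcErrorBody {
  return {
    jsonrpc: "2.0",
    error: { code: PARSE_ERROR, message: "Parse error", data: String(error) },
    id: null,
  };
}

// After: the client gets a fixed body; the detail goes only to the server log.
function parseErrorHardened(error: unknown, log: (line: string) => void): JsonRpcErrorBody {
  const detail = error instanceof Error ? (error.stack ?? error.message) : String(error);
  log(`parse-error: ${detail}`);
  return { jsonrpc: "2.0", error: { code: PARSE_ERROR, message: "Parse error" }, id: null };
}

// Minimal request path: parse the raw body, map a failure to an error reply.
function handleBody(raw: string, build: (e: unknown) => JsonRpcErrorBody): HttpReply {
  try {
    JSON.parse(raw);
    return { status: 200, body: { ok: true } };
  } catch (e) {
    return { status: 400, body: build(e) };
  }
}

// Constructed malformed request body (truncated JSON).
const SAMPLE_BAD_BODY = '{"jsonrpc": "2.0", "method": ';
```

A regression test for this change can assert that the serialized error body is byte-for-byte constant across different malformed inputs.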
| { | ||
| "name": "@modelcontextprotocol/server", | ||
| "version": "2.0.0-alpha.0", | ||
| "version": "2.0.0", | ||
| "description": "Model Context Protocol implementation for TypeScript - Server package", |
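Review bot: with `"version"` now at a stable `2.0.0`, the release notes for this package need to cover the runtime change this PR bundles with it. The file summary lists `packages/server/src/server/streamableHttp.ts` as no longer returning raw parse error details, which changes the error body clients receive, so check that `packages/server/CHANGELOG.md` states it, and add an entry if it does not.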
The repo is partially bumped to 2.0.0 (e.g., this package), but several other workspace package.json files still report 2.0.0-alpha.0 (notably the repo root and some test packages). If this PR is intended to cut a 2.0.0 release across the monorepo, consider bumping the remaining workspace packages too; otherwise, consider adding the intentionally-not-bumped packages to Changesets' ignore list to avoid confusing mixed-version state.