Version Packages (beta)#2
Open
github-actions[bot] wants to merge 1 commit into
Open
Conversation
c4cef99 to
631250f
Compare
de5f0c3 to
38a94f4
Compare
f402e81 to
98aa891
Compare
3bdc3fd to
da3f07c
Compare
3ed5d14 to
d3065ed
Compare
c758c4c to
9ce9a06
Compare
307e9d3 to
c089c80
Compare
4036f55 to
c0ac63b
Compare
0c6e599 to
53f40a7
Compare
ce83af3 to
d349e69
Compare
f09a192 to
74bcc12
Compare
74bcc12 to
e7722ca
Compare
f1cf569 to
c4f04f6
Compare
d7efb65 to
960d68c
Compare
c80fcfa to
df8b6d4
Compare
ab65bba to
2c15b18
Compare
2c15b18 to
4b56324
Compare
d118506 to
9785eca
Compare
9785eca to
0db7676
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
mainis currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, runchangeset pre exitonmain.Releases
@modelcontextprotocol/server@2.0.0-beta.3
Minor Changes
#2420
7635115Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to@modelcontextprotocol/server:requireBearerAuthgates web-standardfetch(request)hosts (CloudflareWorkers, Deno, Bun, Hono), built on the exported
verifyBearerTokenandbearerAuthChallengeResponsepieces, withOAuthTokenVerifiernow definedhere. The Express middleware adapts the same core and is unchanged in
behavior, except that
WWW-Authenticatechallenge values are now RFC 7235quoted-string sanitized (quotes and backslashes escaped, control and
non-ASCII characters replaced);
@modelcontextprotocol/expressre-exportsOAuthTokenVerifieras before.#2422
61866d7Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to@modelcontextprotocol/server:oauthMetadataResponseserves the RFC 9728 Protected Resource Metadata andRFC 8414 Authorization Server metadata documents from web-standard
fetch(request)hosts, built on the exportedbuildOAuthProtectedResourceMetadata, withgetOAuthProtectedResourceMetadataUrlnow defined here. The Express metadatarouter adapts the same core and is unchanged in behavior; the insecure-issuer
escape hatch is an explicit
dangerouslyAllowInsecureIssuerUrloption in theneutral core instead of a module-scope environment read. The web-standard
matcher validates lazily so unmatched traffic always falls through, tolerates
a trailing slash, supports HEAD, and marks reflected CORS preflights with
Vary.Patch Changes
#2431
1b90c96Thanks @morluto! - Fix the CommonJSvalidators/ajvsubpath so reading the exportedAjvclass no longer throwsReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concreteAjvvalue in CJS output, matching the existing ESM behavior.#2441
561c6d8Thanks @felixweinberger! - POSTs whoseContent-Typemedia type is notapplication/jsonare nowrejected with
415 Unsupported Media Type; the header is parsed instead ofsubstring-matched. Previously any value merely containing the substring
passed the check (for example
text/plain; a=application/json), casevariants were wrongly rejected, and the 2026-07-28 entry did not inspect
Content-Typeat all — requests with a missing or non-JSON header that usedto be served on that path now also answer 415. Values with parameters
(
application/json; charset=utf-8, including malformed parameter sectionslike
application/json;) continue to work. SDK clients always send thecorrect header and are unaffected.
The new
isJsonContentType(header)helper is exported for transport andframework-adapter authors — custom entries composing the exported building
blocks (
classifyInboundRequest,PerRequestHTTPServerTransport) must applyit themselves. The hono adapter's JSON body pre-parse and the client's
response dispatch now use the same parsed-media-type comparison.
#2384
ce2f65dThanks @felixweinberger! -instanceofon the SDK error classes (ProtocolErrorand its typed subclasses,SdkError/SdkHttpError,OAuthError, and the client'sSseError,UnauthorizedError, and OAuth-client-flow error family —OAuthClientFlowErrorand its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (viaSymbol.hasInstanceand a registry symbol) instead of prototype identity, so a process that uses both@modelcontextprotocol/clientand@modelcontextprotocol/server- a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-basedinstanceofis preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundleSdkErrorused as an abort reason is now rethrown as-is instead of being wrapped as aRequestTimeout. Branded hierarchies additionally expose an explicit static guard,X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks overinstanceof. Also:UnauthorizedErrornow setserror.nameto'UnauthorizedError'(previously'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizesUnauthorizedError(previously a dead name-string check) and propagates it unchanged, soconnect()on an auth-gated server rejects with the originalUnauthorizedError(previously wrapped as thecauseof anSdkError(EraNegotiationFailed)) — runfinishAuth()and reconnect, and the retry probes with the token.#2451
7e69735Thanks @mattzcarey! - Return JSON-RPC Invalid Params with the original URI and aninvalid_urireason whenresources/readreceives a syntactically malformed URI.#2425
e8de519Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.#2453
0ab5d14Thanks @mattzcarey! - Strip RFC 9110 optional whitespace around inboundMCP-Protocol-Version,Mcp-Method, andMcp-Namevalues before classifying and validating modern HTTP requests. This keeps valid requests portable across Fetch runtimes that expose raw leading or trailing SP/HTAB throughHeaders.get().@modelcontextprotocol/client@2.0.0-beta.3
Patch Changes
#2431
1b90c96Thanks @morluto! - Fix the CommonJSvalidators/ajvsubpath so reading the exportedAjvclass no longer throwsReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concreteAjvvalue in CJS output, matching the existing ESM behavior.#2441
561c6d8Thanks @felixweinberger! - POSTs whoseContent-Typemedia type is notapplication/jsonare nowrejected with
415 Unsupported Media Type; the header is parsed instead ofsubstring-matched. Previously any value merely containing the substring
passed the check (for example
text/plain; a=application/json), casevariants were wrongly rejected, and the 2026-07-28 entry did not inspect
Content-Typeat all — requests with a missing or non-JSON header that usedto be served on that path now also answer 415. Values with parameters
(
application/json; charset=utf-8, including malformed parameter sectionslike
application/json;) continue to work. SDK clients always send thecorrect header and are unaffected.
The new
isJsonContentType(header)helper is exported for transport andframework-adapter authors — custom entries composing the exported building
blocks (
classifyInboundRequest,PerRequestHTTPServerTransport) must applyit themselves. The hono adapter's JSON body pre-parse and the client's
response dispatch now use the same parsed-media-type comparison.
#2384
ce2f65dThanks @felixweinberger! -instanceofon the SDK error classes (ProtocolErrorand its typed subclasses,SdkError/SdkHttpError,OAuthError, and the client'sSseError,UnauthorizedError, and OAuth-client-flow error family —OAuthClientFlowErrorand its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (viaSymbol.hasInstanceand a registry symbol) instead of prototype identity, so a process that uses both@modelcontextprotocol/clientand@modelcontextprotocol/server- a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-basedinstanceofis preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundleSdkErrorused as an abort reason is now rethrown as-is instead of being wrapped as aRequestTimeout. Branded hierarchies additionally expose an explicit static guard,X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks overinstanceof. Also:UnauthorizedErrornow setserror.nameto'UnauthorizedError'(previously'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizesUnauthorizedError(previously a dead name-string check) and propagates it unchanged, soconnect()on an auth-gated server rejects with the originalUnauthorizedError(previously wrapped as thecauseof anSdkError(EraNegotiationFailed)) — runfinishAuth()and reconnect, and the retry probes with the token.#2455
cc70c5eThanks @felixweinberger! - Version negotiation no longer discards transport handlers the caller set beforeconnect(). The probe window now saves any pre-setonmessage/onerror/onclose, forwards error and close events to them while the probe is in flight, and restores them when the window closes — soProtocol.connect()chains them exactly as it does on a plain connect. Previously, connecting withversionNegotiationsilently cleared pre-set handlers (e.g. anonerrorused to detect session-expiry auth failures), leaving them permanently detached for the life of the connection.#2425
e8de519Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.@modelcontextprotocol/codemod@2.0.0-beta.3
Patch Changes
#2419
79dc162Thanks @felixweinberger! - Read the v2 package versions the codemod writes into migratedpackage.jsonfiles directly from the workspace manifests at build time, replacing the committed generatedversions.ts(which went stale after every release and made source builds write outdated versions).#2420
7635115Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to@modelcontextprotocol/server:requireBearerAuthgates web-standardfetch(request)hosts (CloudflareWorkers, Deno, Bun, Hono), built on the exported
verifyBearerTokenandbearerAuthChallengeResponsepieces, withOAuthTokenVerifiernow definedhere. The Express middleware adapts the same core and is unchanged in
behavior, except that
WWW-Authenticatechallenge values are now RFC 7235quoted-string sanitized (quotes and backslashes escaped, control and
non-ASCII characters replaced);
@modelcontextprotocol/expressre-exportsOAuthTokenVerifieras before.@modelcontextprotocol/express@2.0.0-beta.3
Patch Changes
#2420
7635115Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to@modelcontextprotocol/server:requireBearerAuthgates web-standardfetch(request)hosts (CloudflareWorkers, Deno, Bun, Hono), built on the exported
verifyBearerTokenandbearerAuthChallengeResponsepieces, withOAuthTokenVerifiernow definedhere. The Express middleware adapts the same core and is unchanged in
behavior, except that
WWW-Authenticatechallenge values are now RFC 7235quoted-string sanitized (quotes and backslashes escaped, control and
non-ASCII characters replaced);
@modelcontextprotocol/expressre-exportsOAuthTokenVerifieras before.#2422
61866d7Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to@modelcontextprotocol/server:oauthMetadataResponseserves the RFC 9728 Protected Resource Metadata andRFC 8414 Authorization Server metadata documents from web-standard
fetch(request)hosts, built on the exportedbuildOAuthProtectedResourceMetadata, withgetOAuthProtectedResourceMetadataUrlnow defined here. The Express metadatarouter adapts the same core and is unchanged in behavior; the insecure-issuer
escape hatch is an explicit
dangerouslyAllowInsecureIssuerUrloption in theneutral core instead of a module-scope environment read. The web-standard
matcher validates lazily so unmatched traffic always falls through, tolerates
a trailing slash, supports HEAD, and marks reflected CORS preflights with
Vary.Updated dependencies [
1b90c96,561c6d8,ce2f65d,7e69735,e8de519,0ab5d14,7635115,61866d7]:@modelcontextprotocol/fastify@2.0.0-beta.3
Patch Changes
1b90c96,561c6d8,ce2f65d,7e69735,e8de519,0ab5d14,7635115,61866d7]:@modelcontextprotocol/hono@2.0.0-beta.3
Patch Changes
#2441
561c6d8Thanks @felixweinberger! - POSTs whoseContent-Typemedia type is notapplication/jsonare nowrejected with
415 Unsupported Media Type; the header is parsed instead ofsubstring-matched. Previously any value merely containing the substring
passed the check (for example
text/plain; a=application/json), casevariants were wrongly rejected, and the 2026-07-28 entry did not inspect
Content-Typeat all — requests with a missing or non-JSON header that usedto be served on that path now also answer 415. Values with parameters
(
application/json; charset=utf-8, including malformed parameter sectionslike
application/json;) continue to work. SDK clients always send thecorrect header and are unaffected.
The new
isJsonContentType(header)helper is exported for transport andframework-adapter authors — custom entries composing the exported building
blocks (
classifyInboundRequest,PerRequestHTTPServerTransport) must applyit themselves. The hono adapter's JSON body pre-parse and the client's
response dispatch now use the same parsed-media-type comparison.
Updated dependencies [
1b90c96,561c6d8,ce2f65d,7e69735,e8de519,0ab5d14,7635115,61866d7]:@modelcontextprotocol/node@2.0.0-beta.3
Patch Changes
#2441
561c6d8Thanks @felixweinberger! - POSTs whoseContent-Typemedia type is notapplication/jsonare nowrejected with
415 Unsupported Media Type; the header is parsed instead ofsubstring-matched. Previously any value merely containing the substring
passed the check (for example
text/plain; a=application/json), casevariants were wrongly rejected, and the 2026-07-28 entry did not inspect
Content-Typeat all — requests with a missing or non-JSON header that usedto be served on that path now also answer 415. Values with parameters
(
application/json; charset=utf-8, including malformed parameter sectionslike
application/json;) continue to work. SDK clients always send thecorrect header and are unaffected.
The new
isJsonContentType(header)helper is exported for transport andframework-adapter authors — custom entries composing the exported building
blocks (
classifyInboundRequest,PerRequestHTTPServerTransport) must applyit themselves. The hono adapter's JSON body pre-parse and the client's
response dispatch now use the same parsed-media-type comparison.
#2445
78fabeaThanks @felixweinberger! - Document composing the host and origin validation guards in front oftoNodeHandlerfor hand-wirednode:httpservers, matching the protected wiring the examples and serving guide now demonstrate.Updated dependencies [
1b90c96,561c6d8,ce2f65d,7e69735,e8de519,0ab5d14,7635115,61866d7]:@modelcontextprotocol/core-internal@2.0.0-beta.2
Patch Changes
0ab5d14Thanks @mattzcarey! - Strip RFC 9110 optional whitespace around inboundMCP-Protocol-Version,Mcp-Method, andMcp-Namevalues before classifying and validating modern HTTP requests. This keeps valid requests portable across Fetch runtimes that expose raw leading or trailing SP/HTAB throughHeaders.get().