Skip to content

Version Packages (beta)#175

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Open

Version Packages (beta)#175
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Dec 20, 2025

Copy link
Copy Markdown

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@modelcontextprotocol/server@2.0.0-beta.3

Minor Changes

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

  • #2422 61866d7 Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to @modelcontextprotocol/server:
    oauthMetadataResponse serves the RFC 9728 Protected Resource Metadata and
    RFC 8414 Authorization Server metadata documents from web-standard
    fetch(request) hosts, built on the exported
    buildOAuthProtectedResourceMetadata, with
    getOAuthProtectedResourceMetadataUrl now defined here. The Express metadata
    router adapts the same core and is unchanged in behavior; the insecure-issuer
    escape hatch is an explicit dangerouslyAllowInsecureIssuerUrl option in the
    neutral core instead of a module-scope environment read. The web-standard
    matcher validates lazily so unmatched traffic always falls through, tolerates
    a trailing slash, supports HEAD, and marks reflected CORS preflights with
    Vary.

Patch Changes

  • #2431 1b90c96 Thanks @morluto! - Fix the CommonJS validators/ajv subpath so reading the exported Ajv class no longer throws ReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concrete Ajv value in CJS output, matching the existing ESM behavior.

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2384 ce2f65d Thanks @felixweinberger! - instanceof on the SDK error classes (ProtocolError and its typed subclasses, SdkError/SdkHttpError, OAuthError, and the client's SseError, UnauthorizedError, and OAuth-client-flow error family — OAuthClientFlowError and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via Symbol.hasInstance and a registry symbol) instead of prototype identity, so a process that uses both @modelcontextprotocol/client and @modelcontextprotocol/server - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based instanceof is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle SdkError used as an abort reason is now rethrown as-is instead of being wrapped as a RequestTimeout. Branded hierarchies additionally expose an explicit static guard, X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over instanceof. Also: UnauthorizedError now sets error.name to 'UnauthorizedError' (previously 'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes UnauthorizedError (previously a dead name-string check) and propagates it unchanged, so connect() on an auth-gated server rejects with the original UnauthorizedError (previously wrapped as the cause of an SdkError(EraNegotiationFailed)) — run finishAuth() and reconnect, and the retry probes with the token.

  • #2425 e8de519 Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.

@modelcontextprotocol/client@2.0.0-beta.3

Patch Changes

  • #2431 1b90c96 Thanks @morluto! - Fix the CommonJS validators/ajv subpath so reading the exported Ajv class no longer throws ReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concrete Ajv value in CJS output, matching the existing ESM behavior.

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2384 ce2f65d Thanks @felixweinberger! - instanceof on the SDK error classes (ProtocolError and its typed subclasses, SdkError/SdkHttpError, OAuthError, and the client's SseError, UnauthorizedError, and OAuth-client-flow error family — OAuthClientFlowError and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via Symbol.hasInstance and a registry symbol) instead of prototype identity, so a process that uses both @modelcontextprotocol/client and @modelcontextprotocol/server - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based instanceof is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle SdkError used as an abort reason is now rethrown as-is instead of being wrapped as a RequestTimeout. Branded hierarchies additionally expose an explicit static guard, X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over instanceof. Also: UnauthorizedError now sets error.name to 'UnauthorizedError' (previously 'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes UnauthorizedError (previously a dead name-string check) and propagates it unchanged, so connect() on an auth-gated server rejects with the original UnauthorizedError (previously wrapped as the cause of an SdkError(EraNegotiationFailed)) — run finishAuth() and reconnect, and the retry probes with the token.

  • #2425 e8de519 Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.

@modelcontextprotocol/codemod@2.0.0-beta.3

Patch Changes

  • #2419 79dc162 Thanks @felixweinberger! - Read the v2 package versions the codemod writes into migrated package.json files directly from the workspace manifests at build time, replacing the committed generated versions.ts (which went stale after every release and made source builds write outdated versions).

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

@modelcontextprotocol/express@2.0.0-beta.3

Patch Changes

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

  • #2422 61866d7 Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to @modelcontextprotocol/server:
    oauthMetadataResponse serves the RFC 9728 Protected Resource Metadata and
    RFC 8414 Authorization Server metadata documents from web-standard
    fetch(request) hosts, built on the exported
    buildOAuthProtectedResourceMetadata, with
    getOAuthProtectedResourceMetadataUrl now defined here. The Express metadata
    router adapts the same core and is unchanged in behavior; the insecure-issuer
    escape hatch is an explicit dangerouslyAllowInsecureIssuerUrl option in the
    neutral core instead of a module-scope environment read. The web-standard
    matcher validates lazily so unmatched traffic always falls through, tolerates
    a trailing slash, supports HEAD, and marks reflected CORS preflights with
    Vary.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, e8de519, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@modelcontextprotocol/fastify@2.0.0-beta.3

Patch Changes

@modelcontextprotocol/hono@2.0.0-beta.3

Patch Changes

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, e8de519, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@modelcontextprotocol/node@2.0.0-beta.3

Patch Changes

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2445 78fabea Thanks @felixweinberger! - Document composing the host and origin validation guards in front of toNodeHandler for hand-wired node:http servers, matching the protected wiring the examples and serving guide now demonstrate.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, e8de519, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@github-actions github-actions Bot force-pushed the changeset-release/main branch from 9bf0e19 to b798e3c Compare December 23, 2025 12:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 5 times, most recently from df38f93 to 59df763 Compare January 14, 2026 00:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 5 times, most recently from 5582238 to b362edf Compare January 22, 2026 18:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 4 times, most recently from 89b57bb to 085b09c Compare January 28, 2026 18:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 7 times, most recently from e385700 to 41a64d9 Compare February 6, 2026 18:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 5 times, most recently from f341bd3 to 636fae5 Compare February 13, 2026 18:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 3 times, most recently from ada79de to d9110e9 Compare February 20, 2026 06:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 3 times, most recently from e956327 to ee99040 Compare March 15, 2026 18:33
@github-actions github-actions Bot force-pushed the changeset-release/main branch 12 times, most recently from 752fad9 to 894c2e2 Compare March 30, 2026 12:34
@github-actions github-actions Bot force-pushed the changeset-release/main branch 3 times, most recently from c5aad6d to e9f4a90 Compare March 31, 2026 06:34
@github-actions github-actions Bot changed the title Version Packages Version Packages (alpha) Mar 31, 2026
@github-actions github-actions Bot force-pushed the changeset-release/main branch 4 times, most recently from 72ccc3f to 3b6840e Compare April 4, 2026 06:34
@github-actions github-actions Bot force-pushed the changeset-release/main branch 4 times, most recently from e6326bb to 53f503a Compare April 16, 2026 12:34
@github-actions github-actions Bot force-pushed the changeset-release/main branch 2 times, most recently from 940e536 to c2e832f Compare April 23, 2026 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants