From 1ba1d6d1653ef99bb21de3b5b8d441ebf2323c62 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 21:34:38 +0000 Subject: [PATCH] Version Packages (beta) --- .changeset/pre.json | 10 ++++- packages/client/CHANGELOG.md | 27 ++++++++++++ packages/client/package.json | 2 +- packages/codemod/CHANGELOG.md | 16 ++++++++ packages/codemod/package.json | 2 +- packages/middleware/express/CHANGELOG.md | 29 +++++++++++++ packages/middleware/express/package.json | 2 +- packages/middleware/fastify/CHANGELOG.md | 7 ++++ packages/middleware/fastify/package.json | 2 +- packages/middleware/hono/CHANGELOG.md | 24 +++++++++++ packages/middleware/hono/package.json | 2 +- packages/middleware/node/CHANGELOG.md | 26 ++++++++++++ packages/middleware/node/package.json | 2 +- packages/server/CHANGELOG.md | 52 ++++++++++++++++++++++++ packages/server/package.json | 2 +- 15 files changed, 197 insertions(+), 8 deletions(-) diff --git a/.changeset/pre.json b/.changeset/pre.json index 559973ea8a..ce4da17371 100644 --- a/.changeset/pre.json +++ b/.changeset/pre.json @@ -26,8 +26,16 @@ }, "changesets": [ "beta-release", + "cjs-ajv-validator-subpath", "cjs-support-v2-packages", "codemod-iterations-5", - "post-dispatch-32021-http-400" + "codemod-versions-from-manifests", + "content-type-media-type-validation", + "cross-bundle-error-instanceof", + "examples-protected-wiring", + "post-dispatch-32021-http-400", + "silent-validators-wave", + "web-standard-bearer-auth", + "web-standard-oauth-metadata" ] } diff --git a/packages/client/CHANGELOG.md b/packages/client/CHANGELOG.md index 98ca06c430..7c3aaf1b5b 100644 --- a/packages/client/CHANGELOG.md +++ b/packages/client/CHANGELOG.md @@ -1,5 +1,32 @@ # @modelcontextprotocol/client +## 2.0.0-beta.3 + +### Patch Changes + +- [#2431](https://github.com/modelcontextprotocol/typescript-sdk/pull/2431) [`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df) Thanks [@morluto](https://github.com/morluto)! - Fix the CommonJS `validators/ajv` subpath so reading the exported `Ajv` class no longer throws `ReferenceError: import_ajv is not defined`. The subpath now re-exports the bundled provider's concrete `Ajv` value in CJS output, matching the existing ESM behavior. + +- [#2441](https://github.com/modelcontextprotocol/typescript-sdk/pull/2441) [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9) Thanks [@felixweinberger](https://github.com/felixweinberger)! - POSTs whose `Content-Type` media type is not `application/json` are now + rejected with `415 Unsupported Media Type`; the header is parsed instead of + substring-matched. Previously any value merely containing the substring + passed the check (for example `text/plain; a=application/json`), case + variants were wrongly rejected, and the 2026-07-28 entry did not inspect + `Content-Type` at all — requests with a missing or non-JSON header that used + to be served on that path now also answer 415. Values with parameters + (`application/json; charset=utf-8`, including malformed parameter sections + like `application/json;`) continue to work. SDK clients always send the + correct header and are unaffected. + + The new `isJsonContentType(header)` helper is exported for transport and + framework-adapter authors — custom entries composing the exported building + blocks (`classifyInboundRequest`, `PerRequestHTTPServerTransport`) must apply + it themselves. The hono adapter's JSON body pre-parse and the client's + response dispatch now use the same parsed-media-type comparison. + +- [#2384](https://github.com/modelcontextprotocol/typescript-sdk/pull/2384) [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e) Thanks [@felixweinberger](https://github.com/felixweinberger)! - `instanceof` on the SDK error classes (`ProtocolError` and its typed subclasses, `SdkError`/`SdkHttpError`, `OAuthError`, and the client's `SseError`, `UnauthorizedError`, and OAuth-client-flow error family — `OAuthClientFlowError` and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via `Symbol.hasInstance` and a registry symbol) instead of prototype identity, so a process that uses both `@modelcontextprotocol/client` and `@modelcontextprotocol/server` - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based `instanceof` is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle `SdkError` used as an abort reason is now rethrown as-is instead of being wrapped as a `RequestTimeout`. Branded hierarchies additionally expose an explicit static guard, `X.isInstance(value)`, that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over `instanceof`. Also: `UnauthorizedError` now sets `error.name` to `'UnauthorizedError'` (previously `'Error'`), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes `UnauthorizedError` (previously a dead name-string check) and propagates it unchanged, so `connect()` on an auth-gated server rejects with the original `UnauthorizedError` (previously wrapped as the `cause` of an `SdkError(EraNegotiationFailed)`) — run `finishAuth()` and reconnect, and the retry probes with the token. + +- [#2425](https://github.com/modelcontextprotocol/typescript-sdk/pull/2425) [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091) Thanks [@Sehlani042](https://github.com/Sehlani042)! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths. + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/client/package.json b/packages/client/package.json index f96b681bc7..752b5a38c3 100644 --- a/packages/client/package.json +++ b/packages/client/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/client", - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Model Context Protocol implementation for TypeScript - Client package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/codemod/CHANGELOG.md b/packages/codemod/CHANGELOG.md index 88458c85a4..c603f018b1 100644 --- a/packages/codemod/CHANGELOG.md +++ b/packages/codemod/CHANGELOG.md @@ -1,5 +1,21 @@ # @modelcontextprotocol/codemod +## 2.0.0-beta.3 + +### Patch Changes + +- [#2419](https://github.com/modelcontextprotocol/typescript-sdk/pull/2419) [`79dc162`](https://github.com/modelcontextprotocol/typescript-sdk/commit/79dc162efcb4e1f7b820bfb6068906483cf71ec7) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Read the v2 package versions the codemod writes into migrated `package.json` files directly from the workspace manifests at build time, replacing the committed generated `versions.ts` (which went stale after every release and made source builds write outdated versions). + +- [#2420](https://github.com/modelcontextprotocol/typescript-sdk/pull/2420) [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add runtime-neutral Bearer authentication to `@modelcontextprotocol/server`: + `requireBearerAuth` gates web-standard `fetch(request)` hosts (Cloudflare + Workers, Deno, Bun, Hono), built on the exported `verifyBearerToken` and + `bearerAuthChallengeResponse` pieces, with `OAuthTokenVerifier` now defined + here. The Express middleware adapts the same core and is unchanged in + behavior, except that `WWW-Authenticate` challenge values are now RFC 7235 + quoted-string sanitized (quotes and backslashes escaped, control and + non-ASCII characters replaced); `@modelcontextprotocol/express` re-exports + `OAuthTokenVerifier` as before. + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/codemod/package.json b/packages/codemod/package.json index f3c19675a6..009d882195 100644 --- a/packages/codemod/package.json +++ b/packages/codemod/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/codemod", - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Codemod to migrate MCP TypeScript SDK code from v1 to v2", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/express/CHANGELOG.md b/packages/middleware/express/CHANGELOG.md index dd7b7f653a..e812db3338 100644 --- a/packages/middleware/express/CHANGELOG.md +++ b/packages/middleware/express/CHANGELOG.md @@ -1,5 +1,34 @@ # @modelcontextprotocol/express +## 2.0.0-beta.3 + +### Patch Changes + +- [#2420](https://github.com/modelcontextprotocol/typescript-sdk/pull/2420) [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add runtime-neutral Bearer authentication to `@modelcontextprotocol/server`: + `requireBearerAuth` gates web-standard `fetch(request)` hosts (Cloudflare + Workers, Deno, Bun, Hono), built on the exported `verifyBearerToken` and + `bearerAuthChallengeResponse` pieces, with `OAuthTokenVerifier` now defined + here. The Express middleware adapts the same core and is unchanged in + behavior, except that `WWW-Authenticate` challenge values are now RFC 7235 + quoted-string sanitized (quotes and backslashes escaped, control and + non-ASCII characters replaced); `@modelcontextprotocol/express` re-exports + `OAuthTokenVerifier` as before. + +- [#2422](https://github.com/modelcontextprotocol/typescript-sdk/pull/2422) [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add runtime-neutral OAuth discovery serving to `@modelcontextprotocol/server`: + `oauthMetadataResponse` serves the RFC 9728 Protected Resource Metadata and + RFC 8414 Authorization Server metadata documents from web-standard + `fetch(request)` hosts, built on the exported + `buildOAuthProtectedResourceMetadata`, with + `getOAuthProtectedResourceMetadataUrl` now defined here. The Express metadata + router adapts the same core and is unchanged in behavior; the insecure-issuer + escape hatch is an explicit `dangerouslyAllowInsecureIssuerUrl` option in the + neutral core instead of a module-scope environment read. The web-standard + matcher validates lazily so unmatched traffic always falls through, tolerates + a trailing slash, supports HEAD, and marks reflected CORS preflights with + `Vary`. +- Updated dependencies [[`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df), [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9), [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e), [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091), [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae), [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a)]: + - @modelcontextprotocol/server@2.0.0-beta.3 + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/middleware/express/package.json b/packages/middleware/express/package.json index f1c736a2b0..0be07f6e07 100644 --- a/packages/middleware/express/package.json +++ b/packages/middleware/express/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/express", "private": false, - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Express adapters for the Model Context Protocol TypeScript server SDK - Express middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/fastify/CHANGELOG.md b/packages/middleware/fastify/CHANGELOG.md index 71f5747525..0f487f0ff5 100644 --- a/packages/middleware/fastify/CHANGELOG.md +++ b/packages/middleware/fastify/CHANGELOG.md @@ -1,5 +1,12 @@ # @modelcontextprotocol/fastify +## 2.0.0-beta.3 + +### Patch Changes + +- Updated dependencies [[`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df), [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9), [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e), [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091), [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae), [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a)]: + - @modelcontextprotocol/server@2.0.0-beta.3 + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/middleware/fastify/package.json b/packages/middleware/fastify/package.json index 7f430b518c..fb5472363e 100644 --- a/packages/middleware/fastify/package.json +++ b/packages/middleware/fastify/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/fastify", "private": false, - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Fastify adapters for the Model Context Protocol TypeScript server SDK - Fastify middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/hono/CHANGELOG.md b/packages/middleware/hono/CHANGELOG.md index d7e9f48280..70aace7e19 100644 --- a/packages/middleware/hono/CHANGELOG.md +++ b/packages/middleware/hono/CHANGELOG.md @@ -1,5 +1,29 @@ # @modelcontextprotocol/hono +## 2.0.0-beta.3 + +### Patch Changes + +- [#2441](https://github.com/modelcontextprotocol/typescript-sdk/pull/2441) [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9) Thanks [@felixweinberger](https://github.com/felixweinberger)! - POSTs whose `Content-Type` media type is not `application/json` are now + rejected with `415 Unsupported Media Type`; the header is parsed instead of + substring-matched. Previously any value merely containing the substring + passed the check (for example `text/plain; a=application/json`), case + variants were wrongly rejected, and the 2026-07-28 entry did not inspect + `Content-Type` at all — requests with a missing or non-JSON header that used + to be served on that path now also answer 415. Values with parameters + (`application/json; charset=utf-8`, including malformed parameter sections + like `application/json;`) continue to work. SDK clients always send the + correct header and are unaffected. + + The new `isJsonContentType(header)` helper is exported for transport and + framework-adapter authors — custom entries composing the exported building + blocks (`classifyInboundRequest`, `PerRequestHTTPServerTransport`) must apply + it themselves. The hono adapter's JSON body pre-parse and the client's + response dispatch now use the same parsed-media-type comparison. + +- Updated dependencies [[`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df), [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9), [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e), [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091), [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae), [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a)]: + - @modelcontextprotocol/server@2.0.0-beta.3 + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/middleware/hono/package.json b/packages/middleware/hono/package.json index 3c280c0ecb..e3dddfc711 100644 --- a/packages/middleware/hono/package.json +++ b/packages/middleware/hono/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/hono", "private": false, - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Hono adapters for the Model Context Protocol TypeScript server SDK - Hono middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/node/CHANGELOG.md b/packages/middleware/node/CHANGELOG.md index ff35d59b7e..0da4869000 100644 --- a/packages/middleware/node/CHANGELOG.md +++ b/packages/middleware/node/CHANGELOG.md @@ -1,5 +1,31 @@ # @modelcontextprotocol/node +## 2.0.0-beta.3 + +### Patch Changes + +- [#2441](https://github.com/modelcontextprotocol/typescript-sdk/pull/2441) [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9) Thanks [@felixweinberger](https://github.com/felixweinberger)! - POSTs whose `Content-Type` media type is not `application/json` are now + rejected with `415 Unsupported Media Type`; the header is parsed instead of + substring-matched. Previously any value merely containing the substring + passed the check (for example `text/plain; a=application/json`), case + variants were wrongly rejected, and the 2026-07-28 entry did not inspect + `Content-Type` at all — requests with a missing or non-JSON header that used + to be served on that path now also answer 415. Values with parameters + (`application/json; charset=utf-8`, including malformed parameter sections + like `application/json;`) continue to work. SDK clients always send the + correct header and are unaffected. + + The new `isJsonContentType(header)` helper is exported for transport and + framework-adapter authors — custom entries composing the exported building + blocks (`classifyInboundRequest`, `PerRequestHTTPServerTransport`) must apply + it themselves. The hono adapter's JSON body pre-parse and the client's + response dispatch now use the same parsed-media-type comparison. + +- [#2445](https://github.com/modelcontextprotocol/typescript-sdk/pull/2445) [`78fabea`](https://github.com/modelcontextprotocol/typescript-sdk/commit/78fabea44557bd49f5a050b92e57ccd22dab14ad) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Document composing the host and origin validation guards in front of `toNodeHandler` for hand-wired `node:http` servers, matching the protected wiring the examples and serving guide now demonstrate. + +- Updated dependencies [[`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df), [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9), [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e), [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091), [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae), [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a)]: + - @modelcontextprotocol/server@2.0.0-beta.3 + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/middleware/node/package.json b/packages/middleware/node/package.json index aad6227dda..e0c9a5fa7d 100644 --- a/packages/middleware/node/package.json +++ b/packages/middleware/node/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/node", - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Model Context Protocol implementation for TypeScript - Node.js middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md index 9467763c06..0615422147 100644 --- a/packages/server/CHANGELOG.md +++ b/packages/server/CHANGELOG.md @@ -1,5 +1,57 @@ # @modelcontextprotocol/server +## 2.0.0-beta.3 + +### Minor Changes + +- [#2420](https://github.com/modelcontextprotocol/typescript-sdk/pull/2420) [`7635115`](https://github.com/modelcontextprotocol/typescript-sdk/commit/7635115d0112c3f980b45a9773a4770660af8aae) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add runtime-neutral Bearer authentication to `@modelcontextprotocol/server`: + `requireBearerAuth` gates web-standard `fetch(request)` hosts (Cloudflare + Workers, Deno, Bun, Hono), built on the exported `verifyBearerToken` and + `bearerAuthChallengeResponse` pieces, with `OAuthTokenVerifier` now defined + here. The Express middleware adapts the same core and is unchanged in + behavior, except that `WWW-Authenticate` challenge values are now RFC 7235 + quoted-string sanitized (quotes and backslashes escaped, control and + non-ASCII characters replaced); `@modelcontextprotocol/express` re-exports + `OAuthTokenVerifier` as before. + +- [#2422](https://github.com/modelcontextprotocol/typescript-sdk/pull/2422) [`61866d7`](https://github.com/modelcontextprotocol/typescript-sdk/commit/61866d7a5ff4475663ceb525c88447c497c1b92a) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add runtime-neutral OAuth discovery serving to `@modelcontextprotocol/server`: + `oauthMetadataResponse` serves the RFC 9728 Protected Resource Metadata and + RFC 8414 Authorization Server metadata documents from web-standard + `fetch(request)` hosts, built on the exported + `buildOAuthProtectedResourceMetadata`, with + `getOAuthProtectedResourceMetadataUrl` now defined here. The Express metadata + router adapts the same core and is unchanged in behavior; the insecure-issuer + escape hatch is an explicit `dangerouslyAllowInsecureIssuerUrl` option in the + neutral core instead of a module-scope environment read. The web-standard + matcher validates lazily so unmatched traffic always falls through, tolerates + a trailing slash, supports HEAD, and marks reflected CORS preflights with + `Vary`. + +### Patch Changes + +- [#2431](https://github.com/modelcontextprotocol/typescript-sdk/pull/2431) [`1b90c96`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1b90c96d11fd17016d2977cae9dd661de3fb84df) Thanks [@morluto](https://github.com/morluto)! - Fix the CommonJS `validators/ajv` subpath so reading the exported `Ajv` class no longer throws `ReferenceError: import_ajv is not defined`. The subpath now re-exports the bundled provider's concrete `Ajv` value in CJS output, matching the existing ESM behavior. + +- [#2441](https://github.com/modelcontextprotocol/typescript-sdk/pull/2441) [`561c6d8`](https://github.com/modelcontextprotocol/typescript-sdk/commit/561c6d83456ef98d6c713bbda9837e64337f22c9) Thanks [@felixweinberger](https://github.com/felixweinberger)! - POSTs whose `Content-Type` media type is not `application/json` are now + rejected with `415 Unsupported Media Type`; the header is parsed instead of + substring-matched. Previously any value merely containing the substring + passed the check (for example `text/plain; a=application/json`), case + variants were wrongly rejected, and the 2026-07-28 entry did not inspect + `Content-Type` at all — requests with a missing or non-JSON header that used + to be served on that path now also answer 415. Values with parameters + (`application/json; charset=utf-8`, including malformed parameter sections + like `application/json;`) continue to work. SDK clients always send the + correct header and are unaffected. + + The new `isJsonContentType(header)` helper is exported for transport and + framework-adapter authors — custom entries composing the exported building + blocks (`classifyInboundRequest`, `PerRequestHTTPServerTransport`) must apply + it themselves. The hono adapter's JSON body pre-parse and the client's + response dispatch now use the same parsed-media-type comparison. + +- [#2384](https://github.com/modelcontextprotocol/typescript-sdk/pull/2384) [`ce2f65d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/ce2f65db0e019506f4d2526466ec8cc7106de98e) Thanks [@felixweinberger](https://github.com/felixweinberger)! - `instanceof` on the SDK error classes (`ProtocolError` and its typed subclasses, `SdkError`/`SdkHttpError`, `OAuthError`, and the client's `SseError`, `UnauthorizedError`, and OAuth-client-flow error family — `OAuthClientFlowError` and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via `Symbol.hasInstance` and a registry symbol) instead of prototype identity, so a process that uses both `@modelcontextprotocol/client` and `@modelcontextprotocol/server` - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based `instanceof` is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle `SdkError` used as an abort reason is now rethrown as-is instead of being wrapped as a `RequestTimeout`. Branded hierarchies additionally expose an explicit static guard, `X.isInstance(value)`, that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over `instanceof`. Also: `UnauthorizedError` now sets `error.name` to `'UnauthorizedError'` (previously `'Error'`), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes `UnauthorizedError` (previously a dead name-string check) and propagates it unchanged, so `connect()` on an auth-gated server rejects with the original `UnauthorizedError` (previously wrapped as the `cause` of an `SdkError(EraNegotiationFailed)`) — run `finishAuth()` and reconnect, and the retry probes with the token. + +- [#2425](https://github.com/modelcontextprotocol/typescript-sdk/pull/2425) [`e8de519`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e8de519d3129f46b7528d2999b7641f55be1f091) Thanks [@Sehlani042](https://github.com/Sehlani042)! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths. + ## 2.0.0-beta.2 ### Patch Changes diff --git a/packages/server/package.json b/packages/server/package.json index d77e533db8..d4a75c70fc 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/server", - "version": "2.0.0-beta.2", + "version": "2.0.0-beta.3", "description": "Model Context Protocol implementation for TypeScript - Server package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)",