Skip to content

Version Packages (beta)#2

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Open

Version Packages (beta)#2
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or setup this action to publish automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@modelcontextprotocol/server@2.0.0-beta.3

Minor Changes

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

  • #2422 61866d7 Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to @modelcontextprotocol/server:
    oauthMetadataResponse serves the RFC 9728 Protected Resource Metadata and
    RFC 8414 Authorization Server metadata documents from web-standard
    fetch(request) hosts, built on the exported
    buildOAuthProtectedResourceMetadata, with
    getOAuthProtectedResourceMetadataUrl now defined here. The Express metadata
    router adapts the same core and is unchanged in behavior; the insecure-issuer
    escape hatch is an explicit dangerouslyAllowInsecureIssuerUrl option in the
    neutral core instead of a module-scope environment read. The web-standard
    matcher validates lazily so unmatched traffic always falls through, tolerates
    a trailing slash, supports HEAD, and marks reflected CORS preflights with
    Vary.

Patch Changes

  • #2431 1b90c96 Thanks @morluto! - Fix the CommonJS validators/ajv subpath so reading the exported Ajv class no longer throws ReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concrete Ajv value in CJS output, matching the existing ESM behavior.

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2384 ce2f65d Thanks @felixweinberger! - instanceof on the SDK error classes (ProtocolError and its typed subclasses, SdkError/SdkHttpError, OAuthError, and the client's SseError, UnauthorizedError, and OAuth-client-flow error family — OAuthClientFlowError and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via Symbol.hasInstance and a registry symbol) instead of prototype identity, so a process that uses both @modelcontextprotocol/client and @modelcontextprotocol/server - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based instanceof is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle SdkError used as an abort reason is now rethrown as-is instead of being wrapped as a RequestTimeout. Branded hierarchies additionally expose an explicit static guard, X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over instanceof. Also: UnauthorizedError now sets error.name to 'UnauthorizedError' (previously 'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes UnauthorizedError (previously a dead name-string check) and propagates it unchanged, so connect() on an auth-gated server rejects with the original UnauthorizedError (previously wrapped as the cause of an SdkError(EraNegotiationFailed)) — run finishAuth() and reconnect, and the retry probes with the token.

  • #2451 7e69735 Thanks @mattzcarey! - Return JSON-RPC Invalid Params with the original URI and an invalid_uri reason when resources/read receives a syntactically malformed URI.

  • #2425 e8de519 Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.

  • #2453 0ab5d14 Thanks @mattzcarey! - Strip RFC 9110 optional whitespace around inbound MCP-Protocol-Version, Mcp-Method, and Mcp-Name values before classifying and validating modern HTTP requests. This keeps valid requests portable across Fetch runtimes that expose raw leading or trailing SP/HTAB through Headers.get().

@modelcontextprotocol/client@2.0.0-beta.3

Patch Changes

  • #2431 1b90c96 Thanks @morluto! - Fix the CommonJS validators/ajv subpath so reading the exported Ajv class no longer throws ReferenceError: import_ajv is not defined. The subpath now re-exports the bundled provider's concrete Ajv value in CJS output, matching the existing ESM behavior.

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2384 ce2f65d Thanks @felixweinberger! - instanceof on the SDK error classes (ProtocolError and its typed subclasses, SdkError/SdkHttpError, OAuthError, and the client's SseError, UnauthorizedError, and OAuth-client-flow error family — OAuthClientFlowError and its subclasses) now works across separately bundled copies of the SDK. The classes match by a stable brand (via Symbol.hasInstance and a registry symbol) instead of prototype identity, so a process that uses both @modelcontextprotocol/client and @modelcontextprotocol/server - a gateway, host, or in-process test - can check errors constructed by either package against the class re-exported by the other. Ordinary prototype-based instanceof is preserved as a fallback; user-defined subclasses keep plain prototype semantics. Notes: cross-bundle matching requires both copies to be at or after this release; brands assert identity, not field shape, across versions - keep reading fields defensively. As a side effect, a foreign-bundle SdkError used as an abort reason is now rethrown as-is instead of being wrapped as a RequestTimeout. Branded hierarchies additionally expose an explicit static guard, X.isInstance(value), that reads the same brand and narrows in TypeScript — an alternative for codebases that prefer predicate-style checks over instanceof. Also: UnauthorizedError now sets error.name to 'UnauthorizedError' (previously 'Error'), and per-package conformance tests enforce that every exported error class participates in branding. Version-negotiation probing now recognizes UnauthorizedError (previously a dead name-string check) and propagates it unchanged, so connect() on an auth-gated server rejects with the original UnauthorizedError (previously wrapped as the cause of an SdkError(EraNegotiationFailed)) — run finishAuth() and reconnect, and the retry probes with the token.

  • #2455 cc70c5e Thanks @felixweinberger! - Version negotiation no longer discards transport handlers the caller set before connect(). The probe window now saves any pre-set onmessage/onerror/onclose, forwards error and close events to them while the probe is in flight, and restores them when the window closes — so Protocol.connect() chains them exactly as it does on a plain connect. Previously, connecting with versionNegotiation silently cleared pre-set handlers (e.g. an onerror used to detect session-expiry auth failures), leaving them permanently detached for the life of the connection.

  • #2425 e8de519 Thanks @Sehlani042! - Stop advertising validator provider classes from the root client/server type declarations. The provider classes remain available from the explicit validator subpaths.

@modelcontextprotocol/codemod@2.0.0-beta.3

Patch Changes

  • #2419 79dc162 Thanks @felixweinberger! - Read the v2 package versions the codemod writes into migrated package.json files directly from the workspace manifests at build time, replacing the committed generated versions.ts (which went stale after every release and made source builds write outdated versions).

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

@modelcontextprotocol/express@2.0.0-beta.3

Patch Changes

  • #2420 7635115 Thanks @felixweinberger! - Add runtime-neutral Bearer authentication to @modelcontextprotocol/server:
    requireBearerAuth gates web-standard fetch(request) hosts (Cloudflare
    Workers, Deno, Bun, Hono), built on the exported verifyBearerToken and
    bearerAuthChallengeResponse pieces, with OAuthTokenVerifier now defined
    here. The Express middleware adapts the same core and is unchanged in
    behavior, except that WWW-Authenticate challenge values are now RFC 7235
    quoted-string sanitized (quotes and backslashes escaped, control and
    non-ASCII characters replaced); @modelcontextprotocol/express re-exports
    OAuthTokenVerifier as before.

  • #2422 61866d7 Thanks @felixweinberger! - Add runtime-neutral OAuth discovery serving to @modelcontextprotocol/server:
    oauthMetadataResponse serves the RFC 9728 Protected Resource Metadata and
    RFC 8414 Authorization Server metadata documents from web-standard
    fetch(request) hosts, built on the exported
    buildOAuthProtectedResourceMetadata, with
    getOAuthProtectedResourceMetadataUrl now defined here. The Express metadata
    router adapts the same core and is unchanged in behavior; the insecure-issuer
    escape hatch is an explicit dangerouslyAllowInsecureIssuerUrl option in the
    neutral core instead of a module-scope environment read. The web-standard
    matcher validates lazily so unmatched traffic always falls through, tolerates
    a trailing slash, supports HEAD, and marks reflected CORS preflights with
    Vary.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, 7e69735, e8de519, 0ab5d14, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@modelcontextprotocol/fastify@2.0.0-beta.3

Patch Changes

@modelcontextprotocol/hono@2.0.0-beta.3

Patch Changes

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, 7e69735, e8de519, 0ab5d14, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@modelcontextprotocol/node@2.0.0-beta.3

Patch Changes

  • #2441 561c6d8 Thanks @felixweinberger! - POSTs whose Content-Type media type is not application/json are now
    rejected with 415 Unsupported Media Type; the header is parsed instead of
    substring-matched. Previously any value merely containing the substring
    passed the check (for example text/plain; a=application/json), case
    variants were wrongly rejected, and the 2026-07-28 entry did not inspect
    Content-Type at all — requests with a missing or non-JSON header that used
    to be served on that path now also answer 415. Values with parameters
    (application/json; charset=utf-8, including malformed parameter sections
    like application/json;) continue to work. SDK clients always send the
    correct header and are unaffected.

    The new isJsonContentType(header) helper is exported for transport and
    framework-adapter authors — custom entries composing the exported building
    blocks (classifyInboundRequest, PerRequestHTTPServerTransport) must apply
    it themselves. The hono adapter's JSON body pre-parse and the client's
    response dispatch now use the same parsed-media-type comparison.

  • #2445 78fabea Thanks @felixweinberger! - Document composing the host and origin validation guards in front of toNodeHandler for hand-wired node:http servers, matching the protected wiring the examples and serving guide now demonstrate.

  • Updated dependencies [1b90c96, 561c6d8, ce2f65d, 7e69735, e8de519, 0ab5d14, 7635115, 61866d7]:

    • @modelcontextprotocol/server@2.0.0-beta.3

@modelcontextprotocol/core-internal@2.0.0-beta.2

Patch Changes

  • #2453 0ab5d14 Thanks @mattzcarey! - Strip RFC 9110 optional whitespace around inbound MCP-Protocol-Version, Mcp-Method, and Mcp-Name values before classifying and validating modern HTTP requests. This keeps valid requests portable across Fetch runtimes that expose raw leading or trailing SP/HTAB through Headers.get().

@github-actions github-actions Bot force-pushed the changeset-release/main branch 3 times, most recently from 1ba1d6d to 0dc45b6 Compare July 7, 2026 13:09
@github-actions github-actions Bot force-pushed the changeset-release/main branch from 0dc45b6 to b598c15 Compare July 7, 2026 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants