fix(fetch): refresh uv lockfile for PR #3607#1
Merged
Conversation
When a tool like `gzip-file-as-resource` is called multiple times with the same output name (especially the default `README.md.gz`), the server would throw "Resource already registered" because the SDK doesn't allow registering duplicate URIs. This fix: - Tracks registered resources by URI in a module-level Map - Before registering a new resource, checks if the URI already exists - If it does, removes the old resource using the SDK's `remove()` method - Then registers the new resource with fresh content This allows tools to be called repeatedly with the same parameters without errors, which is important for LLM agents that may retry tool calls. Found using Bellwether (https://bellwether.sh), an MCP server validation tool. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The httpx library renamed 'proxies' to 'proxy' in version 0.28.0. This updates the fetch server to use the new parameter name and removes the version cap on httpx. Fixes modelcontextprotocol#3287
…es/searchNodes Previously, `openNodes` and `searchNodes` only returned relations where BOTH endpoints were in the result set (using `&&`). This silently dropped all relations to/from nodes outside the set — making it impossible to discover a node's connections without calling `read_graph` and filtering the entire dataset client-side. Changed the filter from `&&` to `||` so that any relation with at least one endpoint in the result set is included. This matches the expected graph-query semantics: when you open a node, you should see all its edges, not just edges to other opened nodes. Fixes modelcontextprotocol#3137 Tests updated and new cases added covering: - Outgoing relations to nodes not in the open set - Incoming relations from nodes not in the open set - Relations connected to a single opened node - searchNodes returning outgoing relations to unmatched entities Co-authored-by: Cursor <cursoragent@cursor.com>
…ory-open-nodes-relations fix(memory): return relations connected to requested nodes in openNodes/searchNodes
…ion-resource-reregistration fix(everything): allow re-registration of session resources
…ttpx-proxy-arg fix(fetch): update to httpx 0.28+ proxy parameter
…ocol#3515) fix(fetch): handle malformed input without crashing Changes `raise_exceptions=True` to `raise_exceptions=False` in the fetch server's `Server.run()` call, preventing the server from crashing on malformed JSON-RPC input. This aligns with the SDK's intended default behavior and is consistent with other reference servers. Fixes modelcontextprotocol#3359
…#3534) feat(sequential-thinking): add tool annotations Adds MCP ToolAnnotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) to the sequential-thinking tool, bringing it in line with the annotation pattern established by the filesystem server. Fixes modelcontextprotocol#3403
…modelcontextprotocol#3574) (modelcontextprotocol#3581) feat(time): add tool annotations Adds MCP ToolAnnotations to both time server tools (get_current_time, convert_time). Both are read-only, non-destructive, idempotent, and closed-world. Fixes modelcontextprotocol#3574
…te_branch, git_log, and git_branch (modelcontextprotocol#3545) fix(git): add missing argument injection guards Extends existing startswith("-") input validation to git_show, git_create_branch, git_log, and git_branch, preventing user-supplied values from being interpreted as CLI flags by GitPython's subprocess calls to git.
feat(git): add tool annotations Adds MCP ToolAnnotations to all 12 git server tools, marking read-only operations (status, diff, log, show, branch) and distinguishing destructive (reset) from non-destructive write operations (add, commit, create_branch, checkout). Fixes modelcontextprotocol#3573
…odelcontextprotocol#3533) fix(sequential-thinking): use z.coerce for number and safe preprocess for boolean params Uses z.coerce.number() for number fields and a z.preprocess() helper for boolean fields to handle string-typed parameters from LLM clients. The preprocess approach correctly handles "false" → false, avoiding the z.coerce.boolean() footgun where Boolean("false") === true. Fixes modelcontextprotocol#3428
…odelcontextprotocol#3434) fix(filesystem): ensure bare Windows drive letters normalize to root Appends path.sep to bare drive letters (e.g. "C:") before calling path.normalize(), preventing them from normalizing to "C:." (current directory on drive) instead of "C:\" (drive root). Includes test coverage with platform mocking. Fixes modelcontextprotocol#3418
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 785b340e46
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+58
to
+60
| const existingResource = registeredResources.get(uri); | ||
| if (existingResource) { | ||
| existingResource.remove(); |
There was a problem hiding this comment.
registeredResources is process-global, so registerSessionResource can remove resources created by a different client session when URIs collide. In the SSE/streamable HTTP transports each session gets its own McpServer, but this shared map means a second session registering the same demo://resource/session/<name> URI will hit existingResource.remove() and invalidate the first session’s resource link, breaking session isolation.
Useful? React with 👍 / 👎.
Comment on lines
+95
to
+97
| readOnlyHint: true, | ||
| destructiveHint: false, | ||
| idempotentHint: true, |
There was a problem hiding this comment.
This tool is not read-only or idempotent: each call mutates thoughtHistory/branches in SequentialThinkingServer.processThought, and repeated identical calls change thoughtHistoryLength. Advertising readOnlyHint: true plus idempotentHint: true can cause clients to treat retries/caching as safe and accidentally reorder or collapse calls, which corrupts multi-step reasoning state.
Useful? React with 👍 / 👎.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This carries the minimal lockfile refresh needed to fix the same Python CI failure seen in modelcontextprotocol#3607.\n\nRoot cause:\n- src/fetch/pyproject.toml and src/fetch/uv.lock are out of sync\n- Build fetch fails at uv sync --locked --all-extras --dev\n\nDiff:\n- refresh src/fetch/uv.lock so requires-dist matches httpx>=0.27\n