From 428423c20f235e6421d9fde9425db2d9e7735796 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 26 Mar 2026 03:28:56 +0000 Subject: [PATCH] Version Packages --- .changeset/add-hono-peer-dep.md | 5 - .changeset/brave-lions-glow.md | 5 - .changeset/busy-weeks-hang.md | 6 - .changeset/cyan-cycles-pump.md | 5 - .changeset/expose-auth-server-discovery.md | 10 -- .changeset/extract-task-manager.md | 10 -- .changeset/fix-onerror-callbacks.md | 5 - .changeset/fix-stdio-epipe-crash.md | 5 - .changeset/fix-task-session-isolation.md | 5 - .changeset/fix-unknown-tool-protocol-error.md | 15 --- .changeset/funky-baths-attack.md | 8 -- .changeset/heavy-walls-swim.md | 5 - .changeset/oauth-error-http200.md | 7 -- .changeset/quick-islands-occur.md | 10 -- .changeset/respect-capability-negotiation.md | 14 --- .changeset/rich-hounds-report.md | 10 -- .changeset/shy-times-learn.md | 8 -- .changeset/support-standard-json-schema.md | 34 ------ .changeset/tame-camels-greet.md | 9 -- .changeset/tender-snails-fold.md | 6 - .changeset/token-provider-composable-auth.md | 16 --- .changeset/twelve-dodos-taste.md | 5 - .changeset/use-scopes-supported-in-dcr.md | 10 -- packages/client/CHANGELOG.md | 110 ++++++++++++++++++ packages/client/package.json | 2 +- packages/core/CHANGELOG.md | 78 +++++++++++++ packages/core/package.json | 2 +- packages/middleware/express/CHANGELOG.md | 22 ++++ packages/middleware/express/package.json | 2 +- packages/middleware/hono/CHANGELOG.md | 19 +++ packages/middleware/hono/package.json | 2 +- packages/middleware/node/CHANGELOG.md | 31 +++++ packages/middleware/node/package.json | 2 +- packages/server/CHANGELOG.md | 93 +++++++++++++++ packages/server/package.json | 2 +- test/integration/CHANGELOG.md | 11 ++ test/integration/package.json | 2 +- 37 files changed, 371 insertions(+), 220 deletions(-) delete mode 100644 .changeset/add-hono-peer-dep.md delete mode 100644 .changeset/brave-lions-glow.md delete mode 100644 .changeset/busy-weeks-hang.md delete mode 100644 .changeset/cyan-cycles-pump.md delete mode 100644 .changeset/expose-auth-server-discovery.md delete mode 100644 .changeset/extract-task-manager.md delete mode 100644 .changeset/fix-onerror-callbacks.md delete mode 100644 .changeset/fix-stdio-epipe-crash.md delete mode 100644 .changeset/fix-task-session-isolation.md delete mode 100644 .changeset/fix-unknown-tool-protocol-error.md delete mode 100644 .changeset/funky-baths-attack.md delete mode 100644 .changeset/heavy-walls-swim.md delete mode 100644 .changeset/oauth-error-http200.md delete mode 100644 .changeset/quick-islands-occur.md delete mode 100644 .changeset/respect-capability-negotiation.md delete mode 100644 .changeset/rich-hounds-report.md delete mode 100644 .changeset/shy-times-learn.md delete mode 100644 .changeset/support-standard-json-schema.md delete mode 100644 .changeset/tame-camels-greet.md delete mode 100644 .changeset/tender-snails-fold.md delete mode 100644 .changeset/token-provider-composable-auth.md delete mode 100644 .changeset/twelve-dodos-taste.md delete mode 100644 .changeset/use-scopes-supported-in-dcr.md create mode 100644 packages/client/CHANGELOG.md create mode 100644 packages/core/CHANGELOG.md create mode 100644 packages/middleware/express/CHANGELOG.md create mode 100644 packages/middleware/hono/CHANGELOG.md create mode 100644 packages/middleware/node/CHANGELOG.md create mode 100644 packages/server/CHANGELOG.md create mode 100644 test/integration/CHANGELOG.md diff --git a/.changeset/add-hono-peer-dep.md b/.changeset/add-hono-peer-dep.md deleted file mode 100644 index 25f90bbd83..0000000000 --- a/.changeset/add-hono-peer-dep.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/node': patch ---- - -Add missing `hono` peer dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself. diff --git a/.changeset/brave-lions-glow.md b/.changeset/brave-lions-glow.md deleted file mode 100644 index 5871838994..0000000000 --- a/.changeset/brave-lions-glow.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/node': patch ---- - -Prevent Hono from overriding global Response object by passing `overrideGlobalObjects: false` to `getRequestListener()`. This fixes compatibility with frameworks like Next.js whose response classes extend the native Response. diff --git a/.changeset/busy-weeks-hang.md b/.changeset/busy-weeks-hang.md deleted file mode 100644 index a045aaa41f..0000000000 --- a/.changeset/busy-weeks-hang.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -'@modelcontextprotocol/core': patch -'@modelcontextprotocol/server': patch ---- - -Fix ReDoS vulnerability in UriTemplate regex patterns (CVE-2026-0621) diff --git a/.changeset/cyan-cycles-pump.md b/.changeset/cyan-cycles-pump.md deleted file mode 100644 index 0f2008a3a1..0000000000 --- a/.changeset/cyan-cycles-pump.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -missing change for fix(client): replace body.cancel() with text() to prevent hanging diff --git a/.changeset/expose-auth-server-discovery.md b/.changeset/expose-auth-server-discovery.md deleted file mode 100644 index 443dce893d..0000000000 --- a/.changeset/expose-auth-server-discovery.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/client': minor ---- - -Add `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth - -- New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server URL outside of `auth()`. -- New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost. -- New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state. -- New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`. diff --git a/.changeset/extract-task-manager.md b/.changeset/extract-task-manager.md deleted file mode 100644 index 6a72182837..0000000000 --- a/.changeset/extract-task-manager.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -"@modelcontextprotocol/core": minor -"@modelcontextprotocol/client": minor -"@modelcontextprotocol/server": minor ---- - -refactor: extract task orchestration from Protocol into TaskManager - -**Breaking changes:** -- `taskStore`, `taskMessageQueue`, `defaultTaskPollInterval`, and `maxTaskQueueSize` moved from `ProtocolOptions` to `capabilities.tasks` on `ClientOptions`/`ServerOptions` diff --git a/.changeset/fix-onerror-callbacks.md b/.changeset/fix-onerror-callbacks.md deleted file mode 100644 index 4ca4e72e4b..0000000000 --- a/.changeset/fix-onerror-callbacks.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -Fix transport errors being silently swallowed by adding missing `onerror` callback invocations before all `createJsonErrorResponse` calls in `WebStandardStreamableHTTPServerTransport`. This ensures errors like parse failures, invalid headers, and session validation errors are properly reported via the `onerror` callback. diff --git a/.changeset/fix-stdio-epipe-crash.md b/.changeset/fix-stdio-epipe-crash.md deleted file mode 100644 index 456a8c22f8..0000000000 --- a/.changeset/fix-stdio-epipe-crash.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -Handle stdout errors (e.g. EPIPE) in `StdioServerTransport` gracefully instead of crashing. When the client disconnects abruptly, the transport now catches the stdout error, surfaces it via `onerror`, and closes. diff --git a/.changeset/fix-task-session-isolation.md b/.changeset/fix-task-session-isolation.md deleted file mode 100644 index 7220673374..0000000000 --- a/.changeset/fix-task-session-isolation.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/core': patch ---- - -Fix InMemoryTaskStore to enforce session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes. diff --git a/.changeset/fix-unknown-tool-protocol-error.md b/.changeset/fix-unknown-tool-protocol-error.md deleted file mode 100644 index 086158b4b6..0000000000 --- a/.changeset/fix-unknown-tool-protocol-error.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -"@modelcontextprotocol/core": minor -"@modelcontextprotocol/server": major ---- - -Fix error handling for unknown tools and resources per MCP spec. - -**Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with -code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. -Callers who checked `result.isError` for unknown tools should catch rejected promises instead. - -**Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) -instead of `-32602` (InvalidParams). - -Added `ProtocolErrorCode.ResourceNotFound`. diff --git a/.changeset/funky-baths-attack.md b/.changeset/funky-baths-attack.md deleted file mode 100644 index f65f1263c8..0000000000 --- a/.changeset/funky-baths-attack.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/test-integration': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -remove deprecated .tool, .prompt, .resource method signatures diff --git a/.changeset/heavy-walls-swim.md b/.changeset/heavy-walls-swim.md deleted file mode 100644 index 7a09cda0dc..0000000000 --- a/.changeset/heavy-walls-swim.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@modelcontextprotocol/server': patch ---- - -reverting application/json in notifications diff --git a/.changeset/oauth-error-http200.md b/.changeset/oauth-error-http200.md deleted file mode 100644 index 1ce4fdd9ed..0000000000 --- a/.changeset/oauth-error-http200.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -'@modelcontextprotocol/client': patch ---- - -Fix OAuth error handling for servers returning errors with HTTP 200 status - -Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages. diff --git a/.changeset/quick-islands-occur.md b/.changeset/quick-islands-occur.md deleted file mode 100644 index 2ec83908d1..0000000000 --- a/.changeset/quick-islands-occur.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/express': patch -'@modelcontextprotocol/hono': patch -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -remove npm references, use pnpm diff --git a/.changeset/respect-capability-negotiation.md b/.changeset/respect-capability-negotiation.md deleted file mode 100644 index 6a42cf6076..0000000000 --- a/.changeset/respect-capability-negotiation.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -'@modelcontextprotocol/client': patch ---- - -Respect capability negotiation in list methods by returning empty lists when server lacks capability - -The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability: - -- `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability -- `listResources()` returns `{ resources: [] }` if server lacks resources capability -- `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability -- `listTools()` returns `{ tools: [] }` if server lacks tools capability - -This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`. diff --git a/.changeset/rich-hounds-report.md b/.changeset/rich-hounds-report.md deleted file mode 100644 index d1736bf72c..0000000000 --- a/.changeset/rich-hounds-report.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/express': patch -'@modelcontextprotocol/hono': patch -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -clean up package manager usage, all pnpm diff --git a/.changeset/shy-times-learn.md b/.changeset/shy-times-learn.md deleted file mode 100644 index 99617f8b7d..0000000000 --- a/.changeset/shy-times-learn.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -'@modelcontextprotocol/node': patch -'@modelcontextprotocol/test-integration': patch -'@modelcontextprotocol/server': patch -'@modelcontextprotocol/core': patch ---- - -deprecated .tool, .prompt, .resource method removal diff --git a/.changeset/support-standard-json-schema.md b/.changeset/support-standard-json-schema.md deleted file mode 100644 index 1ceff35844..0000000000 --- a/.changeset/support-standard-json-schema.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -'@modelcontextprotocol/core': minor -'@modelcontextprotocol/server': minor -'@modelcontextprotocol/client': minor ---- - -Support Standard Schema for tool and prompt schemas - -Tool and prompt registration now accepts any schema library that implements the [Standard Schema spec](https://standardschema.dev/): Zod v4, Valibot, ArkType, and others. `RegisteredTool.inputSchema`, `RegisteredTool.outputSchema`, and `RegisteredPrompt.argsSchema` now use `StandardSchemaWithJSON` (requires both `~standard.validate` and `~standard.jsonSchema`) instead of the Zod-specific `AnySchema` type. - -**Zod v4 schemas continue to work unchanged** — Zod v4 implements the required interfaces natively. - -```typescript -import { type } from 'arktype'; - -server.registerTool('greet', { - inputSchema: type({ name: 'string' }) -}, async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] })); -``` - -For raw JSON Schema (e.g. TypeBox output), use the new `fromJsonSchema` adapter: - -```typescript -import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core'; - -server.registerTool('greet', { - inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator()) -}, handler); -``` - -**Breaking changes:** -- `experimental.tasks.getTaskResult()` no longer accepts a `resultSchema` parameter. Returns `GetTaskPayloadResult` (a loose `Result`); cast to the expected type at the call site. -- Removed unused exports from `@modelcontextprotocol/core`: `SchemaInput`, `schemaToJson`, `parseSchemaAsync`, `getSchemaShape`, `getSchemaDescription`, `isOptionalSchema`, `unwrapOptionalSchema`. Use the new `standardSchemaToJsonSchema` and `validateStandardSchema` instead. -- `completable()` remains Zod-specific (it relies on Zod's `.shape` introspection). diff --git a/.changeset/tame-camels-greet.md b/.changeset/tame-camels-greet.md deleted file mode 100644 index 5f9c1d1c59..0000000000 --- a/.changeset/tame-camels-greet.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -'@modelcontextprotocol/client': patch ---- - -Don't swallow fetch `TypeError` as CORS in non-browser environments. Network errors -(DNS resolution failure, connection refused, invalid URL) in Node.js and Cloudflare -Workers now propagate from OAuth discovery instead of being silently misattributed -to CORS and returning `undefined`. This surfaces the real error to callers rather -than masking it as "metadata not found." diff --git a/.changeset/tender-snails-fold.md b/.changeset/tender-snails-fold.md deleted file mode 100644 index 138596950c..0000000000 --- a/.changeset/tender-snails-fold.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -'@modelcontextprotocol/client': patch -'@modelcontextprotocol/server': patch ---- - -Initial 2.0.0-alpha.0 client and server package diff --git a/.changeset/token-provider-composable-auth.md b/.changeset/token-provider-composable-auth.md deleted file mode 100644 index f5c064e7f1..0000000000 --- a/.changeset/token-provider-composable-auth.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -'@modelcontextprotocol/client': minor ---- - -Add `AuthProvider` for composable bearer-token auth; transports adapt `OAuthClientProvider` automatically - -- New `AuthProvider` interface: `{ token(): Promise; onUnauthorized?(ctx): Promise }`. Transports call `token()` before every request and `onUnauthorized()` on 401 (then retry once). -- Transport `authProvider` option now accepts `AuthProvider | OAuthClientProvider`. OAuth providers are adapted internally via `adaptOAuthProvider()` — no changes needed to existing `OAuthClientProvider` implementations. -- For simple bearer tokens (API keys, gateway-managed tokens, service accounts): `{ authProvider: { token: async () => myKey } }` — one-line object literal, no class. -- New `adaptOAuthProvider(provider)` export for explicit adaptation. -- New `handleOAuthUnauthorized(provider, ctx)` helper — the standard OAuth `onUnauthorized` behavior. -- New `isOAuthClientProvider()` type guard. -- New `UnauthorizedContext` type. -- Exported previously-internal auth helpers for building custom flows: `applyBasicAuth`, `applyPostAuth`, `applyPublicAuth`, `executeTokenRequest`. - -Transports are simplified internally — ~50 lines of inline OAuth orchestration (auth() calls, WWW-Authenticate parsing, circuit-breaker state) moved into the adapter's `onUnauthorized()` implementation. `OAuthClientProvider` itself is unchanged. diff --git a/.changeset/twelve-dodos-taste.md b/.changeset/twelve-dodos-taste.md deleted file mode 100644 index 1b0fdc19d9..0000000000 --- a/.changeset/twelve-dodos-taste.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"@modelcontextprotocol/express": patch ---- - -Add jsonLimit option to createMcpExpressApp diff --git a/.changeset/use-scopes-supported-in-dcr.md b/.changeset/use-scopes-supported-in-dcr.md deleted file mode 100644 index d40da05f0e..0000000000 --- a/.changeset/use-scopes-supported-in-dcr.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -'@modelcontextprotocol/client': minor ---- - -Apply resolved scope consistently to both DCR and the authorization URL (SEP-835) - -When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request body, ensuring both use a consistent value. - -- `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body. -- `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request. diff --git a/packages/client/CHANGELOG.md b/packages/client/CHANGELOG.md new file mode 100644 index 0000000000..add1a939a9 --- /dev/null +++ b/packages/client/CHANGELOG.md @@ -0,0 +1,110 @@ +# @modelcontextprotocol/client + +## 2.0.0 + +### Minor Changes + +- [#1527](https://github.com/modelcontextprotocol/typescript-sdk/pull/1527) [`dc896e1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dc896e198bdd1367d93a7c38846fdf9e78d84c6a) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add + `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth + - New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server + URL outside of `auth()`. + - New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This + avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost. + - New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state. + - New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`. + +- [#1673](https://github.com/modelcontextprotocol/typescript-sdk/pull/1673) [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - refactor: extract task + orchestration from Protocol into TaskManager + + **Breaking changes:** + - `taskStore`, `taskMessageQueue`, `defaultTaskPollInterval`, and `maxTaskQueueSize` moved from `ProtocolOptions` to `capabilities.tasks` on `ClientOptions`/`ServerOptions` + +- [#1689](https://github.com/modelcontextprotocol/typescript-sdk/pull/1689) [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Support Standard Schema + for tool and prompt schemas + + Tool and prompt registration now accepts any schema library that implements the [Standard Schema spec](https://standardschema.dev/): Zod v4, Valibot, ArkType, and others. `RegisteredTool.inputSchema`, `RegisteredTool.outputSchema`, and `RegisteredPrompt.argsSchema` now use + `StandardSchemaWithJSON` (requires both `~standard.validate` and `~standard.jsonSchema`) instead of the Zod-specific `AnySchema` type. + + **Zod v4 schemas continue to work unchanged** — Zod v4 implements the required interfaces natively. + + ```typescript + import { type } from 'arktype'; + + server.registerTool( + 'greet', + { + inputSchema: type({ name: 'string' }) + }, + async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] }) + ); + ``` + + For raw JSON Schema (e.g. TypeBox output), use the new `fromJsonSchema` adapter: + + ```typescript + import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core'; + + server.registerTool( + 'greet', + { + inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator()) + }, + handler + ); + ``` + + **Breaking changes:** + - `experimental.tasks.getTaskResult()` no longer accepts a `resultSchema` parameter. Returns `GetTaskPayloadResult` (a loose `Result`); cast to the expected type at the call site. + - Removed unused exports from `@modelcontextprotocol/core`: `SchemaInput`, `schemaToJson`, `parseSchemaAsync`, `getSchemaShape`, `getSchemaDescription`, `isOptionalSchema`, `unwrapOptionalSchema`. Use the new `standardSchemaToJsonSchema` and `validateStandardSchema` instead. + - `completable()` remains Zod-specific (it relies on Zod's `.shape` introspection). + +- [#1710](https://github.com/modelcontextprotocol/typescript-sdk/pull/1710) [`e563e63`](https://github.com/modelcontextprotocol/typescript-sdk/commit/e563e63bd2b3c2c1d1137406bef3f842c946201e) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Add `AuthProvider` for + composable bearer-token auth; transports adapt `OAuthClientProvider` automatically + - New `AuthProvider` interface: `{ token(): Promise; onUnauthorized?(ctx): Promise }`. Transports call `token()` before every request and `onUnauthorized()` on 401 (then retry once). + - Transport `authProvider` option now accepts `AuthProvider | OAuthClientProvider`. OAuth providers are adapted internally via `adaptOAuthProvider()` — no changes needed to existing `OAuthClientProvider` implementations. + - For simple bearer tokens (API keys, gateway-managed tokens, service accounts): `{ authProvider: { token: async () => myKey } }` — one-line object literal, no class. + - New `adaptOAuthProvider(provider)` export for explicit adaptation. + - New `handleOAuthUnauthorized(provider, ctx)` helper — the standard OAuth `onUnauthorized` behavior. + - New `isOAuthClientProvider()` type guard. + - New `UnauthorizedContext` type. + - Exported previously-internal auth helpers for building custom flows: `applyBasicAuth`, `applyPostAuth`, `applyPublicAuth`, `executeTokenRequest`. + + Transports are simplified internally — ~50 lines of inline OAuth orchestration (auth() calls, WWW-Authenticate parsing, circuit-breaker state) moved into the adapter's `onUnauthorized()` implementation. `OAuthClientProvider` itself is unchanged. + +- [#1614](https://github.com/modelcontextprotocol/typescript-sdk/pull/1614) [`1a78b01`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1a78b0138f1f3432968e53e810bac7929833eda2) Thanks [@pcarleton](https://github.com/pcarleton)! - Apply resolved scope consistently + to both DCR and the authorization URL (SEP-835) + + When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request + body, ensuring both use a consistent value. + - `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body. + - `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request. + +### Patch Changes + +- [#1343](https://github.com/modelcontextprotocol/typescript-sdk/pull/1343) [`4b5fdcb`](https://github.com/modelcontextprotocol/typescript-sdk/commit/4b5fdcba02c20f26d8b0f07acc87248288522842) Thanks [@christso](https://github.com/christso)! - Fix OAuth error handling for servers + returning errors with HTTP 200 status + + Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages. + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1386](https://github.com/modelcontextprotocol/typescript-sdk/pull/1386) [`00249ce`](https://github.com/modelcontextprotocol/typescript-sdk/commit/00249ce86dac558fb1089aea46d4d6d14e9a56c6) Thanks [@PederHP](https://github.com/PederHP)! - Respect capability negotiation in list + methods by returning empty lists when server lacks capability + + The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability: + - `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability + - `listResources()` returns `{ resources: [] }` if server lacks resources capability + - `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability + - `listTools()` returns `{ tools: [] }` if server lacks tools capability + + This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`. + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1595](https://github.com/modelcontextprotocol/typescript-sdk/pull/1595) [`13a0d34`](https://github.com/modelcontextprotocol/typescript-sdk/commit/13a0d345c0b88bf73264c41a793bf0ad44cfa620) Thanks [@bhosmer-ant](https://github.com/bhosmer-ant)! - Don't swallow fetch `TypeError` + as CORS in non-browser environments. Network errors (DNS resolution failure, connection refused, invalid URL) in Node.js and Cloudflare Workers now propagate from OAuth discovery instead of being silently misattributed to CORS and returning `undefined`. This surfaces the real + error to callers rather than masking it as "metadata not found." + +- [#1279](https://github.com/modelcontextprotocol/typescript-sdk/pull/1279) [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - Initial 2.0.0-alpha.0 + client and server package diff --git a/packages/client/package.json b/packages/client/package.json index e205903b82..f1c6fc0eec 100644 --- a/packages/client/package.json +++ b/packages/client/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/client", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Client package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md new file mode 100644 index 0000000000..04d733ff74 --- /dev/null +++ b/packages/core/CHANGELOG.md @@ -0,0 +1,78 @@ +# @modelcontextprotocol/core + +## 2.0.0 + +### Minor Changes + +- [#1673](https://github.com/modelcontextprotocol/typescript-sdk/pull/1673) [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - refactor: extract task + orchestration from Protocol into TaskManager + + **Breaking changes:** + - `taskStore`, `taskMessageQueue`, `defaultTaskPollInterval`, and `maxTaskQueueSize` moved from `ProtocolOptions` to `capabilities.tasks` on `ClientOptions`/`ServerOptions` + +- [#1389](https://github.com/modelcontextprotocol/typescript-sdk/pull/1389) [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51) Thanks [@DePasqualeOrg](https://github.com/DePasqualeOrg)! - Fix error handling for + unknown tools and resources per MCP spec. + + **Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. Callers who checked `result.isError` for unknown tools should catch rejected promises instead. + + **Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) instead of `-32602` (InvalidParams). + + Added `ProtocolErrorCode.ResourceNotFound`. + +- [#1689](https://github.com/modelcontextprotocol/typescript-sdk/pull/1689) [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Support Standard Schema + for tool and prompt schemas + + Tool and prompt registration now accepts any schema library that implements the [Standard Schema spec](https://standardschema.dev/): Zod v4, Valibot, ArkType, and others. `RegisteredTool.inputSchema`, `RegisteredTool.outputSchema`, and `RegisteredPrompt.argsSchema` now use + `StandardSchemaWithJSON` (requires both `~standard.validate` and `~standard.jsonSchema`) instead of the Zod-specific `AnySchema` type. + + **Zod v4 schemas continue to work unchanged** — Zod v4 implements the required interfaces natively. + + ```typescript + import { type } from 'arktype'; + + server.registerTool( + 'greet', + { + inputSchema: type({ name: 'string' }) + }, + async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] }) + ); + ``` + + For raw JSON Schema (e.g. TypeBox output), use the new `fromJsonSchema` adapter: + + ```typescript + import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core'; + + server.registerTool( + 'greet', + { + inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator()) + }, + handler + ); + ``` + + **Breaking changes:** + - `experimental.tasks.getTaskResult()` no longer accepts a `resultSchema` parameter. Returns `GetTaskPayloadResult` (a loose `Result`); cast to the expected type at the call site. + - Removed unused exports from `@modelcontextprotocol/core`: `SchemaInput`, `schemaToJson`, `parseSchemaAsync`, `getSchemaShape`, `getSchemaDescription`, `isOptionalSchema`, `unwrapOptionalSchema`. Use the new `standardSchemaToJsonSchema` and `validateStandardSchema` instead. + - `completable()` remains Zod-specific (it relies on Zod's `.shape` introspection). + +### Patch Changes + +- [#1363](https://github.com/modelcontextprotocol/typescript-sdk/pull/1363) [`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4) Thanks [@DevJanderson](https://github.com/DevJanderson)! - Fix ReDoS vulnerability in + UriTemplate regex patterns (CVE-2026-0621) + +- [#1486](https://github.com/modelcontextprotocol/typescript-sdk/pull/1486) [`65bbcea`](https://github.com/modelcontextprotocol/typescript-sdk/commit/65bbceab773277f056a9d3e385e7e7d8cef54f9b) Thanks [@localden](https://github.com/localden)! - Fix InMemoryTaskStore to enforce + session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes. + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal diff --git a/packages/core/package.json b/packages/core/package.json index 6f0c703a53..9658feefed 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/core", "private": true, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Core package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/express/CHANGELOG.md b/packages/middleware/express/CHANGELOG.md new file mode 100644 index 0000000000..917319c4dd --- /dev/null +++ b/packages/middleware/express/CHANGELOG.md @@ -0,0 +1,22 @@ +# @modelcontextprotocol/express + +## 2.0.0 + +### Patch Changes + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1625](https://github.com/modelcontextprotocol/typescript-sdk/pull/1625) [`1fe9eda`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1fe9eda4a712a5f3a3ba11561e723ec7e6cf5a5b) Thanks [@rameshreddy-adutla](https://github.com/rameshreddy-adutla)! - Add jsonLimit + option to createMcpExpressApp + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e), [`78bae74`](https://github.com/modelcontextprotocol/typescript-sdk/commit/78bae7426d4ca38216c0571b5aa7806f58ab81e4), + [`f1ade75`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f1ade75b67a2b46b06316fa4e5caa1d277537cc7), [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8), + [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/express/package.json b/packages/middleware/express/package.json index 10805588a4..0e2665eb8b 100644 --- a/packages/middleware/express/package.json +++ b/packages/middleware/express/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/express", "private": false, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Express adapters for the Model Context Protocol TypeScript server SDK - Express middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/hono/CHANGELOG.md b/packages/middleware/hono/CHANGELOG.md new file mode 100644 index 0000000000..82d90add36 --- /dev/null +++ b/packages/middleware/hono/CHANGELOG.md @@ -0,0 +1,19 @@ +# @modelcontextprotocol/hono + +## 2.0.0 + +### Patch Changes + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e), [`78bae74`](https://github.com/modelcontextprotocol/typescript-sdk/commit/78bae7426d4ca38216c0571b5aa7806f58ab81e4), + [`f1ade75`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f1ade75b67a2b46b06316fa4e5caa1d277537cc7), [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8), + [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/hono/package.json b/packages/middleware/hono/package.json index 262828d229..50e020e174 100644 --- a/packages/middleware/hono/package.json +++ b/packages/middleware/hono/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/hono", "private": false, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Hono adapters for the Model Context Protocol TypeScript server SDK - Hono middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/middleware/node/CHANGELOG.md b/packages/middleware/node/CHANGELOG.md new file mode 100644 index 0000000000..b833e672a5 --- /dev/null +++ b/packages/middleware/node/CHANGELOG.md @@ -0,0 +1,31 @@ +# @modelcontextprotocol/node + +## 2.0.0 + +### Patch Changes + +- [#1504](https://github.com/modelcontextprotocol/typescript-sdk/pull/1504) [`327243c`](https://github.com/modelcontextprotocol/typescript-sdk/commit/327243cebd96e07686c88f7fa9ca22a5a7a7993d) Thanks [@corvid-agent](https://github.com/corvid-agent)! - Add missing `hono` peer + dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself. + +- [#1410](https://github.com/modelcontextprotocol/typescript-sdk/pull/1410) [`9296459`](https://github.com/modelcontextprotocol/typescript-sdk/commit/9296459ac006546499f6b4105ffc528b8c212d88) Thanks [@mattzcarey](https://github.com/mattzcarey)! - Prevent Hono from overriding + global Response object by passing `overrideGlobalObjects: false` to `getRequestListener()`. This fixes compatibility with frameworks like Next.js whose response classes extend the native Response. + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal + +- Updated dependencies [[`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4), [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e), + [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e), [`78bae74`](https://github.com/modelcontextprotocol/typescript-sdk/commit/78bae7426d4ca38216c0571b5aa7806f58ab81e4), + [`f1ade75`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f1ade75b67a2b46b06316fa4e5caa1d277537cc7), [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5), + [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e), + [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a), [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8), + [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac)]: + - @modelcontextprotocol/server@2.0.0 diff --git a/packages/middleware/node/package.json b/packages/middleware/node/package.json index c13e49646b..0ba35e6d60 100644 --- a/packages/middleware/node/package.json +++ b/packages/middleware/node/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/node", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Node.js middleware", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/packages/server/CHANGELOG.md b/packages/server/CHANGELOG.md new file mode 100644 index 0000000000..78897febac --- /dev/null +++ b/packages/server/CHANGELOG.md @@ -0,0 +1,93 @@ +# @modelcontextprotocol/server + +## 2.0.0 + +### Major Changes + +- [#1389](https://github.com/modelcontextprotocol/typescript-sdk/pull/1389) [`108f2f3`](https://github.com/modelcontextprotocol/typescript-sdk/commit/108f2f3ab6a1267587c7c4f900b6eca3cc2dae51) Thanks [@DePasqualeOrg](https://github.com/DePasqualeOrg)! - Fix error handling for + unknown tools and resources per MCP spec. + + **Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`. Callers who checked `result.isError` for unknown tools should catch rejected promises instead. + + **Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound) instead of `-32602` (InvalidParams). + + Added `ProtocolErrorCode.ResourceNotFound`. + +### Minor Changes + +- [#1673](https://github.com/modelcontextprotocol/typescript-sdk/pull/1673) [`462c3fc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/462c3fc47dffac908d2ba27784d47ff010fa065e) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - refactor: extract task + orchestration from Protocol into TaskManager + + **Breaking changes:** + - `taskStore`, `taskMessageQueue`, `defaultTaskPollInterval`, and `maxTaskQueueSize` moved from `ProtocolOptions` to `capabilities.tasks` on `ClientOptions`/`ServerOptions` + +- [#1689](https://github.com/modelcontextprotocol/typescript-sdk/pull/1689) [`0784be1`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0784be1a67fb3cc2aba0182d88151264f4ea73c8) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Support Standard Schema + for tool and prompt schemas + + Tool and prompt registration now accepts any schema library that implements the [Standard Schema spec](https://standardschema.dev/): Zod v4, Valibot, ArkType, and others. `RegisteredTool.inputSchema`, `RegisteredTool.outputSchema`, and `RegisteredPrompt.argsSchema` now use + `StandardSchemaWithJSON` (requires both `~standard.validate` and `~standard.jsonSchema`) instead of the Zod-specific `AnySchema` type. + + **Zod v4 schemas continue to work unchanged** — Zod v4 implements the required interfaces natively. + + ```typescript + import { type } from 'arktype'; + + server.registerTool( + 'greet', + { + inputSchema: type({ name: 'string' }) + }, + async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] }) + ); + ``` + + For raw JSON Schema (e.g. TypeBox output), use the new `fromJsonSchema` adapter: + + ```typescript + import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core'; + + server.registerTool( + 'greet', + { + inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator()) + }, + handler + ); + ``` + + **Breaking changes:** + - `experimental.tasks.getTaskResult()` no longer accepts a `resultSchema` parameter. Returns `GetTaskPayloadResult` (a loose `Result`); cast to the expected type at the call site. + - Removed unused exports from `@modelcontextprotocol/core`: `SchemaInput`, `schemaToJson`, `parseSchemaAsync`, `getSchemaShape`, `getSchemaDescription`, `isOptionalSchema`, `unwrapOptionalSchema`. Use the new `standardSchemaToJsonSchema` and `validateStandardSchema` instead. + - `completable()` remains Zod-specific (it relies on Zod's `.shape` introspection). + +### Patch Changes + +- [#1363](https://github.com/modelcontextprotocol/typescript-sdk/pull/1363) [`0a75810`](https://github.com/modelcontextprotocol/typescript-sdk/commit/0a75810b26e24bae6b9cfb41e12ac770aeaa1da4) Thanks [@DevJanderson](https://github.com/DevJanderson)! - Fix ReDoS vulnerability in + UriTemplate regex patterns (CVE-2026-0621) + +- [#1372](https://github.com/modelcontextprotocol/typescript-sdk/pull/1372) [`3466a9e`](https://github.com/modelcontextprotocol/typescript-sdk/commit/3466a9e0e5d392824156d9b290863ae08192d87e) Thanks [@mattzcarey](https://github.com/mattzcarey)! - missing change for fix(client): + replace body.cancel() with text() to prevent hanging + +- [#1433](https://github.com/modelcontextprotocol/typescript-sdk/pull/1433) [`78bae74`](https://github.com/modelcontextprotocol/typescript-sdk/commit/78bae7426d4ca38216c0571b5aa7806f58ab81e4) Thanks [@codewithkenzo](https://github.com/codewithkenzo)! - Fix transport errors being + silently swallowed by adding missing `onerror` callback invocations before all `createJsonErrorResponse` calls in `WebStandardStreamableHTTPServerTransport`. This ensures errors like parse failures, invalid headers, and session validation errors are properly reported via the + `onerror` callback. + +- [#1568](https://github.com/modelcontextprotocol/typescript-sdk/pull/1568) [`f1ade75`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f1ade75b67a2b46b06316fa4e5caa1d277537cc7) Thanks [@stakeswky](https://github.com/stakeswky)! - Handle stdout errors (e.g. EPIPE) + in `StdioServerTransport` gracefully instead of crashing. When the client disconnects abruptly, the transport now catches the stdout error, surfaces it via `onerror`, and closes. + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1388](https://github.com/modelcontextprotocol/typescript-sdk/pull/1388) [`f66a55b`](https://github.com/modelcontextprotocol/typescript-sdk/commit/f66a55b5f4eb7ce0f8b3885633bf9a7b1080e0b5) Thanks [@mattzcarey](https://github.com/mattzcarey)! - reverting application/json in + notifications + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - remove npm references, use pnpm + +- [#1534](https://github.com/modelcontextprotocol/typescript-sdk/pull/1534) [`69a0626`](https://github.com/modelcontextprotocol/typescript-sdk/commit/69a062693f61e024d7a366db0c3e3ba74ff59d8e) Thanks [@josefaidt](https://github.com/josefaidt)! - clean up package manager usage, all + pnpm + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal + +- [#1279](https://github.com/modelcontextprotocol/typescript-sdk/pull/1279) [`71ae3ac`](https://github.com/modelcontextprotocol/typescript-sdk/commit/71ae3acee0203a1023817e3bffcd172d0966d2ac) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - Initial 2.0.0-alpha.0 + client and server package diff --git a/packages/server/package.json b/packages/server/package.json index 92eab267da..ed078d282d 100644 --- a/packages/server/package.json +++ b/packages/server/package.json @@ -1,6 +1,6 @@ { "name": "@modelcontextprotocol/server", - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript - Server package", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)", diff --git a/test/integration/CHANGELOG.md b/test/integration/CHANGELOG.md new file mode 100644 index 0000000000..c1bb300e12 --- /dev/null +++ b/test/integration/CHANGELOG.md @@ -0,0 +1,11 @@ +# @modelcontextprotocol/test-integration + +## 2.0.0 + +### Patch Changes + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - remove deprecated .tool, + .prompt, .resource method signatures + +- [#1419](https://github.com/modelcontextprotocol/typescript-sdk/pull/1419) [`dcf708d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/dcf708d892b7ca5f137c74109d42cdeb05e2ee3a) Thanks [@KKonstantinov](https://github.com/KKonstantinov)! - deprecated .tool, .prompt, + .resource method removal diff --git a/test/integration/package.json b/test/integration/package.json index 49075d7c7a..bf45321f60 100644 --- a/test/integration/package.json +++ b/test/integration/package.json @@ -1,7 +1,7 @@ { "name": "@modelcontextprotocol/test-integration", "private": true, - "version": "2.0.0-alpha.0", + "version": "2.0.0", "description": "Model Context Protocol implementation for TypeScript", "license": "MIT", "author": "Anthropic, PBC (https://anthropic.com)",