modelcontextprotocol
diff --git a/‎.changeset/busy-weeks-hang.md‎
Lines changed: 6 additions & 0 deletions b/‎.changeset/busy-weeks-hang.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.changeset/cyan-cycles-pump.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/cyan-cycles-pump.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.changeset/strong-hairs-study.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/strong-hairs-study.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/conformance.yml‎
Lines changed: 29 additions & 0 deletions b/‎.github/workflows/conformance.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/release-v1x.yml‎
Lines changed: 105 additions & 0 deletions b/‎.github/workflows/release-v1x.yml‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 42 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 8 additions & 2 deletions b/‎package.json‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎packages/client/src/client/auth.ts‎
Lines changed: 5 additions & 5 deletions b/‎packages/client/src/client/auth.ts‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎packages/client/src/client/sse.ts‎
Lines changed: 2 additions & 2 deletions b/‎packages/client/src/client/sse.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/client/src/client/streamableHttp.ts‎
Lines changed: 6 additions & 6 deletions b/‎packages/client/src/client/streamableHttp.ts‎
Lines changed: 6 additions & 6 deletions
@@ -0,0 +1,6 @@
+---
+'@modelcontextprotocol/core': patch
+'@modelcontextprotocol/server': patch
+---
+
+Fix ReDoS vulnerability in UriTemplate regex patterns (CVE-2026-0621)
@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/server': patch
+---
+
+missing change for fix(client): replace body.cancel() with text() to prevent hanging
@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/server': patch
+---
+
+add application/json header for notifications
@@ -0,0 +1,29 @@
+name: Conformance Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  client-conformance:
+    runs-on: ubuntu-latest
+    continue-on-error: true  # Non-blocking initially
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+      - run: pnpm install
+      - run: pnpm run build:all
+      - run: pnpm run test:conformance:client:all
@@ -0,0 +1,105 @@
+# Publish v1.x releases when a v1.* tag is pushed
+# This allows releasing from the v1.x branch without switching GitHub's default branch
+#
+# Automatic (latest v1.x):
+#   git checkout v1.x
+#   npm version patch  # bumps version and creates tag
+#   git push origin v1.x --tags
+#
+# Manual (for older minor versions like v1.23.x):
+#   1. Create a release branch: git checkout -b release/1.23 v1.23.1
+#   2. Apply your fixes
+#   3. Bump version: npm version patch  # creates v1.23.2 tag
+#   4. Push: git push origin release/1.23 --tags
+#   5. Run this workflow manually from GitHub Actions, specifying the tag
+#
+# The workflow will automatically build, test, and publish to npm.
+
+name: Publish v1.x
+
+on:
+    push:
+        tags:
+            - 'v1.*'
+    workflow_dispatch:
+        inputs:
+            ref:
+                description: 'Git ref to release (tag, e.g., v1.23.2)'
+                required: true
+                type: string
+
+permissions:
+    contents: read
+
+concurrency: ${{ github.workflow }}-${{ inputs.ref || github.ref }}
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  ref: ${{ inputs.ref || github.ref }}
+            - uses: actions/setup-node@v4
+              with:
+                  node-version: 24
+                  cache: npm
+
+            - run: npm ci
+            - run: npm run check
+            - run: npm run build
+
+    test:
+        runs-on: ubuntu-latest
+        strategy:
+            fail-fast: false
+            matrix:
+                node-version: [18, 24]
+
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  ref: ${{ inputs.ref || github.ref }}
+            - uses: actions/setup-node@v4
+              with:
+                  node-version: ${{ matrix.node-version }}
+                  cache: npm
+
+            - run: npm ci
+            - run: npm test
+
+    publish:
+        runs-on: ubuntu-latest
+        needs: [build, test]
+        environment: release
+
+        permissions:
+            contents: read
+            id-token: write
+
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  ref: ${{ inputs.ref || github.ref }}
+            - uses: actions/setup-node@v4
+              with:
+                  node-version: 24
+                  cache: npm
+                  registry-url: 'https://registry.npmjs.org'
+
+            - run: npm ci
+
+            - name: Determine npm tag
+              id: npm-tag
+              run: |
+                  VERSION=$(node -p "require('./package.json').version")
+                  # Use "release-X.Y" as tag for v1.x releases
+                  # This allows users to install specific minor versions:
+                  #   npm install @modelcontextprotocol/sdk@release-1.25
+                  MAJOR_MINOR=$(echo "$VERSION" | cut -d. -f1,2)
+                  echo "tag=release-${MAJOR_MINOR}" >> $GITHUB_OUTPUT
+
+            - run: npm publish --provenance --access public --tag ${{ steps.npm-tag.outputs.tag }}
+              env:
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -60,6 +60,48 @@ pnpm --filter @modelcontextprotocol/examples-server exec tsx src/simpleStreamabl
 pnpm --filter @modelcontextprotocol/examples-client exec tsx src/simpleStreamableHttp.ts
 ```
 
+## Releasing v1.x Patches
+
+The `v1.x` branch contains the stable v1 release. To release a patch:
+
+### Latest v1.x (e.g., v1.25.3)
+
+```bash
+git checkout v1.x
+git pull origin v1.x
+# Apply your fix or cherry-pick commits
+npm version patch      # Bumps version and creates tag (e.g., v1.25.3)
+git push origin v1.x --tags
+```
+
+The tag push automatically triggers the release workflow.
+
+### Older minor versions (e.g., v1.23.2)
+
+For patching older minor versions that aren't on the `v1.x` branch:
+
+```bash
+# 1. Create a release branch from the last release tag
+git checkout -b release/1.23 v1.23.1
+
+# 2. Apply your fixes (cherry-pick or manual)
+git cherry-pick <commit-hash>
+
+# 3. Bump version and push
+npm version patch      # Creates v1.23.2 tag
+git push origin release/1.23 --tags
+```
+
+Then manually trigger the "Publish v1.x" workflow from [GitHub Actions](https://github.com/modelcontextprotocol/typescript-sdk/actions/workflows/release-v1x.yml), specifying the tag (e.g., `v1.23.2`).
+
+### npm Tags
+
+v1.x releases are published with `release-X.Y` npm tags (e.g., `release-1.25`), not `latest`. To install a specific minor version:
+
+```bash
+npm install @modelcontextprotocol/sdk@release-1.25
+```
+
 ## Code of Conduct
 
 This project follows our [Code of Conduct](CODE_OF_CONDUCT.md). Please review it before contributing.
 
@@ -29,13 +29,18 @@
         "lint:all": "pnpm -r lint",
         "lint:fix:all": "pnpm -r lint:fix",
         "check:all": "pnpm -r typecheck && pnpm -r lint",
-        "test:all": "pnpm -r test"
+        "test:all": "pnpm -r test",
+        "test:conformance:client": "conformance client --command 'npx tsx src/conformance/everything-client.ts'",
+        "test:conformance:client:all": "conformance client --command 'npx tsx src/conformance/everything-client.ts' --suite all",
+        "test:conformance:client:run": "npx tsx src/conformance/everything-client.ts"
     },
     "devDependencies": {
         "@cfworker/json-schema": "catalog:runtimeShared",
         "@changesets/changelog-github": "^0.5.2",
         "@changesets/cli": "^2.29.8",
         "@eslint/js": "catalog:devTools",
+        "@modelcontextprotocol/client": "workspace:^",
+        "@modelcontextprotocol/conformance": "0.1.9",
         "@types/content-type": "catalog:devTools",
         "@types/cors": "catalog:devTools",
         "@types/cross-spawn": "catalog:devTools",
@@ -56,7 +61,8 @@
         "typescript": "catalog:devTools",
         "typescript-eslint": "catalog:devTools",
         "vitest": "catalog:devTools",
-        "ws": "catalog:devTools"
+        "ws": "catalog:devTools",
+        "zod": "catalog:runtimeShared"
     },
     "resolutions": {
         "strip-ansi": "6.0.1"
 
@@ -670,12 +670,12 @@ export async function discoverOAuthProtectedResourceMetadata(
     });
 
     if (!response || response.status === 404) {
-        await response?.body?.cancel();
+        await response?.text?.().catch(() => {});
         throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
     }
 
     if (!response.ok) {
-        await response.body?.cancel();
+        await response.text?.().catch(() => {});
         throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);
     }
     return OAuthProtectedResourceMetadataSchema.parse(await response.json());
@@ -803,12 +803,12 @@ export async function discoverOAuthMetadata(
     });
 
     if (!response || response.status === 404) {
-        await response?.body?.cancel();
+        await response?.text?.().catch(() => {});
         return undefined;
     }
 
     if (!response.ok) {
-        await response.body?.cancel();
+        await response.text?.().catch(() => {});
         throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
     }
 
@@ -918,7 +918,7 @@ export async function discoverAuthorizationServerMetadata(
         }
 
         if (!response.ok) {
-            await response.body?.cancel();
+            await response.text?.().catch(() => {});
             // Continue looking for any 4xx response code.
             if (response.status >= 400 && response.status < 500) {
                 continue; // Try next URL
 
@@ -260,7 +260,7 @@ export class SSEClientTransport implements Transport {
 
             const response = await (this._fetch ?? fetch)(this._endpoint, init);
             if (!response.ok) {
-                const text = await response.text().catch(() => null);
+                const text = await response.text?.().catch(() => null);
 
                 if (response.status === 401 && this._authProvider) {
                     const { resourceMetadataUrl, scope } = extractWWWAuthenticateParams(response);
@@ -285,7 +285,7 @@ export class SSEClientTransport implements Transport {
             }
 
             // Release connection - POST responses don't have content we need
-            await response.body?.cancel();
+            await response.text?.().catch(() => {});
         } catch (error) {
             this.onerror?.(error as Error);
             throw error;
 
@@ -235,7 +235,7 @@ export class StreamableHTTPClientTransport implements Transport {
             });
 
             if (!response.ok) {
-                await response.body?.cancel();
+                await response.text?.().catch(() => {});
 
                 if (response.status === 401 && this._authProvider) {
                     // Need to authenticate
@@ -495,7 +495,7 @@ export class StreamableHTTPClientTransport implements Transport {
             }
 
             if (!response.ok) {
-                const text = await response.text().catch(() => null);
+                const text = await response.text?.().catch(() => null);
 
                 if (response.status === 401 && this._authProvider) {
                     // Prevent infinite recursion when server returns 401 after successful auth
@@ -568,7 +568,7 @@ export class StreamableHTTPClientTransport implements Transport {
 
             // If the response is 202 Accepted, there's no body to process
             if (response.status === 202) {
-                await response.body?.cancel();
+                await response.text?.().catch(() => {});
                 // if the accepted notification is initialized, we start the SSE stream
                 // if it's supported by the server
                 if (isInitializedNotification(message)) {
@@ -603,12 +603,12 @@ export class StreamableHTTPClientTransport implements Transport {
                         this.onmessage?.(msg);
                     }
                 } else {
-                    await response.body?.cancel();
+                    await response.text?.().catch(() => {});
                     throw new StreamableHTTPError(-1, `Unexpected content type: ${contentType}`);
                 }
             } else {
                 // No requests in message but got 200 OK - still need to release connection
-                await response.body?.cancel();
+                await response.text?.().catch(() => {});
             }
         } catch (error) {
             this.onerror?.(error as Error);
@@ -647,7 +647,7 @@ export class StreamableHTTPClientTransport implements Transport {
             };
 
             const response = await (this._fetch ?? fetch)(this._url, init);
-            await response.body?.cancel();
+            await response.text?.().catch(() => {});
 
             // We specifically handle 405 as a valid response according to the spec,
             // meaning the server does not support explicit session termination
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@modelcontextprotocol/server': patch
 +---
++
 +missing change for fix(client): replace body.cancel() with text() to prevent hanging