server: add maxBodyBytes guard to WebStandardStreamableHTTPServerTransport

[TheodorNEngoy]

WebStandardStreamableHTTPServerTransport currently falls back to await req.json() when parsedBody is not provided, which reads the full request body with no size guard.

This PR adds a maxBodyBytes option (default: 1_000_000) and enforces it while parsing application/json request bodies, returning a JSON-RPC error with HTTP 413 when exceeded.

• Uses streaming reads via req.body.getReader() when available
• Allows disabling the limit by setting maxBodyBytes to 0/Infinity
• Includes tests + changeset for @modelcontextprotocol/server

[changeset-bot]

🦋 Changeset detected

Latest commit: 637b932

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages

Name	Type
@modelcontextprotocol/server	Patch
@modelcontextprotocol/express	Patch
@modelcontextprotocol/hono	Patch
@modelcontextprotocol/node	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1496

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1496

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1496

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1496

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1496

commit: 637b932

[felixweinberger]

What prompted this PR, is this an issue you actually ran into?

[km-anthropic]

@claude review