Skip to content

Version Packages (alpha) #1845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
github-actions wants to merge 1 commit into
base: main
Choose a base branch
from
+39 −4
Open

Version Packages (alpha) #1845

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .changeset/pre.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,16 @@
"fix-session-status-codes",
"fix-stdio-epipe-crash",
"fix-stdio-windows-hide",
"fix-streamable-close-reentrant",
"fix-streamable-http-error-response",
"fix-task-session-isolation",
"fix-transport-exact-optional-property-types",
"fix-unknown-tool-protocol-error",
"fix-validate-client-metadata-url",
"funky-baths-attack",
"heavy-walls-swim",
"oauth-error-http200",
"odd-forks-enjoy",
"quick-islands-occur",
"reconnection-scheduler",
"remove-websocket-transport",
Expand All @@ -63,6 +66,7 @@
"tender-snails-fold",
"token-provider-composable-auth",
"twelve-dodos-taste",
"use-scopes-supported-in-dcr"
"use-scopes-supported-in-dcr",
"zod-json-schema-compat"
]
}
17 changes: 17 additions & 0 deletions packages/client/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,22 @@
# @modelcontextprotocol/client

## 2.0.0-alpha.3

### Minor Changes

- [#1653](https://github.com/modelcontextprotocol/typescript-sdk/pull/1653) [`6bec24a`](https://github.com/modelcontextprotocol/typescript-sdk/commit/6bec24a14cb7e3dbe9f5e04aeb893cd0d6e8cb83) Thanks [@rechedev9](https://github.com/rechedev9)! - Add `validateClientMetadataUrl()`
utility for early validation of `clientMetadataUrl`

Exports a `validateClientMetadataUrl()` function that `OAuthClientProvider` implementations can call in their constructors to fail fast on invalid URL-based client IDs, instead of discovering the error deep in the auth flow.

Check warning on line 10 in packages/client/CHANGELOG.md

View check run for this annotation

Claude / Claude Code Review

CfWorkerJsonSchemaValidator removed from package root without breaking-change CHANGELOG entry 

PR #1843 didn't just *add* the `./validators/cf-worker` sub-path (as comment 3068107615 frames it) — it also **removed** `CfWorkerJsonSchemaValidator` from the package-root export of both `@modelcontextprotocol/client` and `@modelcontextprotocol/server`, so `import { CfWorkerJsonSchemaValidator } from '@modelcontextprotocol/server'` compiles in alpha.2 and fails in alpha.3. When adding the #1843 CHANGELOG entry, please word it as a breaking change (e.g. "**Breaking:** `CfWorkerJsonSchemaValidato
Comment on lines +3 to +10
Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 PR #1875 (commit 9ed62fe) added a public claims?: Record<string, unknown> option to PrivateKeyJwtProviderOptions but landed without a changeset, so this user-facing feature is absent from the @modelcontextprotocol/client alpha.3 CHANGELOG even though it ships in this release. Either land a changeset on main and let the bot regenerate this PR, or manually add a Minor-change entry crediting #1875 under 2.0.0-alpha.3 before merging.

Extended reasoning...

PR #1875 custom-claims feature absent from alpha.3 CHANGELOG

What the bug is and how it manifests

PR #1875 (commit 9ed62fe, merged 2026-04-14 — after the most recent bot review at 10:29 UTC) added a new public claims?: Record<string, unknown> option to PrivateKeyJwtProviderOptions, letting callers inject custom JWT claims into the private_key_jwt client-assertion flow. PrivateKeyJwtProvider and PrivateKeyJwtProviderOptions are both re-exported from packages/client/src/index.ts (lines ~45–53), so this is a user-facing public-API addition. However, the commit touched only packages/client/src/client/authExtensions.ts and its test file — it created no .changeset/*.md file. As a result, the Changesets action generated no CHANGELOG entry for it.

The specific code path

The Version Packages commit 91dceb0 (this PR's HEAD) sits directly on top of 9ed62fe in git log, so the claims option WILL be published as part of @modelcontextprotocol/client@2.0.0-alpha.3. Yet .changeset/pre.json in this PR adds only four new slugs (fix-streamable-close-reentrant, fix-validate-client-metadata-url, odd-forks-enjoy, zod-json-schema-compat) — none corresponding to #1875 — and packages/client/CHANGELOG.md lines 3–19 list only #1653 and #1655 under the alpha.3 section.

Why existing checks don't catch it

There is no CI gate that diffs the set of merged commits against the set of changeset slugs. Changesets faithfully renders whatever .changeset/*.md files exist; commits that should have included one but did not pass through silently. This is the same root cause already flagged on this PR for #1842 (guard methods) and #1843 (CF Workers validator), but those comments do not cover #1875, which landed afterward.

Impact

Documentation-only: the feature ships and works, but alpha users reading the npm release notes for client@2.0.0-alpha.3 have no way to discover that PrivateKeyJwtProvider now accepts custom claims. Alpha users actively track release notes to find new APIs, so undocumented additions reduce the value of the alpha program.

Step-by-step proof

  1. git show 9ed62fe --stat → only packages/client/src/client/authExtensions.ts and packages/client/src/client/authExtensions.test.ts changed.
  2. git show 9ed62fe -- .changeset/ → empty; no changeset file added.
  3. git log --oneline -2 91dceb091dceb0 Version Packages (alpha) followed by 9ed62fe feat(client): support custom claims in PrivateKeyJwtProvider (#1875)9ed62fe is an ancestor of this release.
  4. grep -r "claims\|1875\|PrivateKeyJwt" .changeset/ → no matches.
  5. packages/client/CHANGELOG.md lines 3–19 (alpha.3 section): only fix: validate clientMetadataUrl at construction time (fail-fast) #1653 and fix(client): preserve custom Accept headers in StreamableHTTPClientTransport #1655 listed; no mention of claims / PrivateKeyJwtProvider / feat(client): support custom claims in PrivateKeyJwtProvider #1875.

How to fix

Preferred: land a minor changeset on main targeting @modelcontextprotocol/client and let the Changesets bot regenerate this PR. Alternatively, hand-edit packages/client/CHANGELOG.md to add under ### Minor Changes for 2.0.0-alpha.3:

- [#1875] Support custom claims in `PrivateKeyJwtProvider` via a new `claims?: Record<string, unknown>` option on `PrivateKeyJwtProviderOptions`.

Comment on lines +3 to +10
Copy link
Copy Markdown

@claude claude bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 PR #1843 didn't just add the ./validators/cf-worker sub-path (as comment 3068107615 frames it) — it also removed CfWorkerJsonSchemaValidator from the package-root export of both @modelcontextprotocol/client and @modelcontextprotocol/server, so import { CfWorkerJsonSchemaValidator } from '@modelcontextprotocol/server' compiles in alpha.2 and fails in alpha.3. When adding the #1843 CHANGELOG entry, please word it as a breaking change (e.g. "Breaking: CfWorkerJsonSchemaValidator is no longer exported from the package root — import from @modelcontextprotocol/{client,server}/validators/cf-worker instead"), not just "added new sub-path".

Extended reasoning...

What the bug is

Commit 7ba58da (PR #1843, shipping in this alpha.3 release) deleted the line export { CfWorkerJsonSchemaValidator } from '../../validators/cfWorkerProvider.js' from packages/core/src/exports/public/index.ts (it was line 140 at the alpha.2 publish commit). Because both packages/client/src/index.ts:81 and packages/server/src/index.ts:50 do export * from '@modelcontextprotocol/core/public', this removed a value export from the main entry of both published packages. The class is now reachable only via the new ./validators/cf-worker sub-path.

Neither alpha.3 CHANGELOG section mentions this. packages/client/CHANGELOG.md lists only #1653/#1655 and packages/server/CHANGELOG.md lists only #1788.

Why this is distinct from the existing #1843 comment

Inline comment 3068107615 already asks for a CHANGELOG entry for #1843, but frames it as a purely additive feature ("new ./validators/cf-worker sub-path export"). That framing is incomplete: CfWorkerJsonSchemaValidator already existed at the package root in alpha.2, and #1843 moved it. A maintainer following 3068107615 verbatim would write "Added ./validators/cf-worker sub-path" and still leave alpha.2 users with no explanation for why their existing root import stopped compiling. Per REVIEW.md → Correctness: "removed exports — flagged and justified".

Step-by-step proof

  1. git show 0021561:packages/core/src/exports/public/index.ts | grep -n CfWorker → line 140: export { CfWorkerJsonSchemaValidator } from '../../validators/cfWorkerProvider.js' (alpha.2 publish commit).
  2. git show 7ba58da -- packages/core/src/exports/public/index.ts → that line is deleted; only the type export CfWorkerSchemaDraft remains.
  3. packages/client/src/index.ts:81 and packages/server/src/index.ts:50 at HEAD still wildcard-re-export @modelcontextprotocol/core/public and add no compensating direct re-export of the class.
  4. Therefore alpha.2 user code import { CfWorkerJsonSchemaValidator } from '@modelcontextprotocol/server' (or /client) fails in alpha.3 with "has no exported member 'CfWorkerJsonSchemaValidator'".
  5. packages/client/CHANGELOG.md lines 3–19 and packages/server/CHANGELOG.md lines 3–8 (the alpha.3 sections being added in this PR) say nothing about it.

Impact

Any alpha.2 consumer who imported CfWorkerJsonSchemaValidator from the package root (the only path that existed in alpha.2) gets a compile error on upgrade with nothing in the npm release notes pointing at the cause. docs/migration.md was updated in 7ba58da to point at the sub-path, but that guide covers v1→v2, not alpha.2→alpha.3; alpha users follow the per-package CHANGELOGs.

This is filed as a nit because (a) breaking changes between alpha pre-releases are expected, (b) the actionable fix is the same one-line CHANGELOG addition already requested in 3068107615 — just with the correct "Breaking: moved" framing rather than "Added", and (c) docs/migration.md does cover the new location. The novel value is ensuring the entry is worded so alpha.2 users can find it when their import breaks.

How to fix

When adding the #1843 entry to both packages/client/CHANGELOG.md and packages/server/CHANGELOG.md under 2.0.0-alpha.3, word it as:

Breaking: CfWorkerJsonSchemaValidator is no longer exported from the package root. Import it from @modelcontextprotocol/{client,server}/validators/cf-worker instead.

rather than just "Added ./validators/cf-worker sub-path export".


### Patch Changes

- [#1655](https://github.com/modelcontextprotocol/typescript-sdk/pull/1655) [`1eb3123`](https://github.com/modelcontextprotocol/typescript-sdk/commit/1eb31236e707c4f4ab9234d87db21ab3f34bf0bc) Thanks [@nielskaspers](https://github.com/nielskaspers)! - fix(client): append custom
Accept headers to spec-required defaults in StreamableHTTPClientTransport

Comment on lines +3 to +16
Copy link
Copy Markdown

@claude claude bot Apr 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 PR #1843 (commit 7ba58da) added the ./validators/cf-worker sub-path export and CfWorkerJsonSchemaValidator to both @modelcontextprotocol/client and @modelcontextprotocol/server without including a changeset file, so the alpha.3 CHANGELOGs for both packages make no mention of this new feature. Users upgrading from alpha.2 to alpha.3 have no way to discover the new CF Workers validator integration from the release notes. Before merging, manually add a CHANGELOG entry to both packages/client/CHANGELOG.md and packages/server/CHANGELOG.md documenting the new ./validators/cf-worker export path and CfWorkerJsonSchemaValidator.

Extended reasoning...

CF Workers validator feature silently absent from alpha.3 CHANGELOG

What the bug is and how it manifests

PR #1843 (commit 7ba58da) landed two concrete, user-visible additions to both @modelcontextprotocol/client and @modelcontextprotocol/server: a new ./validators/cf-worker sub-path export (visible in both packages/client/package.json and packages/server/package.json under exports) and a CfWorkerJsonSchemaValidator class exposed through it. However, the PR author did not create a changeset file for these changes. Because Changesets generates CHANGELOG entries exclusively from changeset files, the alpha.3 CHANGELOG for both packages says nothing about this feature — the client CHANGELOG only mentions the Accept-header fix (PR #1655) and the server CHANGELOG only mentions the stack-overflow fix (PR #1788).

The specific code path

packages/client/package.json (line 28–31) and packages/server/package.json (line 28–31) both contain the "./validators/cf-worker" export entry added by commit 7ba58da. Searching .changeset/ in that commit yields zero results — the three new changeset slugs added in .changeset/pre.json (fix-streamable-close-reentrant, odd-forks-enjoy, zod-json-schema-compat) cover entirely different features. Neither the odd-forks-enjoy slug (which produced the Accept-header entry) nor any other slug mentions CF Workers.

Addressing the refutations

Two verifiers argued this is "not actionable" because the Changesets workflow can only produce entries from changeset files and the version-bump PR cannot retroactively create them. This reasoning is correct about how Changesets generates content automatically, but misses the point: CHANGELOG.md files are plain text and can be edited manually before a PR is merged. Version-bump PRs that accidentally missed changesets are routinely fixed by hand-editing the CHANGELOG before the merge/publish. Since this PR has not yet been merged, the omission is still correctable here. The workflow contract is with the automation, not with the maintainers — maintainers always retain the ability to amend the generated text.

Why existing code does not prevent it

There is no CI check that validates CHANGELOG completeness against the set of merged commits between two version tags. The Changesets action produces whatever its inputs say; it cannot detect omitted changeset files. The alpha pre-release mode does not lower the practical importance of this: the ./validators/cf-worker export is the only documented way to use CF Workers JSON schema validation, and alpha users actively track release notes to find new APIs.

Step-by-step proof

  1. Check commit 7ba58da: git show 7ba58da -- .changeset/ returns empty — no changeset file was added.
  2. Open packages/client/CHANGELOG.md lines 3–14: only one entry under 2.0.0-alpha.3, referencing PR fix(client): preserve custom Accept headers in StreamableHTTPClientTransport #1655 (Accept headers). No mention of ./validators/cf-worker or CfWorkerJsonSchemaValidator.
  3. Open packages/server/CHANGELOG.md lines 3–11: only one entry under 2.0.0-alpha.3, referencing PR fix: prevent stack overflow in transport close with re-entrancy guard #1788 (stack overflow fix). Same omission.
  4. Open packages/client/package.json lines 28–31: "./validators/cf-worker" export is present and will ship in alpha.3.
  5. A user reading the alpha.3 release notes finds no indication this export exists.

How to fix

Manually add a patch-change entry to both packages/client/CHANGELOG.md and packages/server/CHANGELOG.md under 2.0.0-alpha.3, crediting PR #1843. For example:

- [#1843](https://github.com/modelcontextprotocol/typescript-sdk/pull/1843) Add `./validators/cf-worker` sub-path export and `CfWorkerJsonSchemaValidator` for Cloudflare Workers environments. Import from `@modelcontextprotocol/client/validators/cf-worker` (or `/server/`) to use the workerd-compatible JSON Schema validator.

This is a one-time manual correction; no changeset infrastructure changes are needed.

Custom Accept headers provided via `requestInit.headers` are now appended to the spec-mandated Accept types instead of being overwritten. This ensures the required media types (`application/json, text/event-stream` for POST; `text/event-stream` for GET SSE) are always present
while allowing users to include additional types for proxy/gateway routing.

Comment on lines +15 to +19
Copy link
Copy Markdown

@claude claude bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 The CHANGELOG entry says custom Accept headers are "appended to the spec-mandated Accept types", implying spec-required types come first, but the actual implementation does the reverse: user-provided types are placed first and spec-required types are appended last. The description should be corrected to accurately reflect the ordering, e.g., "spec-mandated Accept types are appended to any custom Accept headers".

Extended reasoning...

CHANGELOG Wording Inverts Actual Accept Header Ordering

What the bug is and how it manifests

The new CHANGELOG entry (line 10) states: "Custom Accept headers provided via requestInit.headers are now appended to the spec-mandated Accept types instead of being overwritten." In standard English, "X appended to Y" means Y is the base and X is added after — so this sentence implies spec-required types come first, with user custom types added afterward.

However, the actual implementation in streamableHttp.ts does the opposite. The GET SSE path uses: [...(userAccept?.split(',').map(s => s.trim().toLowerCase()) ?? []), 'text/event-stream'] and the POST path uses [...(userAccept?.split(',') ?? []), 'application/json', 'text/event-stream']. User-provided types come first, and spec-required types are appended last.

The specific code path and why it matters

Per RFC 7231, when multiple Accept types share equal q-values, earlier entries carry higher implicit preference. So the actual behavior gives user-provided types higher preference than spec-required types. The CHANGELOG implies the opposite preference ordering. While this ordering may be intentional (user routing hints for proxies need higher preference), the documentation still misrepresents which type comes first.

Addressing the refutation

The refutation argues that user-types-first is intentional for proxy/gateway routing, that CHANGELOG entries are not formal specs, and that this is a version-bump PR. These points are valid context, but they do not resolve the wording inaccuracy. The key claim in the CHANGELOG — that spec-required types are always present — is correct, but the described ordering is backwards. The fix is a one-line wording update, not a code change. Since this CHANGELOG entry appears in this PR's diff, this is the appropriate place to catch it.

Step-by-step proof of the discrepancy

  1. User sets requestInit.headers = { Accept: 'application/vnd.proxy-hint' }
  2. Code computes types = ['application/vnd.proxy-hint', 'text/event-stream']
  3. Final header: Accept: application/vnd.proxy-hint, text/event-stream
  4. application/vnd.proxy-hint has higher implicit preference (appears first)
  5. CHANGELOG says custom types are "appended to" spec types, which would produce text/event-stream, application/vnd.proxy-hint (spec first, custom second)
  6. The actual and described orderings are reversed.

Impact and fix

This is a documentation-only inaccuracy — the functional behavior is correct (spec-required types are always present). The fix is to update the CHANGELOG wording to something like: "spec-mandated Accept types are appended to any custom Accept headers provided via requestInit.headers", which accurately reflects user types appearing first with spec types appended after. The secondary q-value deduplication issue (e.g., text/event-stream; q=0.9 not deduped against text/event-stream) is a pre-existing edge case from PR #1655 and not introduced by this PR.

## 2.0.0-alpha.2

Comment on lines +3 to 21
Copy link
Copy Markdown

@claude claude bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 PR #1842 (commit 1eb80c4, 'v2: add guard methods') introduced new public API type guards — at minimum isCallToolResult and isJSONRPCResponse — to @modelcontextprotocol/client and @modelcontextprotocol/server without a changeset file, so these exports are absent from all alpha.3 CHANGELOGs. Before merging, manually add CHANGELOG entries for the new guard functions in packages/client/CHANGELOG.md and packages/server/CHANGELOG.md under 2.0.0-alpha.3.

Extended reasoning...

Guard methods from PR #1842 absent from alpha.3 CHANGELOGs

What the bug is and how it manifests

PR #1842 (commit 1eb80c4, 'v2: add guard methods') added new type guard functions to packages/core/src/types/guards.ts and exported them via packages/core/src/exports/public/index.ts. Because both packages/client/src/index.ts and packages/server/src/index.ts do export * from '@modelcontextprotocol/core/public', these guards became part of the published public API of both @modelcontextprotocol/client@2.0.0-alpha.3 and @modelcontextprotocol/server@2.0.0-alpha.3. However, PR #1842 did not create a changeset file, so the Changesets action generated no CHANGELOG entries for these additions.

The specific code path

The guards flow: packages/core/src/types/guards.ts → re-exported from packages/core/src/exports/public/index.ts (lines 107–115) → consumed via export * from '@modelcontextprotocol/core/public' in both packages/client/src/index.ts and packages/server/src/index.ts. Verifiers confirmed that at minimum isCallToolResult and isJSONRPCResponse are newly introduced in this commit; most other JSONRPC guards in the list may have pre-existed. No .changeset/ file appears in the commit, confirmed by git show 1eb80c4 -- .changeset/ returning empty.

Why existing code does not prevent it

There is no CI check that validates CHANGELOG completeness against the set of merged commits. The Changesets action only generates entries from changeset files it finds; it cannot detect commits that should have had a changeset but did not. This is the same root cause as the CF Workers CHANGELOG omission (PR #1843).

Impact

Users upgrading from alpha.2 to alpha.3 who read the release notes have no way to discover these new type guard exports. Alpha users actively track release notes precisely to find new APIs, so undocumented public additions reduce the practical value of the alpha program. The omission is a documentation gap with no functional impact.

Step-by-step proof

  1. git show 1eb80c4 -- .changeset/ returns nothing — PR v2: add guard methods #1842 created no changeset file.
  2. Open packages/client/CHANGELOG.md lines 3–14: the only alpha.3 entry is for PR fix(client): preserve custom Accept headers in StreamableHTTPClientTransport #1655 (Accept headers). No mention of any guard function.
  3. Open packages/server/CHANGELOG.md lines 3–11: the only alpha.3 entry is for PR fix: prevent stack overflow in transport close with re-entrancy guard #1788 (stack overflow fix). Same omission.
  4. Open packages/core/src/exports/public/index.ts lines 107–115: isCallToolResult, isJSONRPCResponse, and related guards are exported.
  5. A user reading the alpha.3 release notes finds zero indication that type guards were added to either published package.

How to fix

Manually add a patch-change entry to both packages/client/CHANGELOG.md and packages/server/CHANGELOG.md under 2.0.0-alpha.3, crediting PR #1842. The CHANGELOG files are plain text and can be amended before this PR is merged, as was done for other missed changeset entries.

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/client/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@modelcontextprotocol/client",
"version": "2.0.0-alpha.2",
"version": "2.0.0-alpha.3",
Copy link
Copy Markdown

@claude claude bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 The browser export condition for ./_shims in packages/client/package.json routes to dist/shimsBrowser.mjs, which contains a bare external ESM import of @cfworker/json-schema (inlined from core via noExternal, but with @cfworker/json-schema left external). Since @cfworker/json-schema is only in devDependencies and not in dependencies or peerDependencies, any browser bundler (Vite, webpack, Rollup, esbuild) that resolves the browser export condition will fail with a module-not-found error. Fix by adding @cfworker/json-schema as an optional peerDependency in packages/client/package.json.

Extended reasoning...

Client shimsBrowser.mjs requires @cfworker/json-schema but it is not in runtime dependencies

What the bug is and how it manifests

packages/client/package.json exports the ./_shims entry with a browser condition that points to dist/shimsBrowser.mjs. This file is built from packages/client/src/shimsBrowser.ts, which exports CfWorkerJsonSchemaValidator as DefaultJsonSchemaValidator from @modelcontextprotocol/core (line 6). packages/core/src/validators/cfWorkerProvider.ts has a static top-level import: import { Validator } from '@cfworker/json-schema' (line 11). The tsdown.config.ts sets noExternal: ['@modelcontextprotocol/core'], so all of core is inlined into the client bundle — but @cfworker/json-schema is NOT in noExternal and therefore remains as a bare external ESM import statement in the emitted dist/shimsBrowser.mjs.

The specific code path that triggers it

Browser bundlers (Vite, webpack, Rollup, esbuild) automatically select the browser export condition when targeting browsers. Any developer building a browser application that imports @modelcontextprotocol/client will have their bundler resolve ./_shims → dist/shimsBrowser.mjs, which immediately encounters import { Validator } from '@cfworker/json-schema' as the first top-level import. Since @cfworker/json-schema is only in devDependencies of packages/client/package.json and not in dependencies or peerDependencies, it is never installed for npm consumers.

Why existing code does not prevent it

packages/core/package.json does list @cfworker/json-schema as an optional peerDependency. However, core is "private": true and never published to npm, so its dependency declarations are invisible to external consumers. The only package.json that matters to browser bundler consumers is packages/client/package.json, and there @cfworker/json-schema appears exclusively in devDependencies. No package manager will warn users to install it, and no bundler will find it in node_modules.

What the impact is

Any developer targeting a browser environment with @modelcontextprotocol/client@2.0.0-alpha.3 will receive a module-not-found error for @cfworker/json-schema at build time (static bundlers like Vite/esbuild) or at runtime. The browser condition is applied automatically — no explicit import of the validator sub-path is needed to trigger this. This bug is distinct from the workerd condition issue (bug_003) and the server browser condition issue (bug_008); the client's shimsBrowser.ts has CORS_IS_POSSIBLE=true semantics distinct from the workerd shim but still uses CfWorkerJsonSchemaValidator, so the same missing dependency applies here.

Step-by-step proof

  1. Developer runs npm install @modelcontextprotocol/client@2.0.0-alpha.3 — @cfworker/json-schema is not installed (only in devDependencies, never transitively installed for consumers).
  2. Developer's Vite/webpack config targets browser; the bundler resolves ./_shims via the browser export condition → selects dist/shimsBrowser.mjs.
  3. dist/shimsBrowser.mjs contains a bare top-level import { Validator } from '@cfworker/json-schema' statement.
  4. Bundler cannot resolve @cfworker/json-schema — build fails with module-not-found, or runtime throws ERR_MODULE_NOT_FOUND.
  5. new Client() is never reached.

How to fix

Add @cfworker/json-schema as an optional peerDependency in packages/client/package.json. This ensures package managers warn browser-targeting consumers to install @cfworker/json-schema and makes the runtime requirement visible in the published package metadata. Alternatively, add @cfworker/json-schema to noExternal in the client's tsdown.config.ts to bundle it directly.

Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Commit 7ba58da rewrote the JSDoc at packages/core/src/index.ts:31,35 to state both AjvJsonSchemaValidator and CfWorkerJsonSchemaValidator are "Bundled — no additional dependencies required" and dropped @cfworker/json-schema from peerDependencies accordingly — but noExternal in both tsdown configs was never extended, so ajv/ajv-formats/@cfworker/json-schema remain bare external imports in the published dist. This JSDoc is inlined into the shipped .d.mts files, so alpha.3 publishes a false "Bundled" promise; it also shows the author's intent was bundling, so the fix consistent with the docs/migration guide is to add 'ajv', 'ajv-formats', '@cfworker/json-schema' to noExternal in packages/{client,server}/tsdown.config.ts — re-adding peer/runtime deps (as suggested above) would leave this JSDoc and docs/migration.md still wrong.

Extended reasoning...

Published JSDoc promises bundling that the build does not deliver

What the bug is

Commit 7ba58da (PR #1843, shipping in this alpha.3 release) changed the JSDoc block in packages/core/src/index.ts from:

AjvJsonSchemaValidatorRequires peer dependencies: ajv, ajv-formats
CfWorkerJsonSchemaValidatorRequires peer dependency: @cfworker/json-schema

to:

AjvJsonSchemaValidatorBundled — no additional dependencies required. (line 31)
CfWorkerJsonSchemaValidatorBundled — no additional dependencies required. (line 35)

The same commit removed @cfworker/json-schema from peerDependencies in both packages/client/package.json and packages/server/package.json, and updated docs/migration.md to direct users to import these validators with no install step. All of this is consistent with a single intent: the author meant to bundle these libraries into the dist output.

However, the only build-config change in 7ba58da was adding 'src/validators/cfWorker.ts' to the entry array. The noExternal array at packages/client/tsdown.config.ts:35 and packages/server/tsdown.config.ts:35 was left as ['@modelcontextprotocol/core'] — so tsdown still treats ajv, ajv-formats, and @cfworker/json-schema as external and emits them as bare import statements in dist/*.mjs.

Why this is distinct from the four earlier dependency comments

One reviewer will reasonably note that comments 3035194589, 3073682357, 3073682371, and 3073783213 already cover the module-not-found symptom and that two of them mention noExternal as an alternative. That is accurate — but none of those comments cite the rewritten JSDoc, which is the piece of evidence that turns "either fix works" into "only one fix is correct":

  • The JSDoc is inlined into the published dist/*.d.mts via the dts.compilerOptions.paths mapping in both tsdown configs. So independently of any runtime crash, alpha.3 ships a false API-doc claim ("Bundled — no additional dependencies required") that consumers see in their IDE — a docs-vs-implementation contradiction per REVIEW.md → Documentation & Changesets.
  • The earlier comments' primary recommendation — re-add peer/runtime dependencies — would fix the crash but leave the JSDoc, the migration guide, and the peerDep removal all still contradicting the implementation. Extending noExternal is the only fix that satisfies every artifact 7ba58da touched.

So this comment is the root-cause framing that resolves the ambiguity across the four prior reports, not a fifth restatement of the symptom.

Why nothing prevents it

tsdown with platform: 'node' externalises every bare import not listed in noExternal by design (the config comment at line 33–34 says exactly this). The build succeeds because ajv/@cfworker/json-schema are present in the workspace via core's deps and devDeps, so no missing-module warning fires at build time. core is "private": true, so its own dependency declarations never reach npm consumers.

Step-by-step proof

  1. git show 7ba58da -- packages/core/src/index.ts → lines 31 and 35 changed from "Requires peer dependencies …" to "Bundled — no additional dependencies required."
  2. git show 7ba58da -- packages/client/tsdown.config.ts packages/server/tsdown.config.ts → only the entry array changed; noExternal is untouched.
  3. packages/client/tsdown.config.ts:35 today: noExternal: ['@modelcontextprotocol/core']ajv, ajv-formats, @cfworker/json-schema absent.
  4. After pnpm build, dist/shimsNode.mjs contains import { Ajv } from "ajv" and dist/shimsWorkerd.mjs / dist/shimsBrowser.mjs contain import { Validator } from "@cfworker/json-schema" as bare externals.
  5. dist/index.d.mts contains the literal string "Bundled — no additional dependencies required" (inlined from core via the dts paths mapping).
  6. A consumer reads the type-doc, installs nothing extra, and hits ERR_MODULE_NOT_FOUND — directly contradicting step 5.

Impact

Same runtime blast radius already described in the earlier comments (module-not-found on Node, browser, and workerd). The additional impact here is that the published type definitions actively mislead users into not installing the missing packages, and the migration guide reinforces that. Per REVIEW.md: "prose that promises behavior the code no longer ships misleads consumers."

Fix

Extend noExternal in both packages/client/tsdown.config.ts and packages/server/tsdown.config.ts:

noExternal: ['@modelcontextprotocol/core', 'ajv', 'ajv-formats', '@cfworker/json-schema'],

This makes the build match the JSDoc, the migration guide, and the peerDependency removal in one change. If maintainers instead prefer the runtime-/peer-dependency route, then the JSDoc at packages/core/src/index.ts:31,35 and docs/migration.md must be reverted in the same PR — otherwise the published docs remain false.

Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 PR #1875 (commit 9ed62fe, shipping in this alpha.3 release) added a claims option to PrivateKeyJwtProvider whose JSDoc at packages/client/src/client/authExtensions.ts:239-240 promises "custom claims taking precedence for any overlapping keys" — but the implementation at lines 82–89 chains .setIssuer/.setSubject/.setAudience/.setIssuedAt/.setExpirationTime/.setJti after constructing SignJWT(claims), and each jose setter unconditionally overwrites the corresponding payload field. So a user passing e.g. claims: { aud: 'https://custom-audience' } per the docs silently gets aud reset to the SDK-computed value. Either drop the redundant setter chain so the merged claims object is authoritative, or fix the JSDoc to say standard claims cannot be overridden.

Extended reasoning...

What the bug is

PR #1875 (commit 9ed62fe — direct parent of this version-bump commit, so it ships in @modelcontextprotocol/client@2.0.0-alpha.3) added a claims option to PrivateKeyJwtProviderOptions. The JSDoc at packages/client/src/client/authExtensions.ts:238-240 reads:

Optional custom claims to include in the JWT assertion. These are merged with the standard claims (iss, sub, aud, exp, iat, jti), with custom claims taking precedence for any overlapping keys.

The implementation does spread { ...baseClaims, ...options.claims } at line 60, so the merged claims object initially has the user's values winning. But lines 82–89 then build the JWT with:

new jose.SignJWT(claims)
    .setProtectedHeader({ alg, typ: 'JWT' })
    .setIssuer(options.issuer)
    .setSubject(options.subject)
    .setAudience(audience)
    .setIssuedAt(now)
    .setExpirationTime(now + lifetimeSeconds)
    .setJti(jti)
    .sign(...)

Each of those setters writes back into the payload after the constructor copies claims, so the SDK-computed values overwrite whatever the user passed for all six listed standard claims. The actual behavior is the exact opposite of the JSDoc promise.

Why existing code doesn't prevent it

Verified against jose@6.2.2 source (node_modules/.pnpm/jose@6.2.2/.../jwt/sign.js and lib/jwt_claims_set.js): the SignJWT constructor passes the payload to JWTClaimsBuilder which does this.#payload = structuredClone(payload), and each setter (set iss, set sub, set aud, set jti, set exp, set iat) does an unconditional this.#payload.<claim> = value assignment — no "only if absent" guard. So .setIssuer(options.issuer) always replaces claims.iss, etc.

The tests added in 9ed62fe only exercise non-standard claims (tenant_id, role), which do flow through correctly because no setter touches them. There is no test that passes a standard claim via options.claims and asserts it appears in the signed JWT, so the contradiction is not caught.

Step-by-step proof

  1. User constructs the provider with claims: { aud: 'https://custom-token-endpoint', jti: 'fixed-id' }, relying on the JSDoc precedence guarantee.
  2. Line 60 produces claims = { iss, sub, aud: 'https://custom-token-endpoint', exp, iat, jti: 'fixed-id' } — user values win in the merged object.
  3. Line 82 passes that object to new jose.SignJWT(claims); jose clones it into #payload.
  4. Line 86 .setAudience(audience) runs this.#payload.aud = audience (the SDK-computed metadata?.issuer ?? url), overwriting 'https://custom-token-endpoint'.
  5. Line 89 .setJti(jti) runs this.#payload.jti = jti (the SDK-generated random string), overwriting 'fixed-id'.
  6. The signed assertion contains the SDK values for aud and jti; the user's values are silently discarded with no warning. Same applies to iss, sub, iat, exp.

Impact

This is a docs-vs-implementation contradiction in a public API surface that ships to npm in this release. A user who follows the JSDoc to override aud (a real use case — some authorization servers require a token-endpoint-specific audience that differs from the issuer URL) will silently get the wrong audience in the assertion and a 401 from the AS, with nothing pointing them at the cause. Per REVIEW.md → Documentation & Changesets, prose that promises behavior the code doesn't ship misleads consumers and should be flagged at the publish gate.

The spread at line 60 is effectively dead code for the six standard claims — it only matters for additional, non-standard claims.

How to fix

Two options, pick one:

  • Honor the JSDoc (recommended, since the spread at line 60 already shows this was the intent): drop the redundant .setIssuer/.setSubject/.setAudience/.setIssuedAt/.setExpirationTime/.setJti chain at lines 84–89, leaving just new jose.SignJWT(claims).setProtectedHeader({ alg, typ: 'JWT' }).sign(key). The merged claims object already contains all six standard claims with the correct precedence.
  • Honor the implementation: change the JSDoc at lines 239–240 to state that the standard claims (iss, sub, aud, exp, iat, jti) cannot be overridden via claims and that only additional claims are merged. In that case the baseClaims spread at line 60 can also be dropped since it's a no-op for those keys.

Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟣 🟣 Pre-existing — and a correction to the five prior runtime-dependency comments (3035194589 / 3073682357 / 3073682371 / 3073783213 / 3078795515): I built dist and verified that ajv, ajv-formats, and @cfworker/json-schema are fully inlined into the .mjs bundles — the only external import in dist/src-*.mjs is zod/v4, and shimsNode/Browser/Workerd.mjs all import only from the local chunk, so there is no runtime ERR_MODULE_NOT_FOUND and the JSDoc "Bundled" claim is correct. The actual residual issue is type-only: packages/{client,server}/dist/index-*.d.mts lines 2–3 contain import { Ajv } from 'ajv' and import { JSONSchema } from 'json-schema-typed' (referenced by AjvJsonSchemaValidator(ajv?: Ajv) and type JsonSchemaType), and neither package is in dependencies/peerDependencies, so consumers with skipLibCheck: false get TS2307 — a config #1766 explicitly intends to support. Fix by adding ajv + json-schema-typed to both packages' dependencies (zero runtime cost; JS already bundled), or stop exposing the raw Ajv type / inline JSONSchema.Interface.

Extended reasoning...

Correction to prior comments + actual residual issue

Prior comments are factually wrong about runtime. Five earlier comments on this PR (3035194589, 3073682357, 3073682371, 3073783213, 3078795515) assert that dist/shimsNode.mjs / shimsWorkerd.mjs / shimsBrowser.mjs contain bare external import statements for ajv, ajv-formats, and @cfworker/json-schema, causing ERR_MODULE_NOT_FOUND at module load. I verified by running pnpm --filter @modelcontextprotocol/{client,server} build and inspecting the output, and that claim does not hold:

  • packages/client/dist/src-5RQ50XKB.mjs (387 KB shared chunk) has exactly one external import on line 1: import * as z from "zod/v4". ajv (~122 inline string occurrences), ajv-formats, and @cfworker/json-schema (the CfWorkerJsonSchemaValidator class definition lives at ~line 10343) are all inlined. The two require("ajv/...") strings inside the chunk are part of ajv's own codegen template literals, not real import/require statements.
  • shimsNode.mjs, shimsBrowser.mjs, shimsWorkerd.mjs, and validators/cfWorker.mjs all import only from ./src-5RQ50XKB.mjsgrep -E 'from "ajv|from "@cfworker|from "ajv-formats' dist/**/*.mjs returns zero matches.
  • Same for packages/server/dist/src-*.mjs.

Why the earlier reasoning was wrong: those comments assumed tsdown/rolldown externalises every bare import not listed in noExternal. It doesn't — it auto-externalises only packages listed in the building package's own dependencies/peerDependencies. Since ajv/ajv-formats/@cfworker/json-schema are absent from client's and server's package.json (they live only in core's deps, and core is a devDependency), tsdown bundles them regardless of noExternal. So the JSDoc "Bundled — no additional dependencies required" at packages/core/src/index.ts:31,35 is correct for runtime, and the recommended "extend noExternal" fix in 3078795515 is a no-op for the .mjs output.

The actual residual issue (type-only)

What the dist inspection did surface is that the bundled type declarations still reference external packages. packages/client/dist/index-KFyi7eTI.d.mts and packages/server/dist/index-BIf1K4vK.d.mts both contain on lines 2–3:

import { Ajv } from 'ajv';
import { JSONSchema } from 'json-schema-typed';

These are used at type JsonSchemaType = JSONSchema.Interface (~line 9799) and declare class AjvJsonSchemaValidator { constructor(ajv?: Ajv); } (~line 9883). The dts bundler (tsdown's dts.resolver: 'tsc' with paths mapping only @modelcontextprotocol/core) inlines core's declarations but leaves third-party type references external. None of the five prior comments mention json-schema-typed at all, and none distinguish .mjs from .d.mts behaviour.

Neither ajv nor json-schema-typed is in dependencies or peerDependencies of packages/client/package.json or packages/server/package.json. A consumer with "skipLibCheck": false therefore gets TS2307: Cannot find module 'ajv' / 'json-schema-typed' on any import from @modelcontextprotocol/client or /server — not just when using the validators. Per the alpha.1 CHANGELOG entry for #1766, the SDK explicitly intends to support skipLibCheck: false, so this is a supported-config break.

Step-by-step proof

  1. npm install @modelcontextprotocol/client@2.0.0-alpha.3 in a fresh project → node_modules contains zod, cross-spawn, eventsource, etc., but not ajv or json-schema-typed.
  2. node -e "import('@modelcontextprotocol/client').then(m => console.log(typeof m.AjvJsonSchemaValidator))" → prints function. Runtime works — the prior comments' ERR_MODULE_NOT_FOUND does not reproduce.
  3. tsconfig.json with "skipLibCheck": false; source file: import { McpClient } from '@modelcontextprotocol/client';.
  4. tsc --noEmitnode_modules/@modelcontextprotocol/client/dist/index-KFyi7eTI.d.mts(2,21): error TS2307: Cannot find module 'ajv' or its corresponding type declarations. and the same for json-schema-typed on line 3.
  5. Type-check fails for every consumer file that imports anything from the package.

Impact and fix

Runtime is fine; this is a compile-time-only break for the skipLibCheck: false population (which #1766 explicitly targets). Pre-existing since alpha.1 (#1689 introduced AjvJsonSchemaValidator and JsonSchemaType); this PR doesn't change it but is the publish gate for alpha.3.

Two fix options:

  • Add ajv and json-schema-typed to dependencies of both packages/client/package.json and packages/server/package.json. This satisfies TypeScript's module resolution for the .d.mts imports at zero additional runtime cost (the JS is already bundled; the packages are pulled in only so tsc can find their .d.ts).
  • Stop leaking the third-party types: change constructor(ajv?: Ajv) to constructor(ajv?: unknown) (or a locally-declared structural type) and inline/re-declare JSONSchema.Interface instead of re-exporting it. This keeps the dependency list minimal but is a small public-API surface change.

Filed primarily so the maintainers don't act on the incorrect runtime-crash framing / noExternal recommendation above before publish — extending noExternal would not address the .d.mts emission, and re-adding peer deps is unnecessary for runtime.

"description": "Model Context Protocol implementation for TypeScript - Client package",
"license": "MIT",
"author": "Anthropic, PBC (https://anthropic.com)",
Expand Down
7 changes: 7 additions & 0 deletions packages/core/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# @modelcontextprotocol/core

## 2.0.0-alpha.2

### Patch Changes

- [#1768](https://github.com/modelcontextprotocol/typescript-sdk/pull/1768) [`866c08d`](https://github.com/modelcontextprotocol/typescript-sdk/commit/866c08d3640c5213f80c3b4220e24c42acfc2db8) Thanks [@felixweinberger](https://github.com/felixweinberger)! - Allow additional JSON
Schema properties in elicitInput's requestedSchema type by adding .catchall(z.unknown()), matching the pattern used by inputSchema. This fixes type incompatibility when using Zod v4's .toJSONSchema() output which includes extra properties like $schema and additionalProperties.
Comment on lines +3 to +8
Copy link
Copy Markdown

@claude claude bot Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 The zod-json-schema-compat changeset declares only '@modelcontextprotocol/core': patch, but core is private: true and never published — so the elicitInput requestedSchema fix lands in core's CHANGELOG (invisible on npm) and is absent from the @modelcontextprotocol/client and @modelcontextprotocol/server alpha.3 CHANGELOGs even though that's where the fix actually ships (via tsdown noExternal inlining). Also note that because core is only a devDependency of client/server, changesets won't propagate a core-only bump — had this been the only changeset since alpha.2, client/server would not have been republished at all. Consider manually adding the #1768 entry to the client/server alpha.3 CHANGELOGs, and going forward target core-bundled fixes at the published packages.

Extended reasoning...

What the bug is

.changeset/zod-json-schema-compat.md declares only '@modelcontextprotocol/core': patch. The Changesets action consequently writes the PR #1768 entry ("Allow additional JSON Schema properties in elicitInput's requestedSchema...") into packages/core/CHANGELOG.md under 2.0.0-alpha.2 and nowhere else. But packages/core/package.json has "private": true — core is never published to npm, so its CHANGELOG is invisible to package consumers. The fix actually reaches users inside @modelcontextprotocol/client@2.0.0-alpha.3 and @modelcontextprotocol/server@2.0.0-alpha.3, because both packages set noExternal: ['@modelcontextprotocol/core'] in tsdown.config.ts and inline core's source into their bundles. Neither published package's CHANGELOG mentions the elicitInput fix.

Why changesets doesn't propagate this

There is also a structural issue beyond the documentation gap: @modelcontextprotocol/core is listed only in devDependencies of both packages/client/package.json and packages/server/package.json (not dependencies or peerDependencies). Changesets' updateInternalDependencies only follows runtime/peer dependency edges, so a core-only changeset does not cause client or server to be version-bumped. In this PR, client and server happen to be bumped to alpha.3 by unrelated changesets (fix-validate-client-metadata-url, odd-forks-enjoy, fix-streamable-close-reentrant), so the elicitInput fix ships by coincidence. If zod-json-schema-compat had been the only changeset since alpha.2, client/server would have stayed at alpha.2 and the fix would not have been published at all.

Relationship to prior comments

This is distinct from the previously-filed comments about PR #1842 and PR #1843 (which lacked changeset files entirely). Here a changeset does exist but targets an unpublished package. It is the same class of outcome (missing entry in published CHANGELOGs) with a different root cause (mis-targeted vs. missing changeset).

This pattern is not new — the alpha.1 core CHANGELOG already contains several core-only entries (#1735, #1790, #1766, #1762) that similarly never appeared in client/server CHANGELOGs, so maintainers may consider this established practice. That precedent is why this is filed as a nit rather than a blocking issue, but the devDependency-propagation observation is worth surfacing because it means core-only changesets are effectively no-ops for publishing.

Step-by-step proof

  1. .changeset/zod-json-schema-compat.md front-matter: only '@modelcontextprotocol/core': patch.
  2. packages/core/package.json line 3: "private": true — never published.
  3. packages/client/package.json and packages/server/package.json: @modelcontextprotocol/core appears only under devDependencies → changesets does not treat it as an internal dependency to bump.
  4. packages/client/CHANGELOG.md lines 3–19 (alpha.3 section): only fix: validate clientMetadataUrl at construction time (fail-fast) #1653 and fix(client): preserve custom Accept headers in StreamableHTTPClientTransport #1655 listed; no mention of elicitInput / requestedSchema / fix(core): allow additional JSON Schema properties in elicitInput requestedSchema #1768.
  5. packages/server/CHANGELOG.md lines 3–8 (alpha.3 section): only fix: prevent stack overflow in transport close with re-entrancy guard #1788 listed; no mention of elicitInput / fix(core): allow additional JSON Schema properties in elicitInput requestedSchema #1768.
  6. A user reading the npm release notes for client@2.0.0-alpha.3 or server@2.0.0-alpha.3 has no way to discover the elicitInput.requestedSchema Zod-v4 compatibility fix that those packages now contain.

Impact and fix

Impact is documentation-only in this release (the fix does ship), but the changeset is structurally mis-targeted. Short-term: manually add the #1768 entry under ### Patch Changes in both packages/client/CHANGELOG.md and packages/server/CHANGELOG.md for 2.0.0-alpha.3. Longer-term: when a fix lives in core but ships via the inlined client/server bundles, the changeset should declare '@modelcontextprotocol/client': patch and '@modelcontextprotocol/server': patch (optionally in addition to core) so the bump and CHANGELOG entry land where users can see them.


## 2.0.0-alpha.1

Comment on lines +3 to 11
Copy link
Copy Markdown

@claude claude bot Apr 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 The isCallToolResult guard (introduced in PR #1842, now published in this alpha.2 version bump) returns false for any object missing an explicit content key, but CallToolResultSchema.safeParse({}).success returns true because content carries .default([]). The migration guide at docs/migration.md:450-454 explicitly presents isCallToolResult(value) as a direct drop-in replacement for CallToolResultSchema.safeParse(value).success; that equivalence claim is incorrect and will silently produce false negatives for users following the guide with objects lacking an explicit content field.

Extended reasoning...

What the bug is: isCallToolResult in packages/core/src/types/guards.ts contains an early-exit check !("content" in value) that short-circuits for any object without a content own-property, even if that object would parse successfully via the schema. Meanwhile, CallToolResultSchema defines content: z.array(ContentBlockSchema).default([]), so CallToolResultSchema.safeParse({}).success === true. The two are not equivalent.

The migration guide makes an explicit, incorrect equivalence claim: docs/migration.md:450-454 presents isCallToolResult(value) as a direct drop-in replacement for CallToolResultSchema.safeParse(value).success. Any user migrating by substituting isCallToolResult will silently get false for a valid CallToolResult whose content field was omitted in the raw object — e.g. a tool response carrying only structuredContent before going through Zod parsing.

Addressing the refutations: The refutations correctly observe that (a) the TypeScript output type for CallToolResult has content as a required field (Zod's .default([]) makes it required in the output, optional only in input), (b) the MCP spec says content is "always present" for backwards compatibility, and (c) values returned by client.callTool() have already been Zod-parsed so content will be present. These are valid, and they explain why real-world breakage is narrow in normal SDK usage.

However, the refutations do not resolve the issue: the migration guide's equivalence claim is stated unconditionally, without the caveat that it only holds for already-parsed values. A developer writing a custom validator, testing raw server responses, or constructing a CallToolResult-shaped object manually before parsing will encounter a false negative. The guard is intentionally stricter than safeParse, but the migration guide does not communicate this distinction.

Concrete proof: (1) Raw object: { isError: false } — no content key, but valid per schema since content defaults to []. (2) CallToolResultSchema.safeParse({ isError: false }).success returns true. (3) isCallToolResult({ isError: false }) returns false due to the !("content" in value) early exit. (4) A user following the migration guide who swaps step 2 for step 3 silently rejects a valid value.

Impact and fix: The bug's practical blast radius is limited to objects that have not been Zod-parsed yet; in the normal SDK flow those are rare. But this is a published migration guide making a false API contract claim. The fix is either to remove the !("content" in value) early-exit in guards.ts (making the guard consistent with safeParse semantics), or to update the migration guide to clearly document that isCallToolResult is stricter and requires content to be explicitly present in the raw object.

### Minor Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/core/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "@modelcontextprotocol/core",
"private": true,
"version": "2.0.0-alpha.1",
"version": "2.0.0-alpha.2",
Copy link
Copy Markdown

@claude claude bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟣 Pre-existing: packages/core/package.json lists zod in both dependencies (auto-installs) and peerDependencies with optional: false (signals manual install required) — these are contradictory. The drop-zod-peer-dep changeset cleaned this up for the public client and server packages but missed core. Since core is private: true, there is no npm consumer impact, but the redundant peer dependency entry should be removed for consistency.

Extended reasoning...

Analysis

packages/core/package.json currently has zod in two conflicting locations:

  1. dependencies (line 51): "zod": "catalog:runtimeShared" — this means zod is a direct dependency that auto-installs for any consumer of core.
  2. peerDependencies (line 55): "zod": "catalog:runtimeShared" — combined with peerDependenciesMeta.zod.optional: false (line 62), this signals to package managers that users must install zod themselves as a peer.

These two declarations are semantically contradictory. A direct dependency auto-installs and requires nothing from the consumer; a non-optional peer dependency generates package-manager warnings telling consumers they must install the dependency themselves.

Why existing code does not prevent this

The drop-zod-peer-dep changeset (documented in packages/client/CHANGELOG.md under the 2.0.0-alpha.1 entry) explicitly dropped zod from peerDependencies in @modelcontextprotocol/client and @modelcontextprotocol/server. The changeset file targets those two packages but the same cleanup was not applied to packages/core/package.json. The version bump in this PR touches packages/core/package.json (line 4, version field) but does not address this inconsistency.

Step-by-step proof

  1. Open packages/core/package.json.
  2. Observe "zod": "catalog:runtimeShared" under dependencies — zod will auto-install in any workspace consuming core.
  3. Observe "zod": "catalog:runtimeShared" under peerDependencies — a package manager resolving this package would also emit a peer dependency warning.
  4. Observe peerDependenciesMeta.zod.optional: false — this marks the peer as required, not optional, making the warning an error in strict tools.
  5. Compare with packages/client/package.json: zod is only in dependencies, no peerDependencies entry — the cleanup was done there.

Impact

Practical impact is minimal: core is "private": true and is never published to npm, so no external consumers will encounter the contradictory peer dependency warning. Within the pnpm workspace the direct dependency satisfies the peer requirement automatically. The issue is purely a documentation/consistency problem.

Fix

Remove the zod entry from peerDependencies and its corresponding peerDependenciesMeta.zod block in packages/core/package.json, matching what was done for the client and server packages in the drop-zod-peer-dep changeset.

"description": "Model Context Protocol implementation for TypeScript - Core package",
"license": "MIT",
"author": "Anthropic, PBC (https://anthropic.com)",
Expand Down
7 changes: 7 additions & 0 deletions packages/server/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# @modelcontextprotocol/server

## 2.0.0-alpha.3

### Patch Changes

- [#1788](https://github.com/modelcontextprotocol/typescript-sdk/pull/1788) [`df4b6cc`](https://github.com/modelcontextprotocol/typescript-sdk/commit/df4b6cc88d6f24fc857519cf506a7a039f532637) Thanks [@claygeo](https://github.com/claygeo)! - Prevent stack overflow in
StreamableHTTPServerTransport.close() with re-entrant guard
Comment on lines +7 to +8
Copy link
Copy Markdown

@claude claude bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 The CHANGELOG entry for 2.0.0-alpha.3 references a non-existent class name StreamableHTTPServerTransport.close(); the actual class is WebStandardStreamableHTTPServerTransport (there is also a separate NodeStreamableHTTPServerTransport). Update the entry to use the full, unambiguous class name to match both the codebase and the other entry in the same file.

Extended reasoning...

What the bug is

The new CHANGELOG entry in packages/server/CHANGELOG.md (lines 7–8) reads:

Prevent stack overflow in StreamableHTTPServerTransport.close() with re-entrant guard

No class named StreamableHTTPServerTransport exists anywhere in the codebase. The abbreviated name was informally used in the changeset file (fix-streamable-close-reentrant.md) and propagated into the CHANGELOG by the Changesets tooling.

The specific code that was changed

The re-entrancy fix (a _closed flag check) was applied to WebStandardStreamableHTTPServerTransport.close() in packages/server/src/server/streamableHttp.ts around line 224. A separate NodeStreamableHTTPServerTransport exists in packages/middleware/node. The abbreviated name is ambiguous between both implementations.

Why existing validation doesn't catch it

Changesets generates CHANGELOG prose from the markdown body of changeset files. The changeset author used the shorthand StreamableHTTPServerTransport, and no lint rule or automated check validates class name accuracy inside CHANGELOG prose. The error therefore passed through undetected.

Impact

Developers searching the CHANGELOG or codebase for StreamableHTTPServerTransport will find zero results and may conclude the entry refers to a different or removed class. The ambiguity between WebStandardStreamableHTTPServerTransport and NodeStreamableHTTPServerTransport could also cause confusion about which implementation received the fix. The other 2.0.0-alpha.2 entry in the same file (fix-onerror-callbacks) correctly names WebStandardStreamableHTTPServerTransport, making the inconsistency more jarring.

Step-by-step proof

  1. Open packages/server/CHANGELOG.md, lines 7–8: entry says StreamableHTTPServerTransport.close().
  2. Search the codebase for class StreamableHTTPServerTransport — zero matches.
  3. Search for class WebStandardStreamableHTTPServerTransport — found in packages/server/src/server/streamableHttp.ts:224.
  4. Search for class NodeStreamableHTTPServerTransport — found in packages/middleware/node.
  5. The same CHANGELOG file, line 99 (alpha.2 entry), correctly uses the full name WebStandardStreamableHTTPServerTransport.

How to fix

Change the CHANGELOG entry to: "Prevent stack overflow in WebStandardStreamableHTTPServerTransport.close() with re-entrant guard".


## 2.0.0-alpha.2

### Patch Changes
Expand Down
2 changes: 1 addition & 1 deletion packages/server/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@modelcontextprotocol/server",
"version": "2.0.0-alpha.2",
"version": "2.0.0-alpha.3",
"description": "Model Context Protocol implementation for TypeScript - Server package",
"license": "MIT",
"author": "Anthropic, PBC (https://anthropic.com)",
Comment on lines 1 to 6
Copy link
Copy Markdown

@claude claude bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 PR #1843 removed @cfworker/json-schema from peerDependencies of both @modelcontextprotocol/client and @modelcontextprotocol/server while simultaneously adding ./validators/cf-worker sub-path exports and workerd shims that depend on it at runtime, meaning any Cloudflare Workers consumer will get a module-not-found error. Re-add @cfworker/json-schema as an optional peerDependency in packages/client/package.json and packages/server/package.json before publishing these alpha.3 packages.

Extended reasoning...

@cfworker/json-schema removed from peerDependencies but required at runtime

What the bug is and how it manifests

PR #1843 (commit 7ba58da, merged before this version-bump PR) made two contradictory changes simultaneously: (1) it added new ./validators/cf-worker sub-path exports and workerd condition shims in both @modelcontextprotocol/client and @modelcontextprotocol/server that depend on @cfworker/json-schema, and (2) it removed @cfworker/json-schema from the peerDependencies of both published packages. As a result, any consumer who installs @modelcontextprotocol/server@2.0.0-alpha.3 or @modelcontextprotocol/client@2.0.0-alpha.3 will not have @cfworker/json-schema in their node_modules, and runtime module resolution will fail.

The specific code path that triggers it

The chain is: packages/server/src/shimsWorkerd.ts and packages/client/src/shimsWorkerd.ts export CfWorkerJsonSchemaValidator from '@modelcontextprotocol/core'. packages/core/src/validators/cfWorkerProvider.ts line 11 contains a top-level static import: . The tsdown.config.ts for both client and server uses , which inlines core code directly into the built output bundles. However, @cfworker/json-schema is NOT in noExternal — the config comment explicitly states 'treat all other dependencies as external'. Therefore, the built dist/shimsWorkerd.mjs and dist/validators/cfWorker.mjs both contain a bare external ESM import statement at the top of the file.

Why existing code doesn't prevent it

packages/core/package.json does list @cfworker/json-schema as an optional peerDependency. However, core is and is never published to npm — its peerDependencies declaration is invisible to external consumers. The only package.json files that matter to npm consumers are packages/client/package.json and packages/server/package.json, and in both of those @cfworker/json-schema appears only in devDependencies (not installed for consumers, only for local development).

Impact

There are two affected populations: (1) Any Cloudflare Workers user of either package — the workerd export condition is automatically selected by CF Workers bundlers (Wrangler), so even users who never explicitly import from /validators/cf-worker will get shimsWorkerd.mjs loaded, which immediately fails with a top-level import error. This breaks ALL CF Workers integrations. (2) Users who explicitly import from '@modelcontextprotocol/server/validators/cf-worker' or '@modelcontextprotocol/client/validators/cf-worker' in any environment also get the same failure. No package manager will warn about the missing dependency because there is no peerDependencies declaration in the published packages.

Step-by-step proof

  1. Developer runs — installs alpha.3 without @cfworker/json-schema (not in dependencies or peerDependencies).
  2. Developer deploys to Cloudflare Workers; Wrangler bundles the app and resolves the ./_shims export with the workerd condition → selects dist/shimsWorkerd.mjs.
  3. dist/shimsWorkerd.mjs contains: as a bare ESM import.
  4. Module resolution fails: .
  5. Deployment fails or the worker crashes on startup with a module-not-found error.

How to fix

Re-add @cfworker/json-schema as an optional peerDependency in both packages/client/package.json and packages/server/package.json, matching the pattern used before PR #1843:

This ensures package managers warn CF Workers users to install the dependency and makes the runtime requirement explicit in the published package metadata.

Comment on lines 1 to 6
Copy link
Copy Markdown

@claude claude bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 The server's ./_shims browser export condition points to dist/shimsWorkerd.mjs — the same file as the workerd condition — which contains a bare external import of @cfworker/json-schema, a package absent from dependencies and peerDependencies. Any user who bundles @modelcontextprotocol/server targeting a browser environment (Vite, webpack, Rollup, esbuild all apply the browser condition automatically) will get a module-not-found error for @cfworker/json-schema at build or runtime. Fix by either (a) adding @cfworker/json-schema as an optional peerDependency so consumers are warned to install it, or (b) removing the browser export condition so browser bundlers fall through to the default node shim.

Extended reasoning...

Server browser export condition routes to CF Workers shim, missing required dependency

What the bug is and how it manifests

packages/server/package.json maps the ./_shims export with the browser condition to dist/shimsWorkerd.d.mts / dist/shimsWorkerd.mjs — the exact same files used for the workerd condition. Standard browser bundlers (Vite, webpack, Rollup, esbuild) automatically select the browser export condition. Any developer bundling @modelcontextprotocol/server for a browser target will silently load shimsWorkerd.mjs, which contains a bare top-level ESM import of @cfworker/json-schema. That package is only listed in devDependencies of the server package — not in dependencies or peerDependencies — so no consumer will have it installed, causing a module-not-found error at build-time or runtime.

The specific code path

shimsWorkerd.ts line 6 re-exports CfWorkerJsonSchemaValidator as DefaultJsonSchemaValidator from @modelcontextprotocol/core. packages/core/src/validators/cfWorkerProvider.ts line 11 contains a static top-level import: import { Validator } from '@cfworker/json-schema'. The tsdown.config.ts for the server sets noExternal: ['@modelcontextprotocol/core'] (inlining core), but @cfworker/json-schema is not in noExternal, so the build leaves a bare external import in the output bundle.

Why existing code doesn't prevent it

The client package (packages/client/package.json) correctly provides a distinct shimsBrowser.mjs for the browser condition. The server has no shimsBrowser.ts at all (only shimsNode.ts and shimsWorkerd.ts). PR #1843 which added CF Workers support created the workerd/browser routing but neglected to either provide a server-specific browser shim or add @cfworker/json-schema to peerDependencies.

Addressing the refutation

One verifier argued that the browser→shimsWorkerd routing is intentional because the server needs CfWorkerJsonSchemaValidator (AJV has Node.js dependencies and cannot run in browsers) and both environments need identical behavior — unlike the client which requires distinct shimsBrowser for CORS_IS_POSSIBLE semantics. This argument about intent is plausible, but it does not resolve the functional bug: regardless of whether the routing is intentional, @cfworker/json-schema is not in dependencies or peerDependencies of the published server package, so no browser bundler user will have it installed. The intent and the implementation are misaligned.

Step-by-step proof

  1. Developer runs npm install @modelcontextprotocol/server@cfworker/json-schema is not installed (only in devDeps, never for consumers).
  2. Developer's Vite config targets browser; Vite resolves ./_shims via the browser export condition → gets dist/shimsWorkerd.mjs.
  3. dist/shimsWorkerd.mjs contains import { Validator } from '@cfworker/json-schema' as a top-level static import.
  4. Vite (or webpack/Rollup/esbuild) cannot resolve @cfworker/json-schema → build error or runtime Module not found crash.
  5. This affects all browser-bundled server users, not just CF Workers deployments.

How to fix

Option A (minimal): Add @cfworker/json-schema as an optional peerDependency in packages/server/package.json, matching the pattern in packages/core/package.json. This at minimum warns consumers to install it.

Option B (correct): Create a packages/server/src/shimsBrowser.ts that either provides a pure-browser-compatible JSON schema validator or re-exports from the node shim (process is unavailable in browsers anyway), then point the browser export condition to dist/shimsBrowser.mjs. This matches the client package's architecture and removes the dependency on @cfworker/json-schema for standard browser users entirely.

Option C (simplest safe fix): Remove the browser export condition from ./_shims in packages/server/package.json so browser bundlers fall through to the default (node) shim. If the node shim works in browser contexts for the server use case, this is the least-risk change.

🔬 also observed by 3035194589

Comment thread
claude[bot] marked this conversation as resolved.
Expand Down
Loading