github modelcontextprotocol/typescript-sdk @modelcontextprotocol/node@2.0.0-alpha.4

Minor Changes

  • #2286 1823aae Thanks @felixweinberger! - createMcpHandler now returns a web-standards-only { fetch, close, notify, bus } handler — the shape Workers/Bun/Deno expect from export default. The duck-typed .node(req, res, parsedBody?) face is removed; Node frameworks (Express, Fastify, plain node:http) wrap the
    handler once with the new toNodeHandler(handler, { onerror? }) exported from @modelcontextprotocol/node, which converts the Node request to a web-standard Request, calls handler.fetch, and writes the Response back honoring write backpressure. The optional onerror
    receives the adapter-level error fallback (request conversion / handler.fetch throw) before the 500 response is written, restoring observability parity with the removed .node face. NodeIncomingMessageLike and NodeServerResponseLike move from
    @modelcontextprotocol/server to @modelcontextprotocol/node.

  • #2390 6cc7b1c Thanks @felixweinberger! - Export toWebRequest(req, parsedBody?, options?) — the Node IncomingMessage → web-standard Request conversion toNodeHandler already performs internally. Use it to feed isLegacyRequest() (or handler.fetch()) from a hand-wired Node/Express (req, res) handler instead of assembling a globalThis.Request from req.headers by hand. When a body parser already consumed the Node stream (express.json()), pass the parsed value as parsedBody; pass options.signal to tie the constructed request to client disconnect, the way toNodeHandler does.

  • #2286 1823aae Thanks @felixweinberger! - Add Origin header validation alongside the existing Host header validation. The server package gains framework-agnostic helpers (validateOriginHeader, localhostAllowedOrigins, originValidationResponse); the Express, Hono and Fastify adapters gain originValidation /
    localhostOriginValidation middleware and a new allowedOrigins option on their app factories, which now arm Origin validation by default for localhost-class binds (mirroring the Host validation ladder; the 0.0.0.0-without-allowlist warning is unchanged). Requests
    without an Origin header pass — non-browser MCP clients are unaffected — while a present Origin that is not allowed or cannot be parsed (including the opaque null origin) is rejected with 403. The Node adapter ships hostHeaderValidation / originValidation
    request guards for plain node:http servers, which previously had no validation helpers.

Patch Changes

  • #2394 801111e Thanks @felixweinberger! - Fix the published declaration files for consumers compiling with skipLibCheck: false: the bundled .d.mts no longer leaves a dangling URIComponent reference (ajv's published types import it from fast-uri, whose export-assigned namespace the dts bundler cannot link — the type is now inlined via a dts-only path mapping), and no longer imports json-schema-typed from an undeclared dependency (it is inlined via dts.resolve). @modelcontextprotocol/node and @modelcontextprotocol/server drop stale typesVersions entries pointing at subpaths that never shipped. Package READMEs note that TypeScript >=6.0 requires "types": ["node"] since the published declarations reference Buffer.

  • #2286 1823aae Thanks @felixweinberger! - Forward setSupportedProtocolVersions from NodeStreamableHTTPServerTransport to the wrapped Web Standard transport. Previously a server's supportedProtocolVersions option never reached the Node adapter's MCP-Protocol-Version header validation, which silently kept
    validating against the default version list.

  • Updated dependencies [1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 801111e, 1823aae, 1823aae, 6cc7b1c, f0bf785, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae, 1823aae]:

    • @modelcontextprotocol/server@2.0.0-alpha.4

Don't miss a new typescript-sdk release

NewReleases is sending notifications on new releases.