Minor Changes
-
#2286
1823aaeThanks @felixweinberger! -createMcpHandlernow returns a web-standards-only{ fetch, close, notify, bus }handler — the shape Workers/Bun/Deno expect fromexport default. The duck-typed.node(req, res, parsedBody?)face is removed; Node frameworks (Express, Fastify, plainnode:http) wrap the
handler once with the newtoNodeHandler(handler, { onerror? })exported from@modelcontextprotocol/node, which converts the Node request to a web-standardRequest, callshandler.fetch, and writes theResponseback honoring write backpressure. The optionalonerror
receives the adapter-level error fallback (request conversion /handler.fetchthrow) before the500response is written, restoring observability parity with the removed.nodeface.NodeIncomingMessageLikeandNodeServerResponseLikemove from
@modelcontextprotocol/serverto@modelcontextprotocol/node. -
#2390
6cc7b1cThanks @felixweinberger! - ExporttoWebRequest(req, parsedBody?, options?)— the NodeIncomingMessage→ web-standardRequestconversiontoNodeHandleralready performs internally. Use it to feedisLegacyRequest()(orhandler.fetch()) from a hand-wired Node/Express(req, res)handler instead of assembling aglobalThis.Requestfromreq.headersby hand. When a body parser already consumed the Node stream (express.json()), pass the parsed value asparsedBody; passoptions.signalto tie the constructed request to client disconnect, the waytoNodeHandlerdoes. -
#2286
1823aaeThanks @felixweinberger! - Add Origin header validation alongside the existing Host header validation. The server package gains framework-agnostic helpers (validateOriginHeader,localhostAllowedOrigins,originValidationResponse); the Express, Hono and Fastify adapters gainoriginValidation/
localhostOriginValidationmiddleware and a newallowedOriginsoption on their app factories, which now arm Origin validation by default for localhost-class binds (mirroring the Host validation ladder; the 0.0.0.0-without-allowlist warning is unchanged). Requests
without anOriginheader pass — non-browser MCP clients are unaffected — while a presentOriginthat is not allowed or cannot be parsed (including the opaquenullorigin) is rejected with403. The Node adapter shipshostHeaderValidation/originValidation
request guards for plainnode:httpservers, which previously had no validation helpers.
Patch Changes
-
#2394
801111eThanks @felixweinberger! - Fix the published declaration files for consumers compiling withskipLibCheck: false: the bundled.d.mtsno longer leaves a danglingURIComponentreference (ajv's published types import it fromfast-uri, whose export-assigned namespace the dts bundler cannot link — the type is now inlined via a dts-only path mapping), and no longer importsjson-schema-typedfrom an undeclared dependency (it is inlined viadts.resolve).@modelcontextprotocol/nodeand@modelcontextprotocol/serverdrop staletypesVersionsentries pointing at subpaths that never shipped. Package READMEs note that TypeScript >=6.0 requires"types": ["node"]since the published declarations referenceBuffer. -
#2286
1823aaeThanks @felixweinberger! - ForwardsetSupportedProtocolVersionsfromNodeStreamableHTTPServerTransportto the wrapped Web Standard transport. Previously a server'ssupportedProtocolVersionsoption never reached the Node adapter'sMCP-Protocol-Versionheader validation, which silently kept
validating against the default version list. -
Updated dependencies [
1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,801111e,1823aae,1823aae,6cc7b1c,f0bf785,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae]:- @modelcontextprotocol/server@2.0.0-alpha.4