Update dependency @modelcontextprotocol/sdk to v1.24.0 [SECURITY]

[tinyfish-github-bot]

This PR contains the following updates:

Package	Type	Update	Change
@modelcontextprotocol/sdk (source)	dependencies	minor	1.6.1 -> 1.24.0

GitHub Vulnerability Alerts

CVE-2025-66414

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.24.0

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @​domdomegg in https://github.com/modelcontextprotocol/typescript-sdk/pull/1171
• Make sure to consume HTTP error response bodies by @​GreenStage in https://github.com/modelcontextprotocol/typescript-sdk/pull/1173
• docs: add GET request handling for streamableHttp stateless mode by @​saharis9988 in https://github.com/modelcontextprotocol/typescript-sdk/pull/1161
• SEP-1686: Tasks by @​LucaButBoring in https://github.com/modelcontextprotocol/typescript-sdk/pull/1041
• Fix JSON parse error on SSE events with empty data by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1184
• Fix StreamableHTTPClientTransport instantiation by @​yuwzho in https://github.com/modelcontextprotocol/typescript-sdk/pull/944
• feat: eslint rule to prefer node protocols by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1187
• fix: call tasks/result to deliver side-channel messages by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1185
• Add invalid_target oauth error (rfc 8707) by @​GreenStage in https://github.com/modelcontextprotocol/typescript-sdk/pull/1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @​yamadashy in https://github.com/modelcontextprotocol/typescript-sdk/pull/1178
• coerce 'expires_in' to be a number by @​adam-kuhn in https://github.com/modelcontextprotocol/typescript-sdk/pull/1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @​jerome3o-anthropic in https://github.com/modelcontextprotocol/typescript-sdk/pull/1189
• fix: update registerTool signature for proper typed ToolCallback by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1188
• SEP-1046: Client credentials flow for M2M without user interaction by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1157
• adds the transitive @​types/express-serve-static-core dependency as a direct devDependency by @​mgyarmathy in https://github.com/modelcontextprotocol/typescript-sdk/pull/1078
• Fix optional argument handling in prompts for Zod V4 by @​filip-bartuska-ipf in https://github.com/modelcontextprotocol/typescript-sdk/pull/1199
• fix hanging stdio servers by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1200
• README refactor by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1197
• [Docs] Fix typo by @​koic in https://github.com/modelcontextprotocol/typescript-sdk/pull/1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1166
• fix: improve SSE reconnection behavior by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1191
• fix: normalize headers in sse transport by @​marcrasi in https://github.com/modelcontextprotocol/typescript-sdk/pull/856
• feat: add closeStandaloneSSEStream for GET stream polling by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1203
• fix: normalize null to undefined in ElicitResultSchema content field by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @​jacopoc in https://github.com/modelcontextprotocol/typescript-sdk/pull/1205
• fix: allow zod 4 transformations by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1212
• chore: bump version for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1215

New Contributors

• @​GreenStage made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1173
• @​saharis9988 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1161
• @​yuwzho made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/944
• @​yamadashy made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1178
• @​adam-kuhn made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1111
• @​mgyarmathy made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1078
• @​filip-bartuska-ipf made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1199
• @​koic made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1067
• @​marcrasi made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/856
• @​jacopoc made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

v1.23.0

Compare Source

What's Changed

• Migrate to vitest from jest by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1074
• ci: add workflow_dispatch trigger for manual CI runs by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1114
• Fix: @​types/node incompatibility with vite warnings on npm install by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1121
• Fix: clean up accidental spec.types.ts by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1122
• fix: Pass RequestInit options to auth requests by @​dsp-ant in https://github.com/modelcontextprotocol/typescript-sdk/pull/1066
• SEP-1036: URL Elicitation by @​nbarbettini in https://github.com/modelcontextprotocol/typescript-sdk/pull/1105
• add none to test and the router. by @​m-henderson in https://github.com/modelcontextprotocol/typescript-sdk/pull/1116
• [auth] Adjust scope management to line up with SEP-835 by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/1133
• chore: add .idea/ to .gitignore by @​maxisbey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1134
• chore: remove unused @​types/eslint__js dependency by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1128
• feat: url based client metadata registration (SEP 991) by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1127
• feat: zod v4 with backwards compatibility for v3.25+ by @​dclark27 in https://github.com/modelcontextprotocol/typescript-sdk/pull/1040
• fix: remove pnpm lock and regenerate package-lock by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1138
• docs: update installation instructions for zod peer dependency by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1139
• Implement SEP-1577 - Sampling With Tools by @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/1101
• Follow up: unify v3 and v4 zod types via describe matrix and a test helper by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1141
• chore: Add deprecated marker to old elicitInput overload by @​nbarbettini in https://github.com/modelcontextprotocol/typescript-sdk/pull/1142
• fix: Connect error in URL elicitation example by @​nbarbettini in https://github.com/modelcontextprotocol/typescript-sdk/pull/1136
• Support upscoping on insufficient_scope 403 by @​Nayana-Parameswarappa in https://github.com/modelcontextprotocol/typescript-sdk/pull/1115
• Support beta releases by publishing with --tag beta by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1146
• Bump version to 1.23.0-beta.0 by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1147
• SEP-1613: use.catchall() on inputSchema/outputSchema to support JSON Schema 2020-12 by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1135
• sampling: validate tools, tool_use, tool_result constraints by @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/1156
• fix: React to upstream RC schema changes for form mode elicitation requests by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1164
• feat: implement SEP-1699 SSE polling via server-side disconnect by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1129
• chore: bump package number for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1170

New Contributors

• @​nbarbettini made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1105
• @​m-henderson made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1116
• @​maxisbey made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1134
• @​dclark27 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1040
• @​Nayana-Parameswarappa made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1115

Full Changelog: modelcontextprotocol/typescript-sdk@1.22.0...1.23.0

v1.22.0

Compare Source

What's Changed

• registerTool: accept ZodType for input and output schema by @​ksinder in https://github.com/modelcontextprotocol/typescript-sdk/pull/816
• SEP-1319: Decouple Request Payloads, Remove passthrough iteration, Typecheck fixes by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1086
• add pkg-pr-new bot by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/1088
• Upgrade to Node LTS by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1072
• change step name by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/1089
• SEP-1034: Default values for Elicitation Schemas by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1096
• SEP-1330: Compatibility with SEP-1034 by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1100
• Implementation of SEP-986: Specify Format for Tool Names by @​kentcdodds in https://github.com/modelcontextprotocol/typescript-sdk/pull/900
• [auth] Fix march spec fallback for metadata discovery by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/1108
• chore: bump version for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1110

New Contributors

• @​ksinder made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/816

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.22.0

v1.21.2

Compare Source

What's changed

This is a patch release for a regression highlighted by #​1103

This patch contains only the cherry picked fix in #​1108

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.21.2

v1.21.1

Compare Source

What's Changed

• Only use path-based discovery URLs from the authorization server to discover metadata by @​roadmapper in https://github.com/modelcontextprotocol/typescript-sdk/pull/1070
• Add @​deprecated annotations to legacy APIs by @​domdomegg in https://github.com/modelcontextprotocol/typescript-sdk/pull/1018
• fix: Support WWW-Authenticate scope param for SEP-835 by @​chipgpt in https://github.com/modelcontextprotocol/typescript-sdk/pull/983
• move CLI script to dedicated scripts directory by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1073
• Check script which typechecks using Typescripts new Go port by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1075
• FIX: use a nightly spec.types.ts by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1087
• chore: bump version for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1085

New Contributors

• @​roadmapper made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1070

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.0...1.21.1

v1.21.0

Compare Source

What's Changed

• feat: pluggable JSON schema validator providers by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1012
• Update metadata.ts by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/1010
• fix: Prefer the token_endpoint_auth_method response from DCR registration by @​chipgpt in https://github.com/modelcontextprotocol/typescript-sdk/pull/1022
• Fix: Non-existent tool, disabled tool and inputSchema validation return MCP protocol level instead of CallToolResult with isError: true by @​KKonstantinov in https://github.com/modelcontextprotocol/typescript-sdk/pull/1044
• chore: bump version to 1.21.0 for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1062

New Contributors

• @​chipgpt made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1022

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.2...1.21.0

v1.20.2

Compare Source

What's Changed

• fix: Zod to JSONSchema pipe strategies by @​pierreliefauche in https://github.com/modelcontextprotocol/typescript-sdk/pull/962
• chore: bump version for weekly release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1042

New Contributors

• @​pierreliefauche made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/962

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.1...1.20.2

v1.20.1

Compare Source

What's Changed

• fix: Add Accept header to auth metadata request by @​SVLaursen in https://github.com/modelcontextprotocol/typescript-sdk/pull/901
• Allow empty string as valid URL in DCR workflow by @​fredericbarthelet in https://github.com/modelcontextprotocol/typescript-sdk/pull/987
• docs: fix summary contents at readme by @​starfish719 in https://github.com/modelcontextprotocol/typescript-sdk/pull/1025
• chore: bump version to 1.20.1 for release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/1032

New Contributors

• @​SVLaursen made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/901
• @​starfish719 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1025

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.0...1.20.1

v1.20.0

Compare Source

What's Changed

• docs: improve main README with better quick start, include examples of stateless HTTP, explain tools v resources v prompts by @​domdomegg in https://github.com/modelcontextprotocol/typescript-sdk/pull/980
• chore: add lint:fix script by @​mattzcarey in https://github.com/modelcontextprotocol/typescript-sdk/pull/1013
• Default to S256 code challenge if not specified in authorization server metadata by @​LucaButBoring in https://github.com/modelcontextprotocol/typescript-sdk/pull/992

New Contributors 🙏

• @​mattzcarey made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/1013

Full Changelog: modelcontextprotocol/typescript-sdk@1.19.0...1.20.0

v1.19.1

Compare Source

v1.18.2

Compare Source

What's Changed

• Updates the sampling code example in the README by @​viniciuscsouza in https://github.com/modelcontextprotocol/typescript-sdk/pull/958
• Use redirect Uri passed in in demoInMemoryOAuthProvider by @​TylerLeonhardt in https://github.com/modelcontextprotocol/typescript-sdk/pull/931
• fix(auth-router): correct Protected Resource Metadata for pathful RS and add explicit resourceServerUrl (RFC 9728) by @​blustAI in https://github.com/modelcontextprotocol/typescript-sdk/pull/858
• chore: update version to 1.18.2 for weekly release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/970

New Contributors

• @​viniciuscsouza made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/958
• @​TylerLeonhardt made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/931
• @​blustAI made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/858

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.1...1.18.2

v1.18.1

Compare Source

What's Changed

• fix: prevent streamable http wite after end from crashing the node process by @​MQ37 in https://github.com/modelcontextprotocol/typescript-sdk/pull/933
• chore: update version to 1.18.1 for weekly release by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/950

New Contributors

• @​MQ37 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/933

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.0...1.18.1

v1.18.0

Compare Source

What's Changed

• mcp: update SDK for SEP 973 + add to example server by @​jesselumarie in https://github.com/modelcontextprotocol/typescript-sdk/pull/904
• feat: add _meta field support to tool definitions by @​knguyen-figma in https://github.com/modelcontextprotocol/typescript-sdk/pull/922
• Fix automatic log level handling for sessionless connections by @​cliffhall in https://github.com/modelcontextprotocol/typescript-sdk/pull/917
• 1.17.6 by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/936
• 1.18.0 by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/937
• ignore icons for now by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/938

New Contributors

• @​jesselumarie made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/904
• @​knguyen-figma made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/922

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.5...1.18.0

v1.17.5

Compare Source

What's Changed

• Automatic handling of logging level by @​cliffhall in https://github.com/modelcontextprotocol/typescript-sdk/pull/882
• Fix the SDK vs Spec types test that is breaking CI by @​cliffhall in https://github.com/modelcontextprotocol/typescript-sdk/pull/908

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.4...1.17.5

v1.17.4

Compare Source

What's Changed

• feature(middleware): Composable fetch middleware for auth and cross‑cutting concerns by @​m-paternostro in https://github.com/modelcontextprotocol/typescript-sdk/pull/485
• restrict url schemes allowed in oauth metadata by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/877
• [auth] OAuth protected-resource-metadata: fallback on 4xx not just 404 by @​pcarleton in https://github.com/modelcontextprotocol/typescript-sdk/pull/879
• chore: bump version to 1.17.4 by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/894

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.3...1.17.4

v1.17.3

Compare Source

What's Changed

• Fix quit command in Example client with OAuth by @​DaleSeo in https://github.com/modelcontextprotocol/typescript-sdk/pull/864
• fix: client import & server imports by @​jatinsandilya in https://github.com/modelcontextprotocol/typescript-sdk/pull/851
• fix: pass fetchfn parameter to registerClient and refreshAuthorizatio… by @​arjunkmrm in https://github.com/modelcontextprotocol/typescript-sdk/pull/850
• docs: correct parameter schema key in Dynamic Servers documentation by @​bianbianzhu in https://github.com/modelcontextprotocol/typescript-sdk/pull/789
• version: patch to 0.17.3 by @​felixweinberger in https://github.com/modelcontextprotocol/typescript-sdk/pull/878

New Contributors

• @​DaleSeo made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/864
• @​jatinsandilya made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/851
• @​arjunkmrm made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/850
• @​bianbianzhu made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/789

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.2...1.17.3

v1.17.2

Compare Source

What's Changed

• fix: retry next endpoint on CORS error during auth server discovery by @​xiaoyijun in https://github.com/modelcontextprotocol/typescript-sdk/pull/827

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.1...1.17.2

v1.17.1

Compare Source

What's Changed

• (fix): Update fallbackRequestHandler type to match _requestHandlers leaves type by @​fredericbarthelet in https://github.com/modelcontextprotocol/typescript-sdk/pull/784
• fix: prevent responses being sent to wrong client when multiple transports connect by @​grimmerk in https://github.com/modelcontextprotocol/typescript-sdk/pull/820
• 1.17.1 by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/831

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.0...1.17.1

v1.17.0

Compare Source

What's Changed

• Add CODEOWNERS file for sdk by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/781
• Add more robust base64 check by @​cliffhall in https://github.com/modelcontextprotocol/typescript-sdk/pull/786
• update codeowners by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/803
• Fix indent by @​jiec-msft in https://github.com/modelcontextprotocol/typescript-sdk/pull/807
• fix: Explicitly declare accpet type to json when exchanging oauth token by @​JoJoJoJoJoJoJo in https://github.com/modelcontextprotocol/typescript-sdk/pull/801
• feat: support oidc discovery in client sdk by @​xiaoyijun in https://github.com/modelcontextprotocol/typescript-sdk/pull/652
• fix: remove extraneous code block in README.md by @​sd0ric4 in https://github.com/modelcontextprotocol/typescript-sdk/pull/791
• Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @​dependabot[bot] inhttps://github.com/modelcontextprotocol/typescript-sdk/pull/7988
• Bump version 1.17.0 by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/810

New Contributors 🙏

• @​jiec-msft made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/807
• @​sd0ric4 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/791

Full Changelog: modelcontextprotocol/typescript-sdk@1.16.0...1.17.0

v1.16.0

Compare Source

What's Changed

• Add type compatibility test between SDK and spec types by @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/729
• Add OIDC ID token support by @​dankelleher in https://github.com/modelcontextprotocol/typescript-sdk/pull/680
• Add prompt=consent for OIDC offline_access scope by @​dankelleher in https://github.com/modelcontextprotocol/typescript-sdk/pull/681
• Non-critical: Readme syntax and typographical error fixes by @​freakynit in https://github.com/modelcontextprotocol/typescript-sdk/pull/765
• make client side client_id generation configurable in the oauth router by @​cdaguerre in https://github.com/modelcontextprotocol/typescript-sdk/pull/734
• Adding invalidateCredentials() to OAuthClientProvider by @​geelen in https://github.com/modelcontextprotocol/typescript-sdk/pull/570
• fix: use authorization_server_url as issuer when fetching metadata by @​JoJoJoJoJoJoJo in https://github.com/modelcontextprotocol/typescript-sdk/pull/763
• feat(protocol): Debounce notifications to improve network efficiancy by @​jneums in https://github.com/modelcontextprotocol/typescript-sdk/pull/746
• fix(731): StreamableHTTPClientTransport Fails to Reconnect on Non-Resumable Streams by @​jneums in https://github.com/modelcontextprotocol/typescript-sdk/pull/732
• fix: consistently use consumer-provided fetch function by @​LucaButBoring in https://github.com/modelcontextprotocol/typescript-sdk/pull/767
• fix client id issuance date should only be sent when generated by @​cdaguerre in https://github.com/modelcontextprotocol/typescript-sdk/pull/775
• 1.16.0 by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/779

New Contributors 🙏

• @​dankelleher made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/680
• @​freakynit made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/765
• @​cdaguerre made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/734
• @​JoJoJoJoJoJoJo made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/763
• @​jneums made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/746
• @​LucaButBoring made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/767

Full Changelog: modelcontextprotocol/typescript-sdk@1.15.1...1.16.0

v1.15.1

Compare Source

What's Changed

• fix(client): Some mcp server need default env(#​393, #​196) by @​sunrabbit123 in https://github.com/modelcontextprotocol/typescript-sdk/pull/394
• feat: Add CORS configuration for browser-based MCP clients by @​jerome3o-anthropic in https://github.com/modelcontextprotocol/typescript-sdk/pull/713
• Add onsessionclosed hook to StreamableHTTPServerTransport by @​jerome3o-anthropic in https://github.com/modelcontextprotocol/typescript-sdk/pull/743
• add custom headers on initial _startOrAuth call by @​anthonjn in https://github.com/modelcontextprotocol/typescript-sdk/pull/318
• Improve stdio test Windows compatibility and refactor command logic by @​HoberMin in https://github.com/modelcontextprotocol/typescript-sdk/pull/284
• Add missing app.listen error handling to server examples by @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/749
• fix(server): validate expiresAt token value for non existence by @​christian-bromann in https://github.com/modelcontextprotocol/typescript-sdk/pull/446
• [auth]: support oauth client_secret_basic / none / custom methods by @​jaredhanson, @​SightStudio, @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/720
• feat: support async callbacks for onsessioninitialized and onsessionclosed by @​jerome3o-anthropic in https://github.com/modelcontextprotocol/typescript-sdk/pull/751
• Fix oauth well-known paths to retain path and query by @​ihrpr in https://github.com/modelcontextprotocol/typescript-sdk/pull/756
• auth: fetch AS metadata in well-known subpath from serverUrl even when PRM returns external AS by @​ochafik in https://github.com/modelcontextprotocol/typescript-sdk/pull/752

New Contributors

• @​sunrabbit123 made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/394
• @​anthonjn made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/318
• @​HoberMin made their first contribution in https://github.com/modelcontextprotocol/typescript-sdk/pull/284

Full Changelog: modelcontextprotocol/typescript-sdk@1.15.0...1.15.1

v1.15.0

Compare Source

What's Changed

[!NOTE]
This release reverts a breaking change introduced in version 1.13.3.

• Allow custom fetch in SSEClientTransport and StreamableHTTPClientTransport by [@​cliffhall](https://redirect.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}