v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @pcarleton in #1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in #1382
• Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in #1442
• chore: bump version to 1.26.0 by @pcarleton in #1479

New Contributors

• @samuv made their first contribution in #1382
• @NSeydoux made their first contribution in #1442

Full Changelog: v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in #1407
• fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in #1411

Full Changelog: v1.25.2...v1.25.3

v1.25.2

What's Changed

• ci: trigger workflow on v1.x branch by @felixweinberger in #1319
• fix: README badges links destinations by @antonpk1 in #907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in #1365

New Contributors

• @antonpk1 made their first contribution in #907

Full Changelog: 1.25.1...v1.25.2

1.25.1

What's Changed

• spec types - backwards compatibility changes by @KKonstantinov in #1306
• chore: bump version for patch fix by @felixweinberger in #1307

Full Changelog: 1.25.0...1.25.1

1.25.0

What's Changed

• list changed handlers on client constructor by @mattzcarey in #1206
• Role - moved from inline to reusable type by @KKonstantinov in #1221
• fix: use versioned npm tag for non-main branch releases by @pcarleton in #1236
• No automatic completion support unless needed - Revisited yet again by @cliffhall in #1237
• fix: Support updating output schema by @vincent0426 in #1048
• Remove type dependency on @cfworker/json-schema by @LucaButBoring in #1229
• Relocate tests under /test by @KKonstantinov in #1220
• Fix tsconfig: remove tests by @KKonstantinov in #1240
• tsconfig - tests and build fix by @KKonstantinov in #1243
• fix a typo in examples README by @DaleSeo in #1246
• Protocol date validation by @mattzcarey in #1247
• Flaky test fix on Types.test.ts by @KKonstantinov in #1244
• SPEC COMPLIANCE: Remove loose/passthrough types not allowed/defined by MCP spec + Task types by @KKonstantinov in #1242
• Follow-up fixes for PR #1242 by @felixweinberger in #1274
• Update server examples and docs by @DaleSeo in #1285
• Update TypeScript config to ES2020 to fix AJV imports by @mattzcarey in #1297
• Fix Zod v4 schema description extraction by @felixweinberger in #1296
• Add optional description field to Implementation schema by @calclavia in #1295
• Add theme property to Icon schema by @DaleSeo in #1290
• feat: fetch transport by @mattzcarey in #1209
• chore: bump version for release by @felixweinberger in #1301

New Contributors

• @vincent0426 made their first contribution in #1048

Full Changelog: 1.24.3...1.25.0

1.24.3

What's Changed

• chore: fix dev dependency security vulnerabilities by @felixweinberger in #1227
• chore(deps): bump express from 5.0.1 to 5.2.1 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1228
• fix: release HTTP connections after POST responses by @mattzcarey in #1214
• fix: skip priming events and closeSSEStream for old protocol versions by @felixweinberger in #1233
• chore: bump version for patch release by @felixweinberger in #1235

Full Changelog: 1.24.2...1.24.3

1.23.1

Fixed:

• Disabled SSE priming events to fix backwards compatibility - 1.23.x clients crash on empty SSE data (JSON.parse(""))

This is a patch for servers still on 1.23.x that were breaking clients not handling the the 2025-11-25 priming event behavior with empty SSE data fields. See #1233 for more details.

Full Changelog: 1.23.0...1.23.1

1.24.2

What's Changed

• feat: add optional resource annotations by @vhorvath2010 in #954
• chore: refresh CLAUDE.md by @LucaButBoring in #1217
• refactor: make Server class framework-agnostic by moving express to separate module by @cytle in #1223
• chore: bump version to 1.24.2 by @pcarleton in #1224

New Contributors

• @vhorvath2010 made their first contribution in #954
• @cytle made their first contribution in #1223

Full Changelog: 1.24.1...1.24.2

1.24.1

What's Changed

• fix(streamableHttp): fix infinite retries when maxRetries is set to 0 by @mrorigo in #1216
• chore: update protocol version to 2025-11-25 by @dsp-ant in #1218
• chore: bump version for release by @felixweinberger in #1219

New Contributors

• @mrorigo made their first contribution in #1216

Full Changelog: 1.24.0...1.24.1

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @domdomegg in #1171
• Make sure to consume HTTP error response bodies by @GreenStage in #1173
• docs: add GET request handling for streamableHttp stateless mode by @saharis9988 in #1161
• SEP-1686: Tasks by @LucaButBoring in #1041
• Fix JSON parse error on SSE events with empty data by @felixweinberger in #1184
• Fix StreamableHTTPClientTransport instantiation by @yuwzho in #944
• feat: eslint rule to prefer node protocols by @mattzcarey in #1187
• fix: call tasks/result to deliver side-channel messages by @felixweinberger in #1185
• Add invalid_target oauth error (rfc 8707) by @GreenStage in #1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @yamadashy in #1178
• coerce 'expires_in' to be a number by @adam-kuhn in #1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @jerome3o-anthropic in #1189
• fix: update registerTool signature for proper typed ToolCallback by @mattzcarey in #1188
• SEP-1046: Client credentials flow for M2M without user interaction by @KKonstantinov in #1157
• adds the transitive @types/express-serve-static-core dependency as a direct devDependency by @mgyarmathy in #1078
• Fix optional argument handling in prompts for Zod V4 by @filip-bartuska-ipf in #1199
• fix hanging stdio servers by @mattzcarey in #1200
• README refactor by @KKonstantinov in #1197
• [Docs] Fix typo by @koic in #1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @felixweinberger in #1166
• fix: improve SSE reconnection behavior by @felixweinberger in #1191
• fix: normalize headers in sse transport by @marcrasi in #856
• feat: add closeStandaloneSSEStream for GET stream polling by @felixweinberger in #1203
• fix: normalize null to undefined in ElicitResultSchema content field by @mattzcarey in #1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @jacopoc in #1205
• fix: allow zod 4 transformations by @mattzcarey in #1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @felixweinberger in #1212
• chore: bump version for release by @felixweinberger in #1215

New Contributors

• @GreenStage made their first contribution in #1173
• @saharis9988 made their first contribution in #1161
• @yuwzho made their first contribution in #944
• @yamadashy made their first contribution in #1178
• @adam-kuhn made their first contribution in #1111
• @mgyarmathy made their first contribution in #1078
• @filip-bartuska-ipf made their first contribution in #1199
• @koic made their first contribution in #1067
• @marcrasi made their first contribution in #856
• @jacopoc made their first contribution in #1205

Full Changelog: 1.23.0...1.24.0