Version Packages (alpha)

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

main is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on main.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

@modelcontextprotocol/client@2.0.0-alpha.1

Major Changes

• #1783 045c62a Thanks @felixweinberger! - Remove
  WebSocketClientTransport. WebSocket is not a spec-defined transport; use stdio or Streamable HTTP. The Transport interface remains exported for custom implementations. See Missing WebSocketServerTransport? #142.

Minor Changes

• #1527 dc896e1 Thanks @felixweinberger! - Add
  discoverOAuthServerInfo() function and unified discovery state caching for OAuth

  • New discoverOAuthServerInfo(serverUrl) export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server
    URL outside of auth().
  • New OAuthDiscoveryState type and optional OAuthClientProvider methods saveDiscoveryState() / discoveryState() allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This
    avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost.
  • New 'discovery' scope for invalidateCredentials() to clear cached discovery state.
  • New OAuthServerInfo type exported for the return value of discoverOAuthServerInfo().

• #1673 462c3fc Thanks @KKonstantinov! - refactor: extract task
  orchestration from Protocol into TaskManager

  Breaking changes:

  • taskStore, taskMessageQueue, defaultTaskPollInterval, and maxTaskQueueSize moved from ProtocolOptions to capabilities.tasks on ClientOptions/ServerOptions

• #1763 6711ed9 Thanks @felixweinberger! - Add
  reconnectionScheduler option to StreamableHTTPClientTransport. Lets non-persistent environments (serverless, mobile, desktop sleep/wake) override the default setTimeout-based SSE reconnection scheduling. The scheduler may return a cancel function that is invoked on
  transport.close().

• #1443 4aec5f7 Thanks @NSeydoux! - The client credentials providers now
  support scopes being added to the token request.

• #1689 0784be1 Thanks @felixweinberger! - Support Standard Schema
  for tool and prompt schemas

  Tool and prompt registration now accepts any schema library that implements the Standard Schema spec: Zod v4, Valibot, ArkType, and others. RegisteredTool.inputSchema, RegisteredTool.outputSchema, and RegisteredPrompt.argsSchema now use
  StandardSchemaWithJSON (requires both ~standard.validate and ~standard.jsonSchema) instead of the Zod-specific AnySchema type.

  Zod v4 schemas continue to work unchanged — Zod v4 implements the required interfaces natively.

  import { type } from 'arktype';
  
  server.registerTool(
      'greet',
      {
          inputSchema: type({ name: 'string' })
      },
      async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] })
  );

  For raw JSON Schema (e.g. TypeBox output), use the new fromJsonSchema adapter:

  import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
  
  server.registerTool(
      'greet',
      {
          inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
      },
      handler
  );

  Breaking changes:

  • experimental.tasks.getTaskResult() no longer accepts a resultSchema parameter. Returns GetTaskPayloadResult (a loose Result); cast to the expected type at the call site.
  • Removed unused exports from @modelcontextprotocol/core: SchemaInput, schemaToJson, parseSchemaAsync, getSchemaShape, getSchemaDescription, isOptionalSchema, unwrapOptionalSchema. Use the new standardSchemaToJsonSchema and validateStandardSchema instead.
  • completable() remains Zod-specific (it relies on Zod's .shape introspection).

• #1710 e563e63 Thanks @felixweinberger! - Add AuthProvider for
  composable bearer-token auth; transports adapt OAuthClientProvider automatically

  • New AuthProvider interface: { token(): Promise<string | undefined>; onUnauthorized?(ctx): Promise<void> }. Transports call token() before every request and onUnauthorized() on 401 (then retry once).

  • Transport authProvider option now accepts AuthProvider | OAuthClientProvider. OAuth providers are adapted internally via adaptOAuthProvider() — no changes needed to existing OAuthClientProvider implementations.

  • For simple bearer tokens (API keys, gateway-managed tokens, service accounts): { authProvider: { token: async () => myKey } } — one-line object literal, no class.

  • New adaptOAuthProvider(provider) export for explicit adaptation.

  • New handleOAuthUnauthorized(provider, ctx) helper — the standard OAuth onUnauthorized behavior.

  • New isOAuthClientProvider() type guard.

  • New UnauthorizedContext type.

  • Exported previously-internal auth helpers for building custom flows: applyBasicAuth, applyPostAuth, applyPublicAuth, executeTokenRequest.

    Transports are simplified internally — ~50 lines of inline OAuth orchestration (auth() calls, WWW-Authenticate parsing, circuit-breaker state) moved into the adapter's onUnauthorized() implementation. OAuthClientProvider itself is unchanged.

• #1614 1a78b01 Thanks @pcarleton! - Apply resolved scope consistently
  to both DCR and the authorization URL (SEP-835)

  When scopes_supported is present in the protected resource metadata (/.well-known/oauth-protected-resource), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request
  body, ensuring both use a consistent value.

  • registerClient() now accepts an optional scope parameter that overrides clientMetadata.scope in the registration body.
  • auth() now computes the resolved scope once (WWW-Authenticate → PRM scopes_supported → clientMetadata.scope) and passes it to both DCR and the authorization request.

Patch Changes

• #1758 e86b183 Thanks @KKonstantinov! - tasks - disallow requesting
  a null TTL

• #1824 fcde488 Thanks @felixweinberger! - Drop zod from
  peerDependencies (kept as direct dependency)

  Since Standard Schema support landed, zod is purely an internal runtime dependency used for protocol message parsing. User-facing schemas (registerTool, registerPrompt) accept any Standard Schema library. zod remains in dependencies and auto-installs; users no
  longer need to install it alongside the SDK.

• #1761 01954e6 Thanks @felixweinberger! - Convert remaining
  capability-assertion throws to SdkError(SdkErrorCode.CapabilityNotSupported, ...). Follow-up to v2: Errors refactor (ProtocolError, SdkError, OAuthError) #1454 which missed Client.assertCapability(), the task capability helpers in experimental/tasks/helpers.ts, and the sampling/elicitation capability checks in
  experimental/tasks/server.ts.

• #1632 d99f3ee Thanks @matantsach! - Continue OAuth metadata discovery
  on 502 (Bad Gateway) responses, matching the existing behavior for 4xx. This fixes MCP servers behind reverse proxies that return 502 for path-aware metadata URLs. Other 5xx errors still throw to avoid retrying against overloaded servers.

• #1772 5276439 Thanks @felixweinberger! - Always set
  windowsHide when spawning stdio server processes on Windows, not just in Electron environments. Prevents unwanted console windows in non-Electron Windows applications.

• #1390 9bc9abc Thanks @DePasqualeOrg! - Fix
  StreamableHTTPClientTransport to handle error responses in SSE streams

• #1343 4b5fdcb Thanks @christso! - Fix OAuth error handling for servers
  returning errors with HTTP 200 status

  Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an error field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages.

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1386 00249ce Thanks @PederHP! - Respect capability negotiation in list
  methods by returning empty lists when server lacks capability

  The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability:

  • listPrompts() returns { prompts: [] } if server lacks prompts capability

  • listResources() returns { resources: [] } if server lacks resources capability

  • listResourceTemplates() returns { resourceTemplates: [] } if server lacks resources capability

  • listTools() returns { tools: [] } if server lacks tools capability

    This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing enforceStrictCapabilities option continues to throw errors when set to true.

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• #1595 13a0d34 Thanks @bhosmer-ant! - Don't swallow fetch TypeError
  as CORS in non-browser environments. Network errors (DNS resolution failure, connection refused, invalid URL) in Node.js and Cloudflare Workers now propagate from OAuth discovery instead of being silently misattributed to CORS and returning undefined. This surfaces the real
  error to callers rather than masking it as "metadata not found."

• #1279 71ae3ac Thanks @KKonstantinov! - Initial 2.0.0-alpha.0
  client and server package

@modelcontextprotocol/server@2.0.0-alpha.1

Major Changes

• #1389 108f2f3 Thanks @DePasqualeOrg! - Fix error handling for
  unknown tools and resources per MCP spec.

  Tools: Unknown or disabled tool calls now return JSON-RPC protocol errors with code -32602 (InvalidParams) instead of CallToolResult with isError: true. Callers who checked result.isError for unknown tools should catch rejected promises instead.

  Resources: Unknown resource reads now return error code -32002 (ResourceNotFound) instead of -32602 (InvalidParams).

  Added ProtocolErrorCode.ResourceNotFound.

Minor Changes

• #1673 462c3fc Thanks @KKonstantinov! - refactor: extract task
  orchestration from Protocol into TaskManager

  Breaking changes:

  • taskStore, taskMessageQueue, defaultTaskPollInterval, and maxTaskQueueSize moved from ProtocolOptions to capabilities.tasks on ClientOptions/ServerOptions

• #1689 0784be1 Thanks @felixweinberger! - Support Standard Schema
  for tool and prompt schemas

  Tool and prompt registration now accepts any schema library that implements the Standard Schema spec: Zod v4, Valibot, ArkType, and others. RegisteredTool.inputSchema, RegisteredTool.outputSchema, and RegisteredPrompt.argsSchema now use
  StandardSchemaWithJSON (requires both ~standard.validate and ~standard.jsonSchema) instead of the Zod-specific AnySchema type.

  Zod v4 schemas continue to work unchanged — Zod v4 implements the required interfaces natively.

  import { type } from 'arktype';
  
  server.registerTool(
      'greet',
      {
          inputSchema: type({ name: 'string' })
      },
      async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] })
  );

  For raw JSON Schema (e.g. TypeBox output), use the new fromJsonSchema adapter:

  import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
  
  server.registerTool(
      'greet',
      {
          inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
      },
      handler
  );

  Breaking changes:

  • experimental.tasks.getTaskResult() no longer accepts a resultSchema parameter. Returns GetTaskPayloadResult (a loose Result); cast to the expected type at the call site.
  • Removed unused exports from @modelcontextprotocol/core: SchemaInput, schemaToJson, parseSchemaAsync, getSchemaShape, getSchemaDescription, isOptionalSchema, unwrapOptionalSchema. Use the new standardSchemaToJsonSchema and validateStandardSchema instead.
  • completable() remains Zod-specific (it relies on Zod's .shape introspection).

Patch Changes

• #1758 e86b183 Thanks @KKonstantinov! - tasks - disallow requesting
  a null TTL

• #1363 0a75810 Thanks @DevJanderson! - Fix ReDoS vulnerability in
  UriTemplate regex patterns (CVE-2026-0621)

• #1372 3466a9e Thanks @mattzcarey! - missing change for fix(client):
  replace body.cancel() with text() to prevent hanging

• #1824 fcde488 Thanks @felixweinberger! - Drop zod from
  peerDependencies (kept as direct dependency)

  Since Standard Schema support landed, zod is purely an internal runtime dependency used for protocol message parsing. User-facing schemas (registerTool, registerPrompt) accept any Standard Schema library. zod remains in dependencies and auto-installs; users no
  longer need to install it alongside the SDK.

• #1761 01954e6 Thanks @felixweinberger! - Convert remaining
  capability-assertion throws to SdkError(SdkErrorCode.CapabilityNotSupported, ...). Follow-up to v2: Errors refactor (ProtocolError, SdkError, OAuthError) #1454 which missed Client.assertCapability(), the task capability helpers in experimental/tasks/helpers.ts, and the sampling/elicitation capability checks in
  experimental/tasks/server.ts.

• #1433 78bae74 Thanks @codewithkenzo! - Fix transport errors being
  silently swallowed by adding missing onerror callback invocations before all createJsonErrorResponse calls in WebStandardStreamableHTTPServerTransport. This ensures errors like parse failures, invalid headers, and session validation errors are properly reported via the
  onerror callback.

• #1660 689148d Thanks @rechedev9! - fix(server): propagate negotiated
  protocol version to transport in _oninitialize

• #1568 f1ade75 Thanks @stakeswky! - Handle stdout errors (e.g. EPIPE)
  in StdioServerTransport gracefully instead of crashing. When the client disconnects abruptly, the transport now catches the stdout error, surfaces it via onerror, and closes.

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1388 f66a55b Thanks @mattzcarey! - reverting application/json in
  notifications

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

• #1279 71ae3ac Thanks @KKonstantinov! - Initial 2.0.0-alpha.0
  client and server package

@modelcontextprotocol/fastify@2.0.0-alpha.1

Minor Changes

• #1536 81e4b2a Thanks @andyfleming! - Add Fastify middleware adapter
  for MCP servers, following the same pattern as the Express and Hono adapters.

Patch Changes

• Updated dependencies [e86b183, 0a75810,
  3466a9e, fcde488,
  462c3fc, 01954e6,
  78bae74, 689148d,
  f1ade75, 108f2f3,
  dcf708d, f66a55b,
  69a0626, 69a0626,
  dcf708d, 0784be1,
  71ae3ac]:
  • @modelcontextprotocol/server@2.0.0-alpha.1

@modelcontextprotocol/express@2.0.0-alpha.1

Patch Changes

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• #1625 1fe9eda Thanks @rameshreddy-adutla! - Add jsonLimit
  option to createMcpExpressApp

• Updated dependencies [e86b183, 0a75810,
  3466a9e, fcde488,
  462c3fc, 01954e6,
  78bae74, 689148d,
  f1ade75, 108f2f3,
  dcf708d, f66a55b,
  69a0626, 69a0626,
  dcf708d, 0784be1,
  71ae3ac]:

  • @modelcontextprotocol/server@2.0.0-alpha.1

@modelcontextprotocol/hono@2.0.0-alpha.1

Patch Changes

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• Updated dependencies [e86b183, 0a75810,
  3466a9e, fcde488,
  462c3fc, 01954e6,
  78bae74, 689148d,
  f1ade75, 108f2f3,
  dcf708d, f66a55b,
  69a0626, 69a0626,
  dcf708d, 0784be1,
  71ae3ac]:

  • @modelcontextprotocol/server@2.0.0-alpha.1

@modelcontextprotocol/node@2.0.0-alpha.1

Patch Changes

• #1504 327243c Thanks @corvid-agent! - Add missing hono peer
  dependency to @modelcontextprotocol/node. The package already depends on @hono/node-server which requires hono at runtime, but hono was only listed in the workspace root, not as a peer dependency of the package itself.

• #1410 9296459 Thanks @mattzcarey! - Prevent Hono from overriding
  global Response object by passing overrideGlobalObjects: false to getRequestListener(). This fixes compatibility with frameworks like Next.js whose response classes extend the native Response.

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

• Updated dependencies [e86b183, 0a75810,
  3466a9e, fcde488,
  462c3fc, 01954e6,
  78bae74, 689148d,
  f1ade75, 108f2f3,
  dcf708d, f66a55b,
  69a0626, 69a0626,
  dcf708d, 0784be1,
  71ae3ac]:

  • @modelcontextprotocol/server@2.0.0-alpha.1

@modelcontextprotocol/core@2.0.0-alpha.1

Minor Changes

• #1673 462c3fc Thanks @KKonstantinov! - refactor: extract task
  orchestration from Protocol into TaskManager

  Breaking changes:

  • taskStore, taskMessageQueue, defaultTaskPollInterval, and maxTaskQueueSize moved from ProtocolOptions to capabilities.tasks on ClientOptions/ServerOptions

• #1389 108f2f3 Thanks @DePasqualeOrg! - Fix error handling for
  unknown tools and resources per MCP spec.

  Tools: Unknown or disabled tool calls now return JSON-RPC protocol errors with code -32602 (InvalidParams) instead of CallToolResult with isError: true. Callers who checked result.isError for unknown tools should catch rejected promises instead.

  Resources: Unknown resource reads now return error code -32002 (ResourceNotFound) instead of -32602 (InvalidParams).

  Added ProtocolErrorCode.ResourceNotFound.

• #1689 0784be1 Thanks @felixweinberger! - Support Standard Schema
  for tool and prompt schemas

  Tool and prompt registration now accepts any schema library that implements the Standard Schema spec: Zod v4, Valibot, ArkType, and others. RegisteredTool.inputSchema, RegisteredTool.outputSchema, and RegisteredPrompt.argsSchema now use
  StandardSchemaWithJSON (requires both ~standard.validate and ~standard.jsonSchema) instead of the Zod-specific AnySchema type.

  Zod v4 schemas continue to work unchanged — Zod v4 implements the required interfaces natively.

  import { type } from 'arktype';
  
  server.registerTool(
      'greet',
      {
          inputSchema: type({ name: 'string' })
      },
      async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] })
  );

  For raw JSON Schema (e.g. TypeBox output), use the new fromJsonSchema adapter:

  import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
  
  server.registerTool(
      'greet',
      {
          inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
      },
      handler
  );

  Breaking changes:

  • experimental.tasks.getTaskResult() no longer accepts a resultSchema parameter. Returns GetTaskPayloadResult (a loose Result); cast to the expected type at the call site.
  • Removed unused exports from @modelcontextprotocol/core: SchemaInput, schemaToJson, parseSchemaAsync, getSchemaShape, getSchemaDescription, isOptionalSchema, unwrapOptionalSchema. Use the new standardSchemaToJsonSchema and validateStandardSchema instead.
  • completable() remains Zod-specific (it relies on Zod's .shape introspection).

Patch Changes

• #1735 a2e5037 Thanks @felixweinberger! - Abort in-flight request
  handlers when the connection closes. Previously, request handlers would continue running after the transport disconnected, wasting resources and preventing proper cleanup. Also fixes InMemoryTransport.close() firing onclose twice on the initiating side.

• #1574 379392d Thanks @olaservo! - Add missing size field to
  ResourceSchema to match the MCP specification

• #1363 0a75810 Thanks @DevJanderson! - Fix ReDoS vulnerability in
  UriTemplate regex patterns (CVE-2026-0621)

• #1761 01954e6 Thanks @felixweinberger! - Convert remaining
  capability-assertion throws to SdkError(SdkErrorCode.CapabilityNotSupported, ...). Follow-up to v2: Errors refactor (ProtocolError, SdkError, OAuthError) #1454 which missed Client.assertCapability(), the task capability helpers in experimental/tasks/helpers.ts, and the sampling/elicitation capability checks in
  experimental/tasks/server.ts.

• #1790 89fb094 Thanks @felixweinberger! - Consolidate per-request
  cleanup in _requestWithSchema into a single .finally() block. This fixes an abort signal listener leak (listeners accumulated when a caller reused one AbortSignal across requests) and two cases where _responseHandlers entries leaked on send-failure paths.

• #1486 65bbcea Thanks @localden! - Fix InMemoryTaskStore to enforce
  session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes.

• #1766 48aba0d Thanks @felixweinberger! - Add explicit
  | undefined to optional properties on the Transport interface and TransportSendOptions (onclose, onerror, onmessage, sessionId, setProtocolVersion, setSupportedProtocolVersions, onresumptiontoken).

  This fixes TS2420 errors for consumers using exactOptionalPropertyTypes: true without skipLibCheck, where the emitted .d.ts for implementing classes included | undefined but the interface did not.

  Workaround for older SDK versions: enable skipLibCheck: true in your tsconfig.

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

• #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all
  pnpm

• #1796 d6a02c8 Thanks @felixweinberger! - Ensure
  standardSchemaToJsonSchema emits type: "object" at the root, fixing discriminated-union tool/prompt schemas that previously produced {oneOf: [...]} without the MCP-required top-level type. Also throws a clear error when given an explicitly non-object schema (e.g.
  z.string()). Fixes registerTool() silently drops inputSchema for z.discriminatedUnion() — normalizeObjectSchema only passes z.object() #1643.

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

• #1762 64897f7 Thanks @felixweinberger! -
  ReadBuffer.readMessage() now silently skips non-JSON lines instead of throwing SyntaxError. This prevents noisy onerror callbacks when hot-reload tools (tsx, nodemon) write debug output like "Gracefully restarting..." to stdout. Lines that parse as JSON but fail JSONRPC
  schema validation still throw.

@modelcontextprotocol/test-integration@2.0.0-alpha.1

Patch Changes

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

[km-anthropic]

@claude review

[claude]

LGTM — standard Changesets automated release PR with only version bumps and generated changelogs.

Extended reasoning...

Overview

This is an automated PR generated by the Changesets release action. All 17 changed files are version bumps (2.0.0-alpha.0 → 2.0.0-alpha.1) in package.json files, newly generated CHANGELOG.md files, and an updated .changeset/pre.json with the accumulated changeset IDs. No production logic is modified.

Security Risks

None. The changes are purely metadata — version strings and changelog prose. No auth, crypto, or permission-sensitive code is touched.

Level of Scrutiny

Low. Automated release PRs of this kind are mechanical and deterministic; the Changesets tooling generates them from the changeset files already merged into main. The correct review focus is on the individual feature PRs whose changesets are being collected here, not on the release aggregation itself.

Other Factors

The bug report flags two pre-existing issues in test/integration/package.json (missing typecheck script causing pnpm check to fail, and residual npm run references) and in the express/fastify middleware packages. Both issues predate this PR and are not introduced or worsened by it. The inline comments will track them for follow-up. The affected packages are either private (test-integration) or the scripts-level inconsistency has no runtime impact on published artifacts.

[claude]

🟣 This is a pre-existing issue: test/integration/package.json defines a check script calling npm run typecheck but no typecheck script exists in that package, so pnpm check will fail with missing script: typecheck. Additionally, packages/middleware/express/package.json, packages/middleware/fastify/package.json, and test/integration/package.json still use npm run in scripts despite changeset #1534 claiming to remove npm references — with test/integration/package.json being especially inconsistent as it explicitly declares packageManager: pnpm@10.24.0. Both issues predate this version-bump PR.

Extended reasoning...

These are two related pre-existing issues that survive into this PR because the only change here is a version number bump.

Bug 1 – missing typecheck script causing check to always fail. In test/integration/package.json the check script is defined as npm run typecheck && npm run lint. The full scripts section in that file lists: lint, lint:fix, check, test, test:watch, start, server, client, test:integration:bun, test:integration:deno. There is no typecheck entry. Step-by-step: (1) a developer or CI job runs pnpm check in test/integration; (2) pnpm/npm tries to invoke the typecheck script; (3) it does not exist, so the process exits with ERR_PNPM_NO_SCRIPT Missing script: typecheck; (4) the lint step never runs. This is a real functional failure for anyone who calls pnpm check on this workspace member.

Bug 2 – npm run used in a pnpm workspace. PR #1534 (changeset 69a0626) is credited in the CHANGELOG of multiple packages with descriptions 'remove npm references, use pnpm' and 'clean up package manager usage, all pnpm'. Despite this, the following npm references remain in the modified files: packages/middleware/express/package.json prepack uses npm run build; packages/middleware/fastify/package.json prepack uses npm run build and check uses npm run typecheck && npm run lint; test/integration/package.json check uses npm run typecheck && npm run lint and start uses npm run server. The test/integration case is particularly glaring because that same file declares "packageManager": "pnpm@10.24.0". In practice npm run <script> in a pnpm workspace resolves local scripts correctly, so there is no runtime breakage beyond the missing typecheck already described — but it contradicts the stated intent of #1534 and the project convention enforced in CLAUDE.md.

Why the existing code does not prevent this. There is no CI lint rule checking for npm references in scripts, and changeset #1534 simply missed these files. The Changesets release bot that opened this PR performs no script-content validation.

Addressing the refutations. The refuting verifiers correctly note that this version-bump PR does not introduce either issue — both predated it. That is why the severity is pre_existing rather than normal. However the bugs are confirmed real: the check script in test/integration is broken today, and the npm/pnpm inconsistency contradicts the stated #1534 cleanup. Flagging them here ensures they are tracked and fixed before or alongside the release.

Fix. (1) Add "typecheck": "tsgo -p tsconfig.json --noEmit" (or equivalent) to test/integration/package.json scripts to unblock the check script. (2) Replace all npm run occurrences in scripts with pnpm run across packages/middleware/express/package.json, packages/middleware/fastify/package.json, and test/integration/package.json.

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1420

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1420

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1420

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@1420

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1420

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1420

commit: 2506841

[claude]

🟡 The newly-created packages/core/CHANGELOG.md incorrectly claims that changeset fcde488 dropped zod from peerDependencies, but packages/core/package.json still lists zod as a required (non-optional) peerDependency. Since core is private:true this has no npm consumer impact, but the CHANGELOG entry is factually wrong.

Extended reasoning...

What the bug is and how it manifests

Changeset fcde488 (Drop zod from peerDependencies) was applied to @modelcontextprotocol/client and @modelcontextprotocol/server - both correctly removed zod from their peerDependencies. However, the same changeset was also attributed to @modelcontextprotocol/core in the newly-generated packages/core/CHANGELOG.md, even though packages/core/package.json was never updated to match.

The specific code path that triggers it

In packages/core/package.json, zod remains in both peerDependencies and peerDependenciesMeta with optional:false. Meanwhile, packages/server/package.json and packages/client/package.json only have zod in dependencies, not peerDependencies, correctly reflecting the drop.

Why existing code does not prevent it

The Changesets release bot generates CHANGELOG entries automatically from the changeset files. Changeset drop-zod-peer-dep targeted @modelcontextprotocol/core (among other packages), causing the CHANGELOG entry to be generated - but core/package.json itself was never updated. There is no automated validation that CHANGELOG claims match actual package.json contents.

Step-by-step proof

1. packages/core/CHANGELOG.md (new file added in this PR) includes fcde488 under Patch Changes: Drop zod from peerDependencies (kept as direct dependency).
2. packages/core/package.json: peerDependencies still contains zod:catalog:runtimeShared and peerDependenciesMeta marks it optional:false.
3. packages/server/package.json: peerDependencies only contains @cfworker/json-schema; zod appears only in dependencies.
4. The CHANGELOG claim for core is factually incorrect - the drop never happened in core.

Impact

Because core is private:true, it is never published to npm and peerDependency declarations in private workspace packages are not enforced by package managers. There is zero runtime or consumer impact. The sole harm is that contributors reading the CHANGELOG will believe a change was made that was not.

How to fix

Either (a) remove zod from peerDependencies and peerDependenciesMeta in packages/core/package.json to match the CHANGELOG claim - consistent with stated intent since zod is already in dependencies and is an internal detail - or (b) remove the fcde488 entry from packages/core/CHANGELOG.md since the change was not applied there.

[claude]

🟡 Two pairs of duplicate changeset files cause each affected CHANGELOG to list the same change twice: funky-baths-attack.md and shy-times-learn.md both document PR #1419 (deprecated method removal) for the same 4 packages, and quick-islands-occur.md and rich-hounds-report.md both document PR #1534 (pnpm cleanup) for the same 6 packages. Before merging, delete one file from each duplicate pair (e.g. keep funky-baths-attack.md and quick-islands-occur.md).

Extended reasoning...

What the bug is and how it manifests

Two pairs of changeset files describe identical code changes, causing Changesets to generate two separate CHANGELOG bullet points for each pair. Pair 1: .changeset/funky-baths-attack.md and .changeset/shy-times-learn.md both target @modelcontextprotocol/server, @modelcontextprotocol/core, @modelcontextprotocol/node, and @modelcontextprotocol/test-integration with near-identical descriptions of the deprecated method removal from PR #1419. Pair 2: .changeset/quick-islands-occur.md and .changeset/rich-hounds-report.md both target @modelcontextprotocol/express, @modelcontextprotocol/hono, @modelcontextprotocol/node, @modelcontextprotocol/client, @modelcontextprotocol/server, and @modelcontextprotocol/core with near-identical pnpm-cleanup descriptions from PR #1534.

Step-by-step proof

In the newly-generated packages/server/CHANGELOG.md added by this PR:

1. Line 94–95: [#1419][dcf708d] remove deprecated .tool, .prompt, .resource method signatures (from funky-baths-attack.md)
2. Line 100–101: [#1534][69a0626] remove npm references, use pnpm (from quick-islands-occur.md)
3. Line 102–103: [#1534][69a0626] clean up package manager usage, all pnpm (from rich-hounds-report.md) — same PR, same commit, listed immediately after
4. Line 105–106: [#1419][dcf708d] deprecated .tool, .prompt, .resource method removal (from shy-times-learn.md) — same PR and commit as item 1, listed 11 lines later

The same pattern appears in packages/core/CHANGELOG.md, packages/middleware/node/CHANGELOG.md, packages/client/CHANGELOG.md, packages/middleware/express/CHANGELOG.md, packages/middleware/hono/CHANGELOG.md, and test/integration/CHANGELOG.md.

Why existing code does not prevent it

The Changesets release bot faithfully processes every .md file listed in .changeset/pre.json. All four duplicate files are listed there (funky-baths-attack, shy-times-learn, quick-islands-occur, rich-hounds-report). There is no deduplication logic — Changesets intentionally allows multiple changesets per PR to capture independent changes, and it has no way to know these describe the same change.

Impact

A developer upgrading from 2.0.0-alpha.0 to 2.0.0-alpha.1 and reading the CHANGELOG for @modelcontextprotocol/server will see what looks like two separate deprecation-removal passes and two separate pnpm-cleanup passes. The entries share the same PR number and commit hash, which is a clue, but many developers read only the description text. This could cause confusion about whether a second API change happened, leading to unnecessary investigation. The impact is limited to documentation clarity; there is no runtime or functional consequence.

Addressing the refutation

One verifier noted that bug_005 is a duplicate of bug_004 since both describe the same class of problem. This is accurate — they share the same root cause and the same affected files. The synthesis agent correctly merged them into a single report (merged_bug_004) covering both duplicate pairs. Reporting them as one issue avoids filing two comments for what is ultimately one cleanup task: delete one file from each of the two duplicate pairs.

How to fix

Delete one file from each duplicate pair before merging: remove either funky-baths-attack.md or shy-times-learn.md, and remove either quick-islands-occur.md or rich-hounds-report.md. Then update pre.json to remove the deleted filenames from the changesets array and regenerate the CHANGELOG files.