Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@modelcontextprotocol/client@2.0.0

Patch Changes

• #1343 4b5fdcb Thanks @christso! - Fix OAuth error handling for servers
  returning errors with HTTP 200 status

  Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an error field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages.

• #1386 00249ce Thanks @PederHP! - Respect capability negotiation in list
  methods by returning empty lists when server lacks capability

  The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability:

  • listPrompts() returns { prompts: [] } if server lacks prompts capability

  • listResources() returns { resources: [] } if server lacks resources capability

  • listResourceTemplates() returns { resourceTemplates: [] } if server lacks resources capability

  • listTools() returns { tools: [] } if server lacks tools capability

    This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing enforceStrictCapabilities option continues to throw errors when set to true.

• #1279 71ae3ac Thanks @KKonstantinov! - Initial 2.0.0-alpha.0
  client and server package

@modelcontextprotocol/node@2.0.0

Patch Changes

• #1410 9296459 Thanks @mattzcarey! - Prevent Hono from overriding
  global Response object by passing overrideGlobalObjects: false to getRequestListener(). This fixes compatibility with frameworks like Next.js whose response classes extend the native Response.

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

• Updated dependencies [0a75810, 3466a9e,
  dcf708d, f66a55b,
  dcf708d, 71ae3ac]:

  • @modelcontextprotocol/server@2.0.0

@modelcontextprotocol/server@2.0.0

Patch Changes

• #1363 0a75810 Thanks @DevJanderson! - Fix ReDoS vulnerability in
  UriTemplate regex patterns (CVE-2026-0621)

• #1372 3466a9e Thanks @mattzcarey! - missing change for fix(client):
  replace body.cancel() with text() to prevent hanging

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1388 f66a55b Thanks @mattzcarey! - reverting application/json in
  notifications

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

• #1279 71ae3ac Thanks @KKonstantinov! - Initial 2.0.0-alpha.0
  client and server package

@modelcontextprotocol/core@2.0.0

Patch Changes

• #1363 0a75810 Thanks @DevJanderson! - Fix ReDoS vulnerability in
  UriTemplate regex patterns (CVE-2026-0621)

• #1486 65bbcea Thanks @localden! - Fix InMemoryTaskStore to enforce
  session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes.

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal

@modelcontextprotocol/test-integration@2.0.0

Patch Changes

• #1419 dcf708d Thanks @KKonstantinov! - remove deprecated .tool,
  .prompt, .resource method signatures

• #1419 dcf708d Thanks @KKonstantinov! - deprecated .tool, .prompt,
  .resource method removal