@ai-sdk/mcp 0.0.16 → 0.0.18

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @ai-sdk/mcp
 
+## 0.0.18
+
+### Patch Changes
+
+- 783fa6c: chore: ensure consistent import handling and avoid import duplicates or cycles
+- c327fb9: fix(mcp): prevent prototype pollution by using secureJsonParse
+- Updated dependencies [783fa6c]
+  - @ai-sdk/provider-utils@3.0.25
+  - @ai-sdk/provider@2.0.3
+
+## 0.0.17
+
+### Patch Changes
+
+- 0a00b9b: trigger release for all packages after provenance setup
+- Updated dependencies [0a00b9b]
+  - @ai-sdk/provider@2.0.2
+  - @ai-sdk/provider-utils@3.0.24
+
 ## 0.0.16
 
 ### Patch Changes

package/dist/index.js

@@ -39,7 +39,7 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/tool/mcp-client.ts
-var import_provider_utils3 = require("@ai-sdk/provider-utils");
+var import_provider_utils5 = require("@ai-sdk/provider-utils");
 
 // src/error/mcp-client-error.ts
 var import_provider = require("@ai-sdk/provider");
@@ -66,9 +66,10 @@ var MCPClientError = class extends (_b = import_provider.AISDKError, _a = symbol
 };
 
 // src/tool/mcp-sse-transport.ts
-var import_provider_utils = require("@ai-sdk/provider-utils");
+var import_provider_utils3 = require("@ai-sdk/provider-utils");
 
 // src/tool/json-rpc-message.ts
+var import_provider_utils = require("@ai-sdk/provider-utils");
 var import_v42 = require("zod/v4");
 
 // src/tool/types.ts
@@ -288,6 +289,9 @@ var JSONRPCMessageSchema = import_v42.z.union([
   JSONRPCResponseSchema,
   JSONRPCErrorSchema
 ]);
+async function parseJSONRPCMessage(text) {
+  return JSONRPCMessageSchema.parse(await (0, import_provider_utils.parseJSON)({ text }));
+}
 
 // src/version.ts
 var VERSION = typeof __PACKAGE_VERSION__ !== "undefined" ? __PACKAGE_VERSION__ : "0.0.0-test";
@@ -465,6 +469,7 @@ function checkResourceAllowed({
 }
 
 // src/tool/oauth.ts
+var import_provider_utils2 = require("@ai-sdk/provider-utils");
 var UnauthorizedError = class extends Error {
   constructor(message = "Unauthorized") {
     super(message);
@@ -743,7 +748,9 @@ async function parseErrorResponse(input) {
   const statusCode = input instanceof Response ? input.status : void 0;
   const body = input instanceof Response ? await input.text() : input;
   try {
-    const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+    const result = OAuthErrorResponseSchema.parse(
+      await (0, import_provider_utils2.parseJSON)({ text: body })
+    );
     const { error, error_description, error_uri } = result;
     const errorClass = OAUTH_ERRORS[error] || ServerError;
     return new errorClass({
@@ -1057,10 +1064,10 @@ var SseMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils.withUserAgentSuffix)(
+    return (0, import_provider_utils3.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils3.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1108,7 +1115,7 @@ var SseMCPTransport = class {
             (_d = this.onerror) == null ? void 0 : _d.call(this, error);
             return reject(error);
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils3.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
             var _a4, _b4, _c2;
@@ -1136,9 +1143,7 @@ var SseMCPTransport = class {
                   resolve();
                 } else if (event === "message") {
                   try {
-                    const message = JSONRPCMessageSchema.parse(
-                      JSON.parse(data)
-                    );
+                    const message = await parseJSONRPCMessage(data);
                     (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, message);
                   } catch (error) {
                     const e = new MCPClientError({
@@ -1235,7 +1240,7 @@ var SseMCPTransport = class {
 };
 
 // src/tool/mcp-http-transport.ts
-var import_provider_utils2 = require("@ai-sdk/provider-utils");
+var import_provider_utils4 = require("@ai-sdk/provider-utils");
 var HttpMCPTransport = class {
   constructor({
     url,
@@ -1268,10 +1273,10 @@ var HttpMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils2.withUserAgentSuffix)(
+    return (0, import_provider_utils4.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils2.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils4.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1369,7 +1374,7 @@ var HttpMCPTransport = class {
             (_e = this.onerror) == null ? void 0 : _e.call(this, error2);
             throw error2;
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
             var _a4, _b4, _c2;
@@ -1380,7 +1385,7 @@ var HttpMCPTransport = class {
                 const { event, data } = value;
                 if (event === "message") {
                   try {
-                    const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                    const msg = await parseJSONRPCMessage(data);
                     (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
                   } catch (error2) {
                     const e = new MCPClientError({
@@ -1491,7 +1496,7 @@ var HttpMCPTransport = class {
         (_d = this.onerror) == null ? void 0 : _d.call(this, error);
         return;
       }
-      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
       const reader = stream.getReader();
       const processEvents = async () => {
         var _a4, _b4, _c2, _d2;
@@ -1505,7 +1510,7 @@ var HttpMCPTransport = class {
             }
             if (event === "message") {
               try {
-                const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                const msg = await parseJSONRPCMessage(data);
                 (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
               } catch (error) {
                 const e = new MCPClientError({
@@ -1867,15 +1872,15 @@ var DefaultMCPClient = class {
           (_a4 = options == null ? void 0 : options.abortSignal) == null ? void 0 : _a4.throwIfAborted();
           return self.callTool({ name: name3, args, options });
         };
-        const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils3.dynamicTool)({
+        const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils5.dynamicTool)({
           description,
-          inputSchema: (0, import_provider_utils3.jsonSchema)({
+          inputSchema: (0, import_provider_utils5.jsonSchema)({
             ...inputSchema,
             properties: (_a3 = inputSchema.properties) != null ? _a3 : {},
             additionalProperties: false
           }),
           execute
-        }) : (0, import_provider_utils3.tool)({
+        }) : (0, import_provider_utils5.tool)({
           description,
           inputSchema: schemas[name3].inputSchema,
           execute