@ai-sdk/mcp 0.0.17 → 0.0.19

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @ai-sdk/mcp
 
+## 0.0.19
+
+### Patch Changes
+
+- d872a7a: fix(mcp): lock first sse endpoint received via event
+- f4cd468: fix(mcp): prevent prototype-named tools from bypassing the `schemas` allowlist
+
+  When using `client.tools({ schemas })` to expose only an explicitly allowed
+  subset of an MCP server's tools, the allowlist check used the `in` operator,
+  which also matches inherited `Object.prototype` properties. A server-advertised
+  tool named `constructor`, `toString`, `__proto__`, etc. would pass the check
+  even though the developer never defined it in `schemas`, and was then exposed to
+  the model and executable. The check now uses `Object.hasOwn`, so only
+  explicitly defined tools are returned.
+
+- Updated dependencies [9f67efe]
+- Updated dependencies [eea9166]
+  - @ai-sdk/provider-utils@3.0.26
+
+## 0.0.18
+
+### Patch Changes
+
+- 783fa6c: chore: ensure consistent import handling and avoid import duplicates or cycles
+- c327fb9: fix(mcp): prevent prototype pollution by using secureJsonParse
+- Updated dependencies [783fa6c]
+  - @ai-sdk/provider-utils@3.0.25
+  - @ai-sdk/provider@2.0.3
+
 ## 0.0.17
 
 ### Patch Changes

package/dist/index.js

@@ -39,7 +39,7 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/tool/mcp-client.ts
-var import_provider_utils3 = require("@ai-sdk/provider-utils");
+var import_provider_utils5 = require("@ai-sdk/provider-utils");
 
 // src/error/mcp-client-error.ts
 var import_provider = require("@ai-sdk/provider");
@@ -66,9 +66,10 @@ var MCPClientError = class extends (_b = import_provider.AISDKError, _a = symbol
 };
 
 // src/tool/mcp-sse-transport.ts
-var import_provider_utils = require("@ai-sdk/provider-utils");
+var import_provider_utils3 = require("@ai-sdk/provider-utils");
 
 // src/tool/json-rpc-message.ts
+var import_provider_utils = require("@ai-sdk/provider-utils");
 var import_v42 = require("zod/v4");
 
 // src/tool/types.ts
@@ -288,6 +289,9 @@ var JSONRPCMessageSchema = import_v42.z.union([
   JSONRPCResponseSchema,
   JSONRPCErrorSchema
 ]);
+async function parseJSONRPCMessage(text) {
+  return JSONRPCMessageSchema.parse(await (0, import_provider_utils.parseJSON)({ text }));
+}
 
 // src/version.ts
 var VERSION = typeof __PACKAGE_VERSION__ !== "undefined" ? __PACKAGE_VERSION__ : "0.0.0-test";
@@ -465,6 +469,7 @@ function checkResourceAllowed({
 }
 
 // src/tool/oauth.ts
+var import_provider_utils2 = require("@ai-sdk/provider-utils");
 var UnauthorizedError = class extends Error {
   constructor(message = "Unauthorized") {
     super(message);
@@ -743,7 +748,9 @@ async function parseErrorResponse(input) {
   const statusCode = input instanceof Response ? input.status : void 0;
   const body = input instanceof Response ? await input.text() : input;
   try {
-    const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+    const result = OAuthErrorResponseSchema.parse(
+      await (0, import_provider_utils2.parseJSON)({ text: body })
+    );
     const { error, error_description, error_uri } = result;
     const errorClass = OAUTH_ERRORS[error] || ServerError;
     return new errorClass({
@@ -1057,10 +1064,10 @@ var SseMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils.withUserAgentSuffix)(
+    return (0, import_provider_utils3.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils3.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1108,10 +1115,10 @@ var SseMCPTransport = class {
             (_d = this.onerror) == null ? void 0 : _d.call(this, error);
             return reject(error);
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils3.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
-            var _a4, _b4, _c2;
+            var _a4, _b4, _c2, _d2, _e2;
             try {
               while (true) {
                 const { done, value } = await reader.read();
@@ -1126,26 +1133,32 @@ var SseMCPTransport = class {
                 }
                 const { event, data } = value;
                 if (event === "endpoint") {
-                  this.endpoint = new URL(data, this.url);
-                  if (this.endpoint.origin !== this.url.origin) {
+                  if (this.endpoint) {
+                    continue;
+                  }
+                  const endpoint = new URL(data, this.url);
+                  if (endpoint.origin !== this.url.origin) {
+                    this.connected = false;
+                    this.endpoint = void 0;
+                    (_a4 = this.sseConnection) == null ? void 0 : _a4.close();
+                    (_b4 = this.abortController) == null ? void 0 : _b4.abort();
                     throw new MCPClientError({
-                      message: `MCP SSE Transport Error: Endpoint origin does not match connection origin: ${this.endpoint.origin}`
+                      message: `MCP SSE Transport Error: Endpoint origin does not match connection origin: ${endpoint.origin}`
                     });
                   }
+                  this.endpoint = endpoint;
                   this.connected = true;
                   resolve();
                 } else if (event === "message") {
                   try {
-                    const message = JSONRPCMessageSchema.parse(
-                      JSON.parse(data)
-                    );
-                    (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, message);
+                    const message = await parseJSONRPCMessage(data);
+                    (_c2 = this.onmessage) == null ? void 0 : _c2.call(this, message);
                   } catch (error) {
                     const e = new MCPClientError({
                       message: "MCP SSE Transport Error: Failed to parse message",
                       cause: error
                     });
-                    (_b4 = this.onerror) == null ? void 0 : _b4.call(this, e);
+                    (_d2 = this.onerror) == null ? void 0 : _d2.call(this, e);
                   }
                 }
               }
@@ -1153,7 +1166,7 @@ var SseMCPTransport = class {
               if (error instanceof Error && error.name === "AbortError") {
                 return;
               }
-              (_c2 = this.onerror) == null ? void 0 : _c2.call(this, error);
+              (_e2 = this.onerror) == null ? void 0 : _e2.call(this, error);
               reject(error);
             }
           };
@@ -1175,6 +1188,7 @@ var SseMCPTransport = class {
   async close() {
     var _a3, _b3, _c;
     this.connected = false;
+    this.endpoint = void 0;
     (_a3 = this.sseConnection) == null ? void 0 : _a3.close();
     (_b3 = this.abortController) == null ? void 0 : _b3.abort();
     (_c = this.onclose) == null ? void 0 : _c.call(this);
@@ -1235,7 +1249,7 @@ var SseMCPTransport = class {
 };
 
 // src/tool/mcp-http-transport.ts
-var import_provider_utils2 = require("@ai-sdk/provider-utils");
+var import_provider_utils4 = require("@ai-sdk/provider-utils");
 var HttpMCPTransport = class {
   constructor({
     url,
@@ -1268,10 +1282,10 @@ var HttpMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils2.withUserAgentSuffix)(
+    return (0, import_provider_utils4.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils2.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils4.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1369,7 +1383,7 @@ var HttpMCPTransport = class {
             (_e = this.onerror) == null ? void 0 : _e.call(this, error2);
             throw error2;
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
             var _a4, _b4, _c2;
@@ -1380,7 +1394,7 @@ var HttpMCPTransport = class {
                 const { event, data } = value;
                 if (event === "message") {
                   try {
-                    const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                    const msg = await parseJSONRPCMessage(data);
                     (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
                   } catch (error2) {
                     const e = new MCPClientError({
@@ -1491,7 +1505,7 @@ var HttpMCPTransport = class {
         (_d = this.onerror) == null ? void 0 : _d.call(this, error);
         return;
       }
-      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
       const reader = stream.getReader();
       const processEvents = async () => {
         var _a4, _b4, _c2, _d2;
@@ -1505,7 +1519,7 @@ var HttpMCPTransport = class {
             }
             if (event === "message") {
               try {
-                const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                const msg = await parseJSONRPCMessage(data);
                 (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
               } catch (error) {
                 const e = new MCPClientError({
@@ -1858,7 +1872,7 @@ var DefaultMCPClient = class {
     try {
       const listToolsResult = await this.listTools();
       for (const { name: name3, description, inputSchema } of listToolsResult.tools) {
-        if (schemas !== "automatic" && !(name3 in schemas)) {
+        if (schemas !== "automatic" && !Object.prototype.hasOwnProperty.call(schemas, name3)) {
           continue;
         }
         const self = this;
@@ -1867,15 +1881,15 @@ var DefaultMCPClient = class {
           (_a4 = options == null ? void 0 : options.abortSignal) == null ? void 0 : _a4.throwIfAborted();
           return self.callTool({ name: name3, args, options });
         };
-        const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils3.dynamicTool)({
+        const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils5.dynamicTool)({
           description,
-          inputSchema: (0, import_provider_utils3.jsonSchema)({
+          inputSchema: (0, import_provider_utils5.jsonSchema)({
             ...inputSchema,
             properties: (_a3 = inputSchema.properties) != null ? _a3 : {},
             additionalProperties: false
           }),
           execute
-        }) : (0, import_provider_utils3.tool)({
+        }) : (0, import_provider_utils5.tool)({
           description,
           inputSchema: schemas[name3].inputSchema,
           execute