npm - @ai-sdk/mcp - Versions diffs - 1.0.37 → 1.0.38 - Mend

@ai-sdk/mcp 1.0.37 → 1.0.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/CHANGELOG.md +10 -0
package/dist/index.js +27 -22
package/dist/index.js.map +1 -1
package/dist/index.mjs +11 -6
package/dist/index.mjs.map +1 -1
package/dist/mcp-stdio/index.js +15 -10
package/dist/mcp-stdio/index.js.map +1 -1
package/dist/mcp-stdio/index.mjs +15 -10
package/dist/mcp-stdio/index.mjs.map +1 -1
package/package.json +4 -4
package/src/tool/json-rpc-message.ts +7 -0
package/src/tool/mcp-client.ts +29 -29
package/src/tool/mcp-http-transport.ts +10 -6
package/src/tool/mcp-sse-transport.ts +9 -9
package/src/tool/mcp-stdio/create-child-process.ts +2 -2
package/src/tool/mcp-stdio/mcp-stdio-transport.ts +17 -14
package/src/tool/mcp-transport.ts +3 -3
package/src/tool/mock-mcp-transport.ts +6 -6
package/src/tool/oauth.ts +10 -8
package/src/tool/types.ts +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 # @ai-sdk/mcp
+## 1.0.38
+### Patch Changes
+- a727da4: chore: ensure consistent import handling and avoid import duplicates or cycles
+- 5fee301: fix(mcp): prevent prototype pollution by using secureJsonParse
+- Updated dependencies [a727da4]
+  - @ai-sdk/provider-utils@4.0.25
+  - @ai-sdk/provider@3.0.10
 ## 1.0.37
 ### Patch Changes

package/dist/index.js CHANGED Viewed

@@ -40,7 +40,7 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 // src/tool/mcp-client.ts
-var import_provider_utils3 = require("@ai-sdk/provider-utils");
+var import_provider_utils5 = require("@ai-sdk/provider-utils");
 // src/error/mcp-client-error.ts
 var import_provider = require("@ai-sdk/provider");
@@ -67,9 +67,10 @@ var MCPClientError = class extends (_b = import_provider.AISDKError, _a = symbol
 };
 // src/tool/mcp-sse-transport.ts
-var import_provider_utils = require("@ai-sdk/provider-utils");
+var import_provider_utils3 = require("@ai-sdk/provider-utils");
 // src/tool/json-rpc-message.ts
+var import_provider_utils = require("@ai-sdk/provider-utils");
 var import_v42 = require("zod/v4");
 // src/tool/types.ts
@@ -310,6 +311,9 @@ var JSONRPCMessageSchema = import_v42.z.union([
   JSONRPCResponseSchema,
   JSONRPCErrorSchema
 ]);
+async function parseJSONRPCMessage(text) {
+  return JSONRPCMessageSchema.parse(await (0, import_provider_utils.parseJSON)({ text }));
+}
 // src/version.ts
 var VERSION = typeof __PACKAGE_VERSION__ !== "undefined" ? __PACKAGE_VERSION__ : "0.0.0-test";
@@ -494,6 +498,7 @@ function checkResourceAllowed({
 }
 // src/tool/oauth.ts
+var import_provider_utils2 = require("@ai-sdk/provider-utils");
 var UnauthorizedError = class extends Error {
   constructor(message = "Unauthorized") {
     super(message);
@@ -775,7 +780,9 @@ async function parseErrorResponse(input) {
   const statusCode = input instanceof Response ? input.status : void 0;
   const body = input instanceof Response ? await input.text() : input;
   try {
-    const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+    const result = OAuthErrorResponseSchema.parse(
+      await (0, import_provider_utils2.parseJSON)({ text: body })
+    );
     const { error, error_description, error_uri } = result;
     const errorClass = OAUTH_ERRORS[error] || ServerError;
     return new errorClass({
@@ -1106,10 +1113,10 @@ var SseMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils.withUserAgentSuffix)(
+    return (0, import_provider_utils3.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils3.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1159,7 +1166,7 @@ var SseMCPTransport = class {
             (_d = this.onerror) == null ? void 0 : _d.call(this, error);
             return reject(error);
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils3.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
             var _a4, _b4, _c2;
@@ -1187,9 +1194,7 @@ var SseMCPTransport = class {
                   resolve();
                 } else if (event === "message") {
                   try {
-                    const message = JSONRPCMessageSchema.parse(
-                      JSON.parse(data)
-                    );
+                    const message = await parseJSONRPCMessage(data);
                     (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, message);
                   } catch (error) {
                     const e = new MCPClientError({
@@ -1288,7 +1293,7 @@ var SseMCPTransport = class {
 };
 // src/tool/mcp-http-transport.ts
-var import_provider_utils2 = require("@ai-sdk/provider-utils");
+var import_provider_utils4 = require("@ai-sdk/provider-utils");
 var HttpMCPTransport = class {
   constructor({
     url,
@@ -1325,10 +1330,10 @@ var HttpMCPTransport = class {
         headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
-    return (0, import_provider_utils2.withUserAgentSuffix)(
+    return (0, import_provider_utils4.withUserAgentSuffix)(
       headers,
       `ai-sdk/${VERSION}`,
-      (0, import_provider_utils2.getRuntimeEnvironmentUserAgent)()
+      (0, import_provider_utils4.getRuntimeEnvironmentUserAgent)()
     );
   }
   async start() {
@@ -1433,7 +1438,7 @@ var HttpMCPTransport = class {
             (_e = this.onerror) == null ? void 0 : _e.call(this, error2);
             throw error2;
           }
-          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+          const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
           const reader = stream.getReader();
           const processEvents = async () => {
             var _a4, _b4, _c2;
@@ -1444,7 +1449,7 @@ var HttpMCPTransport = class {
                 const { event, data } = value;
                 if (event === "message") {
                   try {
-                    const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                    const msg = await parseJSONRPCMessage(data);
                     (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
                   } catch (error2) {
                     const e = new MCPClientError({
@@ -1557,7 +1562,7 @@ var HttpMCPTransport = class {
         (_d = this.onerror) == null ? void 0 : _d.call(this, error);
         return;
       }
-      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils2.EventSourceParserStream());
+      const stream = response.body.pipeThrough(new TextDecoderStream()).pipeThrough(new import_provider_utils4.EventSourceParserStream());
       const reader = stream.getReader();
       const processEvents = async () => {
         var _a4, _b4, _c2, _d2;
@@ -1571,7 +1576,7 @@ var HttpMCPTransport = class {
             }
             if (event === "message") {
               try {
-                const msg = JSONRPCMessageSchema.parse(JSON.parse(data));
+                const msg = await parseJSONRPCMessage(data);
                 (_a4 = this.onmessage) == null ? void 0 : _a4.call(this, msg);
               } catch (error) {
                 const e = new MCPClientError({
@@ -1982,17 +1987,17 @@ var DefaultMCPClient = class {
         }
         return result;
       };
-      const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils3.dynamicTool)({
+      const toolWithExecute = schemas === "automatic" ? (0, import_provider_utils5.dynamicTool)({
         description,
         title: resolvedTitle,
-        inputSchema: (0, import_provider_utils3.jsonSchema)({
+        inputSchema: (0, import_provider_utils5.jsonSchema)({
           ...inputSchema,
           properties: (_b3 = inputSchema.properties) != null ? _b3 : {},
           additionalProperties: false
         }),
         execute,
         toModelOutput: mcpToModelOutput
-      }) : (0, import_provider_utils3.tool)({
+      }) : (0, import_provider_utils5.tool)({
         description,
         title: resolvedTitle,
         inputSchema: schemas[name3].inputSchema,
@@ -2009,9 +2014,9 @@ var DefaultMCPClient = class {
    */
   async extractStructuredContent(result, outputSchema, toolName) {
     if ("structuredContent" in result && result.structuredContent != null) {
-      const validationResult = await (0, import_provider_utils3.safeValidateTypes)({
+      const validationResult = await (0, import_provider_utils5.safeValidateTypes)({
         value: result.structuredContent,
-        schema: (0, import_provider_utils3.asSchema)(outputSchema)
+        schema: (0, import_provider_utils5.asSchema)(outputSchema)
       });
       if (!validationResult.success) {
         throw new MCPClientError({
@@ -2024,7 +2029,7 @@ var DefaultMCPClient = class {
     if ("content" in result && Array.isArray(result.content)) {
       const textContent = result.content.find((c) => c.type === "text");
       if (textContent && "text" in textContent) {
-        const parseResult = await (0, import_provider_utils3.safeParseJSON)({
+        const parseResult = await (0, import_provider_utils5.safeParseJSON)({
           text: textContent.text,
           schema: outputSchema
         });