npm - @ai-sdk/mcp - Versions diffs - 2.0.0-beta.0 → 2.0.0-beta.10 - Mend

@ai-sdk/mcp 2.0.0-beta.0 → 2.0.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +78 -8
package/dist/index.d.mts +10 -0
package/dist/index.d.ts +10 -0
package/dist/index.js +33 -11
package/dist/index.js.map +1 -1
package/dist/index.mjs +30 -8
package/dist/index.mjs.map +1 -1
package/dist/mcp-stdio/index.js +3 -3
package/dist/mcp-stdio/index.js.map +1 -1
package/dist/mcp-stdio/index.mjs +1 -1
package/dist/mcp-stdio/index.mjs.map +1 -1
package/package.json +6 -8
package/src/tool/mcp-http-transport.ts +7 -0
package/src/tool/mcp-sse-transport.ts +6 -0
package/src/tool/mcp-transport.ts +8 -0
package/src/tool/mock-mcp-transport.ts +2 -1
package/src/tool/oauth.ts +17 -0
package/src/tool/types.ts +2 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,75 @@
 # @ai-sdk/mcp
+## 2.0.0-beta.10
+### Patch Changes
+- Updated dependencies [3887c70]
+  - @ai-sdk/provider-utils@5.0.0-beta.6
+  - @ai-sdk/provider@4.0.0-beta.4
+## 2.0.0-beta.9
+### Patch Changes
+- Updated dependencies [776b617]
+  - @ai-sdk/provider-utils@5.0.0-beta.5
+  - @ai-sdk/provider@4.0.0-beta.3
+## 2.0.0-beta.8
+### Patch Changes
+- Updated dependencies [61753c3]
+  - @ai-sdk/provider-utils@5.0.0-beta.4
+## 2.0.0-beta.7
+### Major Changes
+- 23fa161: fix(mcp): setting redirect: error for MCP transport
+## 2.0.0-beta.6
+### Patch Changes
+- 58c9eb1: feat(mcp): add `redirect` option to `MCPTransportConfig` for controlling HTTP redirect behavior
+## 2.0.0-beta.5
+### Patch Changes
+- Updated dependencies [f7d4f01]
+  - @ai-sdk/provider-utils@5.0.0-beta.3
+  - @ai-sdk/provider@4.0.0-beta.2
+## 2.0.0-beta.4
+### Patch Changes
+- Updated dependencies [5c2a5a2]
+  - @ai-sdk/provider@4.0.0-beta.1
+  - @ai-sdk/provider-utils@5.0.0-beta.2
+## 2.0.0-beta.3
+### Patch Changes
+- b9b3899: fix(mcp): validate state param in oauth flow
+## 2.0.0-beta.2
+### Patch Changes
+- 9ecd8ae: fix(mcp): add MCP protocol version 2025-11-25 to supported versions
+## 2.0.0-beta.1
+### Patch Changes
+- Updated dependencies [531251e]
+  - @ai-sdk/provider-utils@5.0.0-beta.1
 ## 2.0.0-beta.0
 ### Major Changes
@@ -200,15 +270,15 @@
   This change replaces
   ```ts
-  import { experimental_createMCPClient } from 'ai';
-  import { Experimental_StdioMCPTransport } from 'ai/mcp-stdio';
+  import { experimental_createMCPClient } from "ai";
+  import { Experimental_StdioMCPTransport } from "ai/mcp-stdio";
   ```
   with
   ```ts
-  import { experimental_createMCPClient } from '@ai-sdk/mcp';
-  import { Experimental_StdioMCPTransport } from '@ai-sdk/mcp/mcp-stdio';
+  import { experimental_createMCPClient } from "@ai-sdk/mcp";
+  import { Experimental_StdioMCPTransport } from "@ai-sdk/mcp/mcp-stdio";
   ```
 ### Patch Changes
@@ -574,13 +644,13 @@
   This change replaces
   ```ts
-  import { experimental_createMCPClient } from 'ai';
-  import { Experimental_StdioMCPTransport } from 'ai/mcp-stdio';
+  import { experimental_createMCPClient } from "ai";
+  import { Experimental_StdioMCPTransport } from "ai/mcp-stdio";
   ```
   with
   ```ts
-  import { experimental_createMCPClient } from '@ai-sdk/mcp';
-  import { Experimental_StdioMCPTransport } from '@ai-sdk/mcp/mcp-stdio';
+  import { experimental_createMCPClient } from "@ai-sdk/mcp";
+  import { Experimental_StdioMCPTransport } from "@ai-sdk/mcp/mcp-stdio";
   ```

package/dist/index.d.mts CHANGED Viewed

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;
@@ -240,6 +243,13 @@ type MCPTransportConfig = {
      * An optional OAuth client provider to use for authentication for MCP servers.
      */
     authProvider?: OAuthClientProvider;
+    /**
+     * Controls how HTTP redirects are handled for transport requests.
+     * - `'follow'`: Follow redirects automatically (standard fetch behavior).
+     * - `'error'`: Reject any redirect response with an error.
+     * @default 'error'
+     */
+    redirect?: 'follow' | 'error';
 };
 /** MCP tool metadata - keys should follow MCP _meta key format specification */

package/dist/index.d.ts CHANGED Viewed

@@ -182,6 +182,8 @@ interface OAuthClientProvider {
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
     state?(): string | Promise<string>;
+    saveState?(state: string): void | Promise<void>;
+    storedState?(): string | undefined | Promise<string | undefined>;
     validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>;
 }
 declare class UnauthorizedError extends Error {
@@ -190,6 +192,7 @@ declare class UnauthorizedError extends Error {
 declare function auth(provider: OAuthClientProvider, options: {
     serverUrl: string | URL;
     authorizationCode?: string;
+    callbackState?: string;
     scope?: string;
     resourceMetadataUrl?: URL;
     fetchFn?: FetchFunction;
@@ -240,6 +243,13 @@ type MCPTransportConfig = {
      * An optional OAuth client provider to use for authentication for MCP servers.
      */
     authProvider?: OAuthClientProvider;
+    /**
+     * Controls how HTTP redirects are handled for transport requests.
+     * - `'follow'`: Follow redirects automatically (standard fetch behavior).
+     * - `'error'`: Reject any redirect response with an error.
+     * @default 'error'
+     */
+    redirect?: 'follow' | 'error';
 };
 /** MCP tool metadata - keys should follow MCP _meta key format specification */

package/dist/index.js CHANGED Viewed

@@ -28,8 +28,8 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 // src/index.ts
-var src_exports = {};
-__export(src_exports, {
+var index_exports = {};
+__export(index_exports, {
   ElicitResultSchema: () => ElicitResultSchema,
   ElicitationRequestSchema: () => ElicitationRequestSchema,
   UnauthorizedError: () => UnauthorizedError,
@@ -37,7 +37,7 @@ __export(src_exports, {
   createMCPClient: () => createMCPClient,
   experimental_createMCPClient: () => createMCPClient
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(index_exports);
 // src/tool/mcp-client.ts
 var import_provider_utils3 = require("@ai-sdk/provider-utils");
@@ -74,9 +74,10 @@ var import_v42 = require("zod/v4");
 // src/tool/types.ts
 var import_v4 = require("zod/v4");
-var LATEST_PROTOCOL_VERSION = "2025-06-18";
+var LATEST_PROTOCOL_VERSION = "2025-11-25";
 var SUPPORTED_PROTOCOL_VERSIONS = [
   LATEST_PROTOCOL_VERSION,
+  "2025-06-18",
   "2025-03-26",
   "2024-11-05"
 ];
@@ -948,6 +949,7 @@ async function selectResourceURL(serverUrl, provider, resourceMetadata) {
 async function authInternal(provider, {
   serverUrl,
   authorizationCode,
+  callbackState,
   scope,
   resourceMetadataUrl,
   fetchFn
@@ -1000,6 +1002,14 @@ async function authInternal(provider, {
     clientInformation = fullInformation;
   }
   if (authorizationCode !== void 0) {
+    if (provider.storedState) {
+      const expectedState = await provider.storedState();
+      if (expectedState !== void 0 && expectedState !== callbackState) {
+        throw new Error(
+          "OAuth state parameter mismatch - possible CSRF attack"
+        );
+      }
+    }
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1038,6 +1048,9 @@ async function authInternal(provider, {
     }
   }
   const state = provider.state ? await provider.state() : void 0;
+  if (state && provider.saveState) {
+    await provider.saveState(state);
+  }
   const { authorizationUrl, codeVerifier } = await startAuthorization(
     authorizationServerUrl,
     {
@@ -1059,12 +1072,14 @@ var SseMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "error"
   }) {
     this.connected = false;
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1098,7 +1113,8 @@ var SseMCPTransport = class {
           });
           const response = await fetch(this.url.href, {
             headers,
-            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+            signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+            redirect: this.redirectMode
           });
           if (response.status === 401 && this.authProvider && !triedAuth) {
             this.resourceMetadataUrl = extractResourceMetadataUrl(response);
@@ -1217,7 +1233,8 @@ var SseMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
         const response = await fetch(endpoint, init);
         if (response.status === 401 && this.authProvider && !triedAuth) {
@@ -1261,7 +1278,8 @@ var HttpMCPTransport = class {
   constructor({
     url,
     headers,
-    authProvider
+    authProvider,
+    redirect = "error"
   }) {
     this.inboundReconnectAttempts = 0;
     this.reconnectionOptions = {
@@ -1273,6 +1291,7 @@ var HttpMCPTransport = class {
     this.url = new URL(url);
     this.headers = headers;
     this.authProvider = authProvider;
+    this.redirectMode = redirect;
   }
   async commonHeaders(base) {
     const headers = {
@@ -1313,7 +1332,8 @@ var HttpMCPTransport = class {
         await fetch(this.url, {
           method: "DELETE",
           headers,
-          signal: this.abortController.signal
+          signal: this.abortController.signal,
+          redirect: this.redirectMode
         }).catch(() => void 0);
       }
     } catch (e) {
@@ -1333,7 +1353,8 @@ var HttpMCPTransport = class {
           method: "POST",
           headers,
           body: JSON.stringify(message),
-          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+          signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+          redirect: this.redirectMode
         };
         const response = await fetch(this.url, init);
         const sessionId = response.headers.get("mcp-session-id");
@@ -1482,7 +1503,8 @@ var HttpMCPTransport = class {
       const response = await fetch(this.url.href, {
         method: "GET",
         headers,
-        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal
+        signal: (_a3 = this.abortController) == null ? void 0 : _a3.signal,
+        redirect: this.redirectMode
       });
       const sessionId = response.headers.get("mcp-session-id");
       if (sessionId) {