npm - mcp-proxy - Versions diffs - 6.4.6 → 6.5.1 - Mend

mcp-proxy 6.4.6 → 6.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +37 -1
package/dist/bin/mcp-proxy.mjs +15 -1
package/dist/bin/mcp-proxy.mjs.map +1 -1
package/dist/index.mjs +1 -1
package/dist/{stdio-BGZrO8Rz.mjs → stdio-DN-u_q7a.mjs} +5 -1
package/dist/{stdio-BGZrO8Rz.mjs.map → stdio-DN-u_q7a.mjs.map} +1 -1
package/jsr.json +1 -1
package/package.json +1 -1
package/src/bin/mcp-proxy.ts +23 -0
package/src/startHTTPServer.ts +8 -1

package/README.md CHANGED Viewed

@@ -62,6 +62,25 @@ options:
 - `--sslKey`: Private keys filename in PEM format
 - `--tunnel`: Expose the proxy via a public tunnel (see [Public Tunnel](#public-tunnel))
 - `--tunnelSubdomain`: Request a specific subdomain for the tunnel (availability not guaranteed)
+- `--corsAddAllowedHeader`: Add a header name to `Access-Control-Allow-Headers` (defaults preserved). Repeat to add multiple. Useful when running with `--apiKey` so browser preflights for `X-API-Key` succeed.
+### Troubleshooting Python stdio servers
+If a Python stdio MCP server times out with an error such as `Expected server to respond to ping`, make sure Python is running in unbuffered mode. Buffered stdout can delay MCP JSON-RPC messages long enough for the proxy to treat the server as unresponsive.
+Use `python -u` when launching the server:
+```bash
+npx mcp-proxy -- python -u -m your_package.mcp_server
+```
+Alternatively, set `PYTHONUNBUFFERED=1`:
+```bash
+PYTHONUNBUFFERED=1 npx mcp-proxy -- python -m your_package.mcp_server
+```
+MCP stdio servers should also reserve stdout for protocol messages. Send logs, warnings, and other diagnostic output to stderr, and use `--debug` when you need proxy-side logs.
 ### Public Tunnel
@@ -84,7 +103,7 @@ tunnel established at https://abcdefghij.tunnel.gla.ma
 > [!NOTE]
 > The requested subdomain may not be available. The actual URL will be displayed when the tunnel is established.
-This feature is powered by [pipenet](https://github.com/AugmentHQ/pipenet) and sponsored by [glama.ai](https://glama.ai). For more information, see the [pipenet announcement](https://glama.ai/blog/2026-01-19-pipenet).
+This feature is powered by [pipenet](https://github.com/punkpeye/pipenet) and sponsored by [glama.ai](https://glama.ai). For more information, see the [pipenet announcement](https://glama.ai/blog/2026-01-19-pipenet).
 ### Stateless Mode
@@ -318,6 +337,23 @@ await startHTTPServer({
 });
 ```
+#### CLI: adding allowed headers
+The CLI exposes a single `--corsAddAllowedHeader` flag that appends to the
+default `Access-Control-Allow-Headers` list (defaults preserved). The most
+common use is unblocking the browser preflight for a custom auth header when
+the proxy is started with `--apiKey`:
+```bash
+npx mcp-proxy --port 8080 --apiKey secret \
+  --corsAddAllowedHeader X-API-Key \
+  -- npx -y @modelcontextprotocol/server-filesystem /srv
+```
+Repeat the flag to add more (`--corsAddAllowedHeader X-API-Key --corsAddAllowedHeader X-Other`).
+For broader CORS overrides (origin allowlist, wildcard headers, disabling CORS),
+use the programmatic `cors` option below.
 #### Migration from Older Versions
 If you were using mcp-proxy 5.5.6 and want the same permissive behavior in 5.9.0+:

package/dist/bin/mcp-proxy.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { D as __toESM, E as __commonJSMin, a as startHTTPServer, i as Client, n as serializeMessage, o as proxyServer, r as Server, t as ReadBuffer, w as InMemoryEventStore } from "../stdio-BGZrO8Rz.mjs";
+import { D as __toESM, E as __commonJSMin, a as startHTTPServer, i as Client, n as serializeMessage, o as proxyServer, r as Server, t as ReadBuffer, w as InMemoryEventStore } from "../stdio-DN-u_q7a.mjs";
 import { createRequire } from "node:module";
 import { basename, dirname, extname, join, normalize, relative, resolve } from "path";
 import { format, inspect } from "util";
@@ -5053,6 +5053,11 @@ const argv = await yargs_default(hideBin(process.argv)).scriptName("mcp-proxy").
 		describe: "The timeout (in milliseconds) for initial connection to the MCP server (default: 60 seconds)",
 		type: "number"
 	},
+	corsAddAllowedHeader: {
+		array: true,
+		describe: "Add a header name to Access-Control-Allow-Headers (defaults preserved). Repeat to add multiple, e.g. `--corsAddAllowedHeader X-API-Key`.",
+		type: "string"
+	},
 	debug: {
 		default: false,
 		describe: "Enable debug logging",
@@ -5129,6 +5134,14 @@ const argv = await yargs_default(hideBin(process.argv)).scriptName("mcp-proxy").
 		type: "string"
 	}
 }).help().parseAsync();
+const corsOption = argv.corsAddAllowedHeader && argv.corsAddAllowedHeader.length > 0 ? { allowedHeaders: [...[
+	"Content-Type",
+	"Authorization",
+	"Accept",
+	"Mcp-Session-Id",
+	"Mcp-Protocol-Version",
+	"Last-Event-Id"
+], ...argv.corsAddAllowedHeader] } : void 0;
 const dashDashArgs = argv["--"];
 let finalCommand;
 let finalArgs;
@@ -5180,6 +5193,7 @@ const proxy = async () => {
 	};
 	const server = await startHTTPServer({
 		apiKey: argv.apiKey,
+		cors: corsOption,
 		createServer,
 		eventStore: new InMemoryEventStore(),
 		host: argv.host,