mcp-proxy 6.4.6 → 6.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +37 -1
  2. package/dist/bin/mcp-proxy.mjs +15 -1
  3. package/dist/bin/mcp-proxy.mjs.map +1 -1
  4. package/dist/index.mjs +1 -1
  5. package/dist/{stdio-BGZrO8Rz.mjs → stdio-DN-u_q7a.mjs} +5 -1
  6. package/dist/{stdio-BGZrO8Rz.mjs.map → stdio-DN-u_q7a.mjs.map} +1 -1
  7. package/jsr.json +1 -1
  8. package/package.json +1 -1
  9. package/src/bin/mcp-proxy.ts +23 -0
  10. package/src/startHTTPServer.ts +8 -1
package/jsr.json CHANGED
@@ -3,5 +3,5 @@
3
3
  "include": ["src/index.ts", "src/bin/mcp-proxy.ts"],
4
4
  "license": "MIT",
5
5
  "name": "@punkpeye/mcp-proxy",
6
- "version": "6.4.6"
6
+ "version": "6.5.1"
7
7
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mcp-proxy",
3
- "version": "6.4.6",
3
+ "version": "6.5.1",
4
4
  "main": "dist/index.mjs",
5
5
  "scripts": {
6
6
  "build": "tsdown",
package/src/bin/mcp-proxy.ts CHANGED
@@ -55,6 +55,12 @@ const argv = await yargs(hideBin(process.argv))
55
55
  "The timeout (in milliseconds) for initial connection to the MCP server (default: 60 seconds)",
56
56
  type: "number",
57
57
  },
58
+ corsAddAllowedHeader: {
59
+ array: true,
60
+ describe:
61
+ "Add a header name to Access-Control-Allow-Headers (defaults preserved). Repeat to add multiple, e.g. `--corsAddAllowedHeader X-API-Key`.",
62
+ type: "string",
63
+ },
58
64
  debug: {
59
65
  default: false,
60
66
  describe: "Enable debug logging",
@@ -137,6 +143,22 @@ const argv = await yargs(hideBin(process.argv))
137
143
  .help()
138
144
  .parseAsync();
139
145
 
146
+ // Default Access-Control-Allow-Headers list — must stay in sync with
147
+ // `defaultCorsOptions.allowedHeaders` in src/startHTTPServer.ts.
148
+ const DEFAULT_ALLOWED_HEADERS = [
149
+ "Content-Type",
150
+ "Authorization",
151
+ "Accept",
152
+ "Mcp-Session-Id",
153
+ "Mcp-Protocol-Version",
154
+ "Last-Event-Id",
155
+ ];
156
+
157
+ const corsOption =
158
+ argv.corsAddAllowedHeader && argv.corsAddAllowedHeader.length > 0
159
+ ? { allowedHeaders: [...DEFAULT_ALLOWED_HEADERS, ...argv.corsAddAllowedHeader] }
160
+ : undefined;
161
+
140
162
  // If -- separator was used, everything after -- is the command and its args
141
163
  const dashDashArgs = argv["--"] as string[] | undefined;
142
164
 
@@ -218,6 +240,7 @@ const proxy = async () => {
218
240
 
219
241
  const server = await startHTTPServer({
220
242
  apiKey: argv.apiKey,
243
+ cors: corsOption,
221
244
  createServer,
222
245
  eventStore: new InMemoryEventStore(),
223
246
  host: argv.host,
package/src/startHTTPServer.ts CHANGED
@@ -688,7 +688,14 @@ const handleStreamRequest = async <T extends ServerLike>({
688
688
  }
689
689
  | undefined = sessionId ? activeTransports[sessionId] : undefined;
690
690
 
691
- if (!sessionId) {
691
+ if (!sessionId) {
692
+ // Return METHOD_NOT_ALLOWED so stateless clients' transport stops reconnecting
693
+ if (stateless) {
694
+ res.writeHead(405, { Allow: "POST" }).end("Method Not Allowed");
695
+
696
+ return true;
697
+ }
698
+
692
699
  res.writeHead(400).end("No sessionId");
693
700
 
694
701
  return true;