What's Changed

• mcp: update SDK for SEP 973 + add to example server by @jesselumarie in #904
• feat: add _meta field support to tool definitions by @knguyen-figma in #922
• Fix automatic log level handling for sessionless connections by @cliffhall in #917
• ignore icons for now by @ihrpr in #938

New Contributors 🙏

• @jesselumarie made their first contribution in #904
• @knguyen-figma made their first contribution in #922

Full Changelog: 1.17.5...1.18.0

What's Changed

• Automatic handling of logging level by @cliffhall in #882
• Fix the SDK vs Spec types test that is breaking CI by @cliffhall in #908

Full Changelog: 1.17.4...1.17.5

What's Changed

• feature(middleware): Composable fetch middleware for auth and cross‑cutting concerns by @m-paternostro in #485
• restrict url schemes allowed in oauth metadata by @pcarleton in #877
• [auth] OAuth protected-resource-metadata: fallback on 4xx not just 404 by @pcarleton in #879
• chore: bump version to 1.17.4 by @felixweinberger in #894

Full Changelog: 1.17.3...1.17.4

What's Changed

• Fix quit command in Example client with OAuth by @DaleSeo in #864
• fix: client import & server imports by @jatinsandilya in #851
• fix: pass fetchfn parameter to registerClient and refreshAuthorizatio… by @arjunkmrm in #850
• docs: correct parameter schema key in Dynamic Servers documentation by @bianbianzhu in #789
• version: patch to 0.17.3 by @felixweinberger in #878

New Contributors

• @DaleSeo made their first contribution in #864
• @jatinsandilya made their first contribution in #851
• @arjunkmrm made their first contribution in #850
• @bianbianzhu made their first contribution in #789

Full Changelog: 1.17.2...1.17.3

What's Changed

• fix: retry next endpoint on CORS error during auth server discovery by @xiaoyijun in #827

Full Changelog: 1.17.1...1.17.2

What's Changed

• (fix): Update fallbackRequestHandler type to match _requestHandlers leaves type by @fredericbarthelet in #784
• fix: prevent responses being sent to wrong client when multiple transports connect by @grimmerk in #820
• 1.17.1 by @ihrpr in #831

Full Changelog: 1.17.0...1.17.1

What's Changed

• Add CODEOWNERS file for sdk by @ihrpr in #781
• Add more robust base64 check by @cliffhall in #786
• update codeowners by @ihrpr in #803
• Fix indent by @jiec-msft in #807
• fix: Explicitly declare accpet type to json when exchanging oauth token by @JoJoJoJoJoJoJo in #801
• feat: support oidc discovery in client sdk by @xiaoyijun in #652
• fix: remove extraneous code block in README.md by @sd0ric4 in #791
• Bump form-data from 4.0.2 to 4.0.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #798
• Bump version 1.17.0 by @ihrpr in #810

New Contributors 🙏

• @jiec-msft made their first contribution in #807
• @sd0ric4 made their first contribution in #791

Full Changelog: 1.16.0...1.17.0

What's Changed

• Add type compatibility test between SDK and spec types by @ochafik in #729
• Add OIDC ID token support by @dankelleher in #680
• Add prompt=consent for OIDC offline_access scope by @dankelleher in #681
• Non-critical: Readme syntax and typographical error fixes by @freakynit in #765
• make client side client_id generation configurable in the oauth router by @cdaguerre in #734
• Adding invalidateCredentials() to OAuthClientProvider by @geelen in #570
• fix: use authorization_server_url as issuer when fetching metadata by @JoJoJoJoJoJoJo in #763
• feat(protocol): Debounce notifications to improve network efficiancy by @jneums in #746
• fix(731): StreamableHTTPClientTransport Fails to Reconnect on Non-Resumable Streams by @jneums in #732
• fix: consistently use consumer-provided fetch function by @LucaButBoring in #767
• fix client id issuance date should only be sent when generated by @cdaguerre in #775
• 1.16.0 by @ihrpr in #779

New Contributors 🙏

• @dankelleher made their first contribution in #680
• @freakynit made their first contribution in #765
• @cdaguerre made their first contribution in #734
• @JoJoJoJoJoJoJo made their first contribution in #763
• @jneums made their first contribution in #746
• @LucaButBoring made their first contribution in #767

Full Changelog: 1.15.1...1.16.0

What's Changed

• fix(client): Some mcp server need default env(#393, #196) by @sunrabbit123 in #394
• feat: Add CORS configuration for browser-based MCP clients by @jerome3o-anthropic in #713
• Add onsessionclosed hook to StreamableHTTPServerTransport by @jerome3o-anthropic in #743
• add custom headers on initial _startOrAuth call by @anthonjn in #318
• Improve stdio test Windows compatibility and refactor command logic by @HoberMin in #284
• Add missing app.listen error handling to server examples by @ochafik in #749
• fix(server): validate expiresAt token value for non existence by @christian-bromann in #446
• [auth]: support oauth client_secret_basic / none / custom methods by @jaredhanson, @SightStudio, @ochafik in #720
• feat: support async callbacks for onsessioninitialized and onsessionclosed by @jerome3o-anthropic in #751
• Fix oauth well-known paths to retain path and query by @ihrpr in #756
• auth: fetch AS metadata in well-known subpath from serverUrl even when PRM returns external AS by @ochafik in #752

New Contributors

• @sunrabbit123 made their first contribution in #394
• @anthonjn made their first contribution in #318
• @HoberMin made their first contribution in #284

Full Changelog: 1.15.0...1.15.1

What's Changed

• Allow custom fetch in SSEClientTransport and StreamableHTTPClientTransport by @cliffhall in #721
• Revert "fix: add type safety for tool output schemas in ToolCallback" by @sushichan044 in #725
• bump version to 1.15.0 by @bhosmer-ant in #730

Full Changelog: 1.14.0...1.15.0