The Third-Party Servers section (Official Integrations + Community
Servers) has been superseded by the MCP Registry at
https://registry.modelcontextprotocol.io/. The README already carried a
deprecation note and CONTRIBUTING.md froze new additions. This removes
the list, updates CONTRIBUTING.md to describe the new state, and
refreshes the readme-pr-check workflow's bot comment.
fix(filesystem): ensure bare Windows drive letters normalize to root
Appends path.sep to bare drive letters (e.g. "C:") before calling path.normalize(), preventing them from normalizing to "C:." (current directory on drive) instead of "C:\" (drive root). Includes test coverage with platform mocking.
Fixes#3418
fix(sequential-thinking): use z.coerce for number and safe preprocess for boolean params
Uses z.coerce.number() for number fields and a z.preprocess() helper for boolean fields to handle string-typed parameters from LLM clients. The preprocess approach correctly handles "false" → false, avoiding the z.coerce.boolean() footgun where Boolean("false") === true.
Fixes#3428
fix(git): add missing argument injection guards
Extends existing startswith("-") input validation to git_show, git_create_branch, git_log, and git_branch, preventing user-supplied values from being interpreted as CLI flags by GitPython's subprocess calls to git.
feat(time): add tool annotations
Adds MCP ToolAnnotations to both time server tools (get_current_time, convert_time). Both are read-only, non-destructive, idempotent, and closed-world.
Fixes#3574
feat(sequential-thinking): add tool annotations
Adds MCP ToolAnnotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) to the sequential-thinking tool, bringing it in line with the annotation pattern established by the filesystem server.
Fixes#3403
fix(fetch): handle malformed input without crashing
Changes `raise_exceptions=True` to `raise_exceptions=False` in the fetch server's `Server.run()` call, preventing the server from crashing on malformed JSON-RPC input. This aligns with the SDK's intended default behavior and is consistent with other reference servers.
Fixes#3359
The uv installation section mentioned using uvx but didn't show the
actual command, unlike the PIP section which shows both install and run
commands. This adds the missing `uvx mcp-server-time` command.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes high-severity qs DoS vulnerability (GHSA-6rw7-vpxm-498p).
Remaining moderate-severity issues are in dev dependencies
(esbuild/vite/vitest) and require a breaking vitest v2->v4 upgrade.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Previously, `openNodes` and `searchNodes` only returned relations where
BOTH endpoints were in the result set (using `&&`). This silently
dropped all relations to/from nodes outside the set — making it
impossible to discover a node's connections without calling `read_graph`
and filtering the entire dataset client-side.
Changed the filter from `&&` to `||` so that any relation with at least
one endpoint in the result set is included. This matches the expected
graph-query semantics: when you open a node, you should see all its
edges, not just edges to other opened nodes.
Fixes#3137
Tests updated and new cases added covering:
- Outgoing relations to nodes not in the open set
- Incoming relations from nodes not in the open set
- Relations connected to a single opened node
- searchNodes returning outgoing relations to unmatched entities
Co-authored-by: Cursor <cursoragent@cursor.com>
The upstream main added simulate-research-query and async tools that
use server.experimental.tasks.registerToolTask. Update mock servers
to include this API.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed ~29 tests that were adding noise rather than coverage:
- Registration boilerplate tests (16): redundant with registrations.test.ts
- Redundant role/type checks (3): consolidated into behavioral tests
- "Should not throw" tests (6): consolidated into single lifecycle test
- Constant identity tests (2): provided no safety net
- expect(true).toBe(true) test (1): replaced with actual assertion
- Weak capability test (1): removed, handler check already exists
Strengthened remaining tests:
- Resource templates test now verifies specific resource names
- File resources test now asserts registerResource was called
Test count: 124 → 95 (29 removed)
Coverage unchanged at ~71%
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The httpx library renamed 'proxies' to 'proxy' in version 0.28.0.
This updates the fetch server to use the new parameter name and
removes the version cap on httpx.
Fixes#3287
