Add missing runtime dependencies for strict package managers#1144
Open
herakles-dev wants to merge 1 commit intomodelcontextprotocol:mainfrom
Open
Add missing runtime dependencies for strict package managers#1144herakles-dev wants to merge 1 commit intomodelcontextprotocol:mainfrom
herakles-dev wants to merge 1 commit intomodelcontextprotocol:mainfrom
Conversation
When installed with strict package managers like pnpm, the published package fails because bundled workspace files import packages not declared in the root package.json. Add the 5 missing runtime dependencies that are directly imported by files in the `files` array: - commander (cli/src/cli.ts, cli/src/index.ts) - cors (server/src/index.ts) - express (server/src/index.ts) - express-rate-limit (server/src/index.ts) - serve-handler (client/bin/client.js) Fixes modelcontextprotocol#873
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds 5 missing runtime dependencies to the root
package.json. These are imported directly by the bundled workspace files but only declared in sub-packages, which breaks pnpm and yarn PnP installs.Type of Change
Changes Made
Added
commander,cors,express,express-rate-limit, andserve-handlerto rootdependencies, matching the versions already in the workspace packages.I traced the imports in the published build output and these 5 were missing from root.
wswas not — it's only pulled in transitively via@modelcontextprotocol/sdk.Related Issues
Fixes #873
Testing
Traced every
import/requirein the bundled entry points back to source to confirm which packages need root-level declarations.Checklist
npm run prettier-fix)Additional Context
FYI
express-rate-limitandserve-handlerhave known CVEs at these versions (GHSA-46wh-pxpv-q5gq, minimatch ReDoS) — both pre-exist in the workspace packages, this just mirrors them. Happy to bump those separately.