fix(fetch): handle malformed input without crashing#3509
Closed
echo-lumen wants to merge 4063 commits intomodelcontextprotocol:mainfrom
Closed
fix(fetch): handle malformed input without crashing#3509echo-lumen wants to merge 4063 commits intomodelcontextprotocol:mainfrom
echo-lumen wants to merge 4063 commits intomodelcontextprotocol:mainfrom
Conversation
* bump: gitpython dependency from 3.1.43 to 3.1.45 * test: use default branch name instead of hardcoding 'master' * fix: handle d.diff as string in GitPython 3.1.45+
…tprotocol#2956) * docs: add CODEX CLI installation * fix: command syntax in README for npx usage
docs: add Webrix enterprise MCP gateway
MCP server for Mobile Development and Automation | iOS, Android, Simulator, Emulator, and Real Devices
…tocol#3035) * feat: add Airwallex Developer MCP to Official integrations * Update README.md --------- Co-authored-by: adam jones <domdomegg+git@gmail.com>
As mentioned in makenotion/notion-mcp-server#142 by @jamiecool, the official open-sourced Notion MCP server does not work well. It returns the raw JSON response from the Notion API, which is way to verbose. This fork of the Notion Server converts read responses to usable Markdown content which is more token efficient.
…l#3000) ## Description Adds a new MCP server for industrial machinery diagnostics and predictive maintenance. ## Server Details - **Name**: Predictive Maintenance MCP Server - **Repository**: https://github.com/LGDiMaggio/predictive-maintenance-mcp - **Category**: Industrial Automation / Data Science - **Language**: Python - **Features**: - 25+ diagnostic tools (FFT, envelope analysis, ISO 20816 compliance) - ML-based anomaly detection (OneClassSVM, LocalOutlierFactor) - Interactive HTML reports with Plotly ## Checklist - [x] Documentation is complete (README, examples, setup guides) - [x] MIT License - [x] Follows MCP protocol standards - [x] Added to appropriate section in README
…ntextprotocol#3010) This PR fixes the `nextThoughtNeeded` parameter that was missed in modelcontextprotocol#3004.
Add Destinia MCP server to search for hotels
Add deployhq-mcp-server to third-party servers Co-authored-by: adam jones <domdomegg+git@gmail.com>
…ol#2985) Co-authored-by: Paddy Walsh <paddy.walsh@diffusiondata.com>
…col#2986) An MCP server that implements the HTTP 402 standard (client and server side).
Signed-off-by: Manabu McCloskey <manabu.mccloskey@gmail.com>
* Add Context Processor to Third-Party Servers - Intelligent context management MCP server - Configurable pre-processing strategies (clarify, analyze, search, fetch) - Published on npm at context-processor v1.0.0 - 81 passing tests with comprehensive documentation - GitHub: https://github.com/mschultheiss83/context-processor * Move Context Processor to Community Servers section The reviewer requested moving Context Processor from Official Integrations to Community Servers section, as it is a community-developed server rather than an official company integration.
…-unavailable-paths fix(filesystem): gracefully handle unavailable directories
The httpx library renamed 'proxies' to 'proxy' in version 0.28.0. This updates the fetch server to use the new parameter name and removes the version cap on httpx. Fixes modelcontextprotocol#3287
Adds comprehensive test coverage for the Everything Server including: Tools (10 tools tested): - echo: message echoing with validation - get-sum: number addition with edge cases - get-env: environment variable retrieval - get-tiny-image: image content blocks - get-structured-content: weather data for all cities - get-annotated-message: priority/audience annotations - trigger-long-running-operation: progress notifications - get-resource-links: dynamic resource link generation - get-resource-reference: text/blob resource validation Prompts (4 prompts tested): - simple-prompt: no-argument prompt - args-prompt: city/state arguments - completable-prompt: department/name completions - resource-prompt: embedded resource references Resources: - templates.ts: URI generation, text/blob resources - session.ts: session-scoped resource registration Test infrastructure: - vitest.config.ts with v8 coverage - Mock server helper for capturing registered handlers - 81 tests, all passing Closes modelcontextprotocol#2925 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Complete test coverage for all 16 Everything Server tools: New tests added: - toggle-simulated-logging: start/stop logging toggle, session handling - toggle-subscriber-updates: start/stop updates toggle, session handling - trigger-sampling-request: capability check, sampling request/response - trigger-elicitation-request: capability check, accept/decline/cancel actions - get-roots-list: capability check, registration - gzip-file-as-resource: compression, resource/resourceLink output types Test count: 102 tests (was 81) Coverage: 64.73% overall, 90.93% tools (was 34%, 40%) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Additional test coverage: - server/index.ts: createServer factory, cleanup function (91% coverage) - tools/index.ts: registerTools, registerConditionalTools (100% coverage) - prompts/index.ts: registerPrompts (100% coverage) - resources/index.ts: registerResources, readInstructions (88% coverage) - resources/files.ts: registerFileResources (54% coverage) - resources/subscriptions.ts: handlers, begin/stop updates (47% coverage) Test count: 124 tests (was 102) Coverage: 71.35% overall (was 64.73%) - Tools: 93.12% - Prompts: 90.53% - Server: 62.93% - Resources: 65.44% Note: Transport files (stdio.ts, sse.ts, streamableHttp.ts) are entry points that start Express servers. These require integration tests rather than unit tests. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed ~29 tests that were adding noise rather than coverage: - Registration boilerplate tests (16): redundant with registrations.test.ts - Redundant role/type checks (3): consolidated into behavioral tests - "Should not throw" tests (6): consolidated into single lifecycle test - Constant identity tests (2): provided no safety net - expect(true).toBe(true) test (1): replaced with actual assertion - Weak capability test (1): removed, handler check already exists Strengthened remaining tests: - Resource templates test now verifies specific resource names - File resources test now asserts registerResource was called Test count: 124 → 95 (29 removed) Coverage unchanged at ~71% Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The upstream main added simulate-research-query and async tools that use server.experimental.tasks.registerToolTask. Update mock servers to include this API. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…es/searchNodes Previously, `openNodes` and `searchNodes` only returned relations where BOTH endpoints were in the result set (using `&&`). This silently dropped all relations to/from nodes outside the set — making it impossible to discover a node's connections without calling `read_graph` and filtering the entire dataset client-side. Changed the filter from `&&` to `||` so that any relation with at least one endpoint in the result set is included. This matches the expected graph-query semantics: when you open a node, you should see all its edges, not just edges to other opened nodes. Fixes modelcontextprotocol#3137 Tests updated and new cases added covering: - Outgoing relations to nodes not in the open set - Incoming relations from nodes not in the open set - Relations connected to a single opened node - searchNodes returning outgoing relations to unmatched entities Co-authored-by: Cursor <cursoragent@cursor.com>
…erything-server-tests Add Vitest tests for Everything Server
Fixes high-severity qs DoS vulnerability (GHSA-6rw7-vpxm-498p). Remaining moderate-severity issues are in dev dependencies (esbuild/vite/vitest) and require a breaking vitest v2->v4 upgrade. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The uv installation section mentioned using uvx but didn't show the actual command, unlike the PIP section which shows both install and run commands. This adds the missing `uvx mcp-server-time` command. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…update docs(time): add explicit uvx command to installation section
Bumps the uv group with 1 update in the /src/fetch directory: [cryptography](https://github.com/pyca/cryptography). Bumps the uv group with 1 update in the /src/git directory: [cryptography](https://github.com/pyca/cryptography). Bumps the uv group with 1 update in the /src/time directory: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 46.0.3 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.3...46.0.5) Updates `cryptography` from 46.0.3 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.3...46.0.5) Updates `cryptography` from 46.0.3 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.3...46.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: indirect dependency-group: uv - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: indirect dependency-group: uv - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>
…l/dependabot/uv/src/fetch/uv-7997262317 Bump the uv group across 3 directories with 1 update
…l/claude/issue-2526-20250824-0240 fix: resolve relative paths against allowed directories instead of process.cwd()
…l/localden/sec-doc-update Update SECURITY.md to use GitHub Security Advisories
…system-macos-symlink-path-resolution fix(filesystem): resolve symlinked allowed directories to both forms
…l/localden/servers Update README.md
…em-move-file-destructive-hint fix(filesystem): mark move_file as destructive operation
…ory-open-nodes-relations fix(memory): return relations connected to requested nodes in openNodes/searchNodes
…ion-resource-reregistration fix(everything): allow re-registration of session resources
…ttpx-proxy-arg fix(fetch): update to httpx 0.28+ proxy parameter
Change `raise_exceptions=True` to `raise_exceptions=False` in server.run() so that malformed JSON-RPC messages on stdin are handled gracefully instead of terminating the server process. This aligns mcp-server-fetch with other reference servers (e.g. mcp-server-time) that use the default raise_exceptions=False. Fixes modelcontextprotocol#3359
echo-lumen
force-pushed
the
fix/fetch-malformed-input-crash
branch
from
16627ed to
ee8773e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3359
mcp-server-fetchcrashes on any malformed JSON-RPC input becauseserver.run()is called withraise_exceptions=True, causing parse errors to propagate as unhandledExceptionGroups and terminate the process.This PR changes
raise_exceptions=Truetoraise_exceptions=Falseon line 288 ofserver.py, which makes the server handle malformed input gracefully — consistent with other reference servers likemcp-server-timethat already use the defaultraise_exceptions=False.Changes
src/fetch/src/mcp_server_fetch/server.py: Changeraise_exceptions=Truetoraise_exceptions=Falseinserver.run()callsrc/fetch/tests/test_server.py: Add regression test verifyingserve()passesraise_exceptions=Falsetoserver.run()Test plan
TestServeRaiseExceptions::test_serve_does_not_crash_on_malformed_inputpassesecho "NOT VALID JSON" | mcp-server-fetchno longer crashes the server