Fix tools/list error by pinning SDK and Zod versions #142

Merged
kapravel merged 6 commits into main from fix/pin-zod-version on Feb 12, 2026
Conversation

@dc-larsen (Contributor)

Summary

Fixes the hosted MCP server at mcp.socket.dev failing on tools/list with error:

MCP error -32603: Cannot read properties of null (reading '_def')

Root cause: Zod version incompatibility. The MCP SDK 1.25.x requires zod ^3.25, which has internal _def structure changes that break schema serialization during tools/list.

Changes:

  • Pin @modelcontextprotocol/sdk to 1.22.0 (last version compatible with older Zod)
  • Pin zod to 3.24.1
  • Add npm overrides to force all transitive dependencies to use compatible versions

Test plan

  • Reproduced the issue on mcp.socket.dev (initialize works, tools/list fails)
  • Tested fix locally: both initialize and tools/list now return valid responses
  • Deploy to mcp.socket.dev and verify fix in production

The hosted MCP server at mcp.socket.dev fails on tools/list with:
"Cannot read properties of null (reading '_def')"

This is caused by Zod version incompatibility. SDK 1.25.x requires
zod ^3.25 which has internal _def structure changes that break
schema serialization.

Changes:
- Pin @modelcontextprotocol/sdk to 1.22.0 (last version using zod ^3.23.8)
- Pin zod to 3.24.1
- Add overrides to force all transitive deps to use compatible versions

socket-security bot commented Jan 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                          Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  npm/zod@3.25.76 ⏵ 3.25.0                          100 (+3)               100            74 (-26)  96 (+1)      100
Updated  npm/@types/node@24.10.1 ⏵ 24.10.9                 100 (+1)               100            81 (+1)   96           100
Updated  npm/pino-pretty@13.1.2 ⏵ 13.1.3                   99 (+1)                100            100       86           100
Updated  npm/pino@10.1.0 ⏵ 10.3.0                          99 (+1)                100            100       98           100
Updated  npm/@modelcontextprotocol/sdk@1.22.0 ⏵ 1.26.0     99                     100 (+31)      100       98 (-1)      100


socket-security-staging bot commented Jan 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                          Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  npm/zod@3.25.76 ⏵ 3.25.0                          100 (+3)               100            76 (-24)  96 (+1)      100
Updated  npm/@types/node@24.10.1 ⏵ 24.10.9                 100 (+1)               100            81 (+1)   96           100
Updated  npm/pino-pretty@13.1.2 ⏵ 13.1.3                   99                     100            100       86           100
Updated  npm/pino@10.1.0 ⏵ 10.3.0                          99 (+1)                100            100       98 (+2)      100
Updated  npm/@modelcontextprotocol/sdk@1.22.0 ⏵ 1.26.0     99                     100 (+31)      100       98 (-1)      100


socket-security-staging bot commented Jan 27, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

- Introduced a new function `createConfiguredServer` to encapsulate the server setup logic.
- Updated the `depscore` tool registration to use a more structured input schema.
- Enhanced type definitions for package handling within the tool's request processing.
- Improved error handling and logging for API responses.

This refactor aims to improve code organization and maintainability.

- Refactored transport handling to use a session-based approach, allowing each client to have a dedicated transport and server pair.
- Updated session lifecycle management to ensure proper cleanup of server resources upon session closure.
- Improved handling of session initialization and closure events to prevent resource leaks.

These changes aim to improve the reliability and maintainability of the HTTP server's session management.

- Upgraded @modelcontextprotocol/sdk from 1.22.0 to 1.26.0.
- Updated zod from 3.24.1 to 3.25.0 in both package.json and package-lock.json.
- Adjusted express and express-rate-limit to versions 5.2.1 and 8.2.1 respectively.
- Added new dependencies: @hono/node-server, hono, jose, json-schema-typed, and ip-address with their respective versions.
- Updated overrides for zod and zod-to-json-schema to ensure compatibility across dependencies.

These changes enhance compatibility and ensure the project uses the latest stable versions of its dependencies.

- Introduced a session interface to manage transport and server pairs for each client, including tracking last activity.
- Implemented a session reaping mechanism to automatically destroy idle sessions after 30 minutes.
- Updated session handling in request processing to ensure proper resource cleanup and activity tracking.

These changes improve the reliability and efficiency of session management in the HTTP server.
@kapravel (Collaborator)

Thanks @dc-larsen for the PR! I've upgraded the dependencies and fixed the zod issue (among other things :) )

@kapravel kapravel merged commit ba183b1 into main Feb 12, 2026
6 checks passed