express: add maxBodyBytes guard for JSON parsing

[TheodorNEngoy]

createMcpExpressApp() currently installs express.json() with the implicit Express default limit.

This PR:

• Adds maxBodyBytes option (default: 100kb, same as Express default) to make the limit explicit + configurable.
• Ensures invalid JSON / oversized payloads return JSON-RPC-shaped errors (instead of Express HTML error pages).
• Adds tests + README docs.

This is a small DoS hardening + improves client ergonomics when requests fail early in body parsing.

[changeset-bot]

🦋 Changeset detected

Latest commit: be1a3b1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@modelcontextprotocol/express	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1495

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1495

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1495

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1495

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1495

commit: be1a3b1