express: add maxBodyBytes guard for JSON parsing

[TheodorNEngoy]

createMcpExpressApp() currently installs express.json() with its default size limit behavior.

This PR adds a maxBodyBytes option (default: 1_000_000) and passes it through to express.json({ limit: ... }), so oversized JSON payloads return 413 and don't get fully buffered.

• Adds maxBodyBytes to CreateMcpExpressAppOptions
• Enforces the limit via express.json({ limit })
• Adds a vitest + supertest coverage for 413
• Documents the option in the Express + Node adapter READMEs
• Includes a changeset for @modelcontextprotocol/express

[changeset-bot]

🦋 Changeset detected

Latest commit: 61b305b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@modelcontextprotocol/express	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1497

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1497

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1497

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1497

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1497

commit: 61b305b

[TheodorNEngoy]

Closing as a duplicate of #1495 (same feature, more complete error-shaping + safer default). I folded the useful bits there so maintainers only need to review one PR.