[v2] Decouple server from express and hono - http framework-agnostic MCP server

[KKonstantinov]

v1 included express (and hono in recent version), forcing the dependency down to users. (express being >1MB along with middleware deps such as express-rate-limit etc.).

Achieving final & true implementation of #1299

This PR decouples @modelcontextprotocol/server from HTTP frameworks completely, and introduces three middleware packages: @modelcontextprotocol/node, @modelcontextprotocol/express, @modelcontextprotocol/hono.

The middleware packages are optional, and users could choose to use them or to map to the MCP SDK themselves and not using any of these plugins.

However, the @modelcontextprotocol/server is completely HTTP framework dependency-free.

Some additional changes:

• Renamed StreamableHTTPServerTransport to NodeStreamableHTTPServerTransport
• Added linting rule to avoid inline type imports (e.g. import { A, type B}). Prefer import type { B } and import { A } on separate lines.
• Removed express dependency from @modelcontextprotocol/server completely
• introduced @modelcontextprotocol/server-express and @modelcontextprotocol/server-hono - each having its own minimum dependencies
• Removed sse transport for server (deprecated)
• Removed server auth
• Replaced examples for server auth with an OAuth library (e.g. better-auth)
• Wrote up FAQ sections for removing SSE from server and removing auth from server
• Tested better-auth server auth demo examples with @modelcontextprotocol/inspector
• Updated express to 5.2.1 to get rid of CVE reported on 5.0.1 on the qs library (https://security.snyk.io/vuln/SNYK-JS-QS-14724253)
• Updated existing docs, introduced new docs for middleware packages and general middleware doc

Motivation and Context

v2

How Has This Been Tested?

Unit tests

Breaking Changes

v2

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7efc9ae

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1326

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1326

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1326

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1326

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1326

commit: 7efc9ae

[43081j]

how are you calculating those sizes? they look too big to be the production install size, is it the size of your local server/node_modules including devDeps?

it might be worth including the production install size since that'll be what affects most people

a quick glance at it shows me the server is roughly ~9MB in main, and 6.5MB in your branch. huge saving!

[43081j]

I noticed the node middleware declares the server as a peer, but the other two declare it as a dependency.

should the three be consistent?

also - might it be a good idea to set hono and express as peers rather than dependencies? since these middlewares are meant to be used with them

[pcarleton]

Auth pieces LGTM!

[KKonstantinov]

I noticed the node middleware declares the server as a peer, but the other two declare it as a dependency.

should the three be consistent?

also - might it be a good idea to set hono and express as peers rather than dependencies? since these middlewares are meant to be used with them

Nice catch, yes, all middlewares should have these in peers, including @modelcontextprotocol/server (which should be a peer dep and not baked into middlewares).

[pcarleton]

Sorry missed this earlier, but the PRM path needs to have the pathname after .well-known rather than before

[felixweinberger]

Nice refactor! Looked through and this LGTM except for @pcarleton's point above which would be great to address.

[KKonstantinov]

Done!

Nice refactor! Looked through and this LGTM except for @pcarleton's point above which would be great to address.

Dismissing @pcarleton's review as I believe his change request has been addressed