cloudflare/mcp-server-cloudflare

[email protected] scope: containers-mcp Breaking

This release includes 4 breaking changes for platform teams planning a safe upgrade.

Published 1d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

deps

ReleasePort's take

Light signal

editorial:auto 1d

Upgrade several dependencies and adjust code for breaking changes introduced in containers‑mcp 0.2.14.

Why it matters: The release mandates version bumps (e.g., @cloudflare/workers-oauth-provider to 0.7.0, agents to 0.13.3) and adds required `grantId` in TokenExchangeCallbackOptions plus constrained McpAgent environment; failure causes build or runtime errors.

Summary

AI summary

Updates Patch Changes, a358e69, and f625075 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Breaking	High	`TokenExchangeCallbackOptions` now requires a `grantId` field. `TokenExchangeCallbackOptions` now requires a `grantId` field. Source: llm_adapter@2026-06-02 Confidence: high	—
Breaking	High	`McpAgent` environment generic constrained to `Cloudflare.Env`. `McpAgent` environment generic constrained to `Cloudflare.Env`. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency
Dependency	Low	Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade agents from 0.2.19 to 0.13.3. Upgrade agents from 0.2.19 to 0.13.3. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade zod from 3 to 4. Upgrade zod from 3 to 4. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade ai from 4 to 6. Upgrade ai from 4 to 6. Source: llm_adapter@2026-06-02 Confidence: high	—
Deprecation	Medium	Drop the removed `objectOutputType` helper from zod. Drop the removed `objectOutputType` helper from zod. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Fix latent bug where nested MCP annotation hints were silently ignored. Fix latent bug where nested MCP annotation hints were silently ignored. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Replace `z.string().ip()` with explicit `z.ipv4()`/`z.ipv6()` validation. Replace `z.string().ip()` with explicit `z.ipv4()`/`z.ipv6()` validation. Source: llm_adapter@2026-06-02 Confidence: high	—
Refactor	Low	`z.record(...)` now takes an explicit key schema in zod 4. `z.record(...)` now takes an explicit key schema in zod 4. Source: granite4.1:30b@2026-06-02-audit Confidence: low	—

Full changelog

Patch Changes

a358e69: Upgrade @cloudflare/workers-oauth-provider 0.4.0 → 0.7.0.

No tool or behavior changes. The only API change affecting this repo is that
TokenExchangeCallbackOptions now carries a required grantId field, which only
touched a test fixture (the provider supplies it at runtime).
f625075: Upgrade core dependencies: agents 0.2.19 → 0.13.3, @modelcontextprotocol/sdk 1.20.2 →
1.29.0, zod 3 → 4, and ai 4 → 6.

No user-facing tool or behavior changes. Internal adjustments for the new versions:
- zod 4: z.record(...) now takes an explicit key schema; z.string().ip() replaced with
  z.ipv4()/z.ipv6() validation; dropped the removed objectOutputType helper.
- agents 0.13: McpAgent env generic is constrained to Cloudflare.Env.
- MCP SDK 1.29: tool annotations hints must be flat ({ title, readOnlyHint, ... }) — fixes a
  latent bug where nested hints were silently ignored.
- ai 6: eval tooling updated (LanguageModel, inputSchema, stopWhen/stepCountIs, tool-call input).

Breaking Changes

TokenExchangeCallbackOptions now requires a `grantId` field (a358e69)
`z.record(...)` in zod 4 requires an explicit key schema and replaces `z.string().ip()` with `z.ipv4()`/`z.ipv6()`
McpAgent env generic constrained to `Cloudflare.Env` in agents 0.13.3
annotations hints must be flat objects in @modelcontextprotocol/sdk 1.29.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track cloudflare/mcp-server-cloudflare

Get notified when new releases ship.

About cloudflare/mcp-server-cloudflare

Integration with Cloudflare services including Workers, KV, R2, and D1

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Adds delete-class migration for UserDetails Durable Object in graphql server.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.