cloudflare/mcp-server-cloudflare

[email protected] scope: docs-vectorize Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 1d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

deps

ReleasePort's take

Light signal

editorial:auto 1d

Upgrade several dependencies and address breaking changes in the [email protected] release.

Why it matters: The upgrade of @cloudflare/workers-oauth-provider to 0.7.0 introduces a required `grantId` field in TokenExchangeCallbackOptions (severity 70), impacting integrations; other upgrades fix bugs and align API usage.

Summary

AI summary

Updates Patch Changes, a358e69, and f625075 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Breaking	High	`TokenExchangeCallbackOptions` now requires a `grantId` field. `TokenExchangeCallbackOptions` now requires a `grantId` field. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency
Dependency	Low	Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Upgrade @cloudflare/workers-oauth-provider from 0.4.0 to 0.7.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade agents from 0.2.19 to 0.13.3. Upgrade agents from 0.2.19 to 0.13.3. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Upgrade @modelcontextprotocol/sdk from 1.20.2 to 1.29.0. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade zod from 3 to 4. Upgrade zod from 3 to 4. Source: llm_adapter@2026-06-02 Confidence: high	—
Dependency	Low	Upgrade ai from 4 to 6. Upgrade ai from 4 to 6. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix
Bugfix	Medium	Fix latent bug where nested MCP tool annotations were silently ignored. Fix latent bug where nested MCP tool annotations were silently ignored. Source: llm_adapter@2026-06-02 Confidence: high	—
Bugfix	Medium	Update zod usage: `z.record(...)` now takes explicit key schema; replace `z.string().ip()` with `z.ipv4()/z.ipv6()` validation; drop removed `objectOutputType` helper. Update zod usage: `z.record(...)` now takes explicit key schema; replace `z.string().ip()` with `z.ipv4()/z.ipv6()` validation; drop removed `objectOutputType` helper. Source: llm_adapter@2026-06-02 Confidence: low	—
Bugfix	Medium	Constrain `McpAgent` env generic to `Cloudflare.Env`. Constrain `McpAgent` env generic to `Cloudflare.Env`. Source: llm_adapter@2026-06-02 Confidence: low	—
Bugfix	Medium	Update eval tooling: `LanguageModel`, `inputSchema`, `stopWhen`/`stepCountIs`, and tool‑call `input`. Update eval tooling: `LanguageModel`, `inputSchema`, `stopWhen`/`stepCountIs`, and tool‑call `input`. Source: llm_adapter@2026-06-02 Confidence: low	—

Full changelog

Patch Changes

a358e69: Upgrade @cloudflare/workers-oauth-provider 0.4.0 → 0.7.0.

No tool or behavior changes. The only API change affecting this repo is that
TokenExchangeCallbackOptions now carries a required grantId field, which only
touched a test fixture (the provider supplies it at runtime).
f625075: Upgrade core dependencies: agents 0.2.19 → 0.13.3, @modelcontextprotocol/sdk 1.20.2 →
1.29.0, zod 3 → 4, and ai 4 → 6.

No user-facing tool or behavior changes. Internal adjustments for the new versions:
- zod 4: z.record(...) now takes an explicit key schema; z.string().ip() replaced with
  z.ipv4()/z.ipv6() validation; dropped the removed objectOutputType helper.
- agents 0.13: McpAgent env generic is constrained to Cloudflare.Env.
- MCP SDK 1.29: tool annotations hints must be flat ({ title, readOnlyHint, ... }) — fixes a
  latent bug where nested hints were silently ignored.
- ai 6: eval tooling updated (LanguageModel, inputSchema, stopWhen/stepCountIs, tool-call input).

Breaking Changes

`TokenExchangeCallbackOptions` now requires a `grantId` field

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track cloudflare/mcp-server-cloudflare

Get notified when new releases ship.

About cloudflare/mcp-server-cloudflare

Integration with Cloudflare services including Workers, KV, R2, and D1

All releases →

Related context

Related tools

Earlier breaking changes

[email protected] Adds delete-class migration for UserDetails Durable Object in graphql server.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.
[email protected] Removes `accounts_list` and `set_active_account` tools.