This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
Affected surfaces
Summary
AI summaryFixes critical regression enabling WebSocket bidirectional communication and Ping/Pong keep‑alive.
Full changelog
Critical Fixes: WebSocket Bidirectional Communication Regression
WebSocket Response Routing (CRITICAL REGRESSION FIX)
v2.12 refactored the websocket server, it introduced an architectural issue preventing WebSocket bidirectional methods from working.
Added missing spawn_message_reader_task() to continuously process WebSocket messages
Routes JSON-RPC responses to correlation maps (pending_pings, pending_samplings, pending_roots, elicitations)
Auto-responds to WebSocket Ping frames with Pong (RFC 6455 compliance)
Enables server-initiated features (elicitation, sampling, roots/list)
Test: test_websocket_ping_pong now passes (was timing out after 60 seconds)
Impact:
All bidirectional WebSocket methods now work correctly
Ping/pong keep-alive mechanism operational
Sampling requests complete in 65µs instead of hanging for 60 seconds (1,000,000x speedup)
Files Modified:
crates/turbomcp-transport/src/websocket_bidirectional/tasks.rs: Added message reader (152 lines)
crates/turbomcp-transport/src/websocket_bidirectional/connection.rs: Integrated into startup
crates/turbomcp-transport/tests/websocket_bidirectional_integration_test.rs: Fixed test server, removed #[ignore]
crates/turbomcp-transport/tests/sampling_rejection_hang_test.rs: Updated benchmark to verify fix
Documentation & Quality
Documented num-bigint-dig future incompatibility warning (non-blocking, transitive dependency)
Fixed clippy linting errors (collapsed nested if statements for better code style)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Beta — feedback welcome: [email protected]