Skip to content

Epistates/TurboMCP

v2.3.2 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 5mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

mcp mcp-client mcp-sdk mcp-server mcp-servers rust

Affected surfaces

auth

Summary

AI summary

Added CORS preflight and expose‑header support so MCP Inspector can connect from browsers.

Full changelog

[2.3.2] - 2025-12-09

Added

Comprehensive Regression Test Coverage

  • Tool Serialization Tests (turbomcp-protocol):
    • Added test_tool_serialization_roundtrip() - Validates tool JSON serialization/deserialization
    • Added test_tool_list_result_serialization() - Tests ListToolsResult with mixed execution modes
    • Added test_tool_call_request_with_task_support() - Validates CallToolRequest with task metadata
    • Added test_backward_compatibility_tools_without_execution() - Ensures pre-v2.3.1 tools work
    • Added test_mixed_tools_in_list() - Real-world scenario with mixed tool configurations
    • All tests prevent future tool serialization/visibility regressions

Fixed

MCP Inspector Compatibility (GitHub Issue #9)

  • CORS Preflight Handling (turbomcp-server/runtime/http.rs):

    • Added explicit OPTIONS handler for CORS preflight requests
    • Without this, Axum returned 405 Method Not Allowed before CorsLayer could process preflight
    • Browser-based clients (MCP Inspector) now connect successfully with ENABLE_CORS=1

  • CORS Expose Headers (turbomcp-server/runtime/http.rs):

    • Added Access-Control-Expose-Headers: mcp-session-id, mcp-protocol-version
    • Critical fix: browsers block JavaScript from reading response headers not in expose list
    • MCP Inspector can now read session ID and protocol version from responses

Code Quality

  • Fixed unused variable warnings in turbomcp-transport/src/axum/middleware/auth.rs
  • Fixed unused mut warning in turbomcp-transport/src/axum/router/builder.rs
  • Added #[allow(dead_code)] for conditionally-used extract_bearer_token function

Verified Compatibility

  • ✅ Full MCP Inspector v0.17.5 compatibility verified
  • ✅ Streamable HTTP transport: GET/POST/DELETE/OPTIONS
  • ✅ SSE streaming with proper Content-Type
  • ✅ Session management headers exposed to browser clients
  • ✅ Last-Event-ID resumption support
  • ✅ 227 turbomcp-server tests passing
  • ✅ 258 turbomcp-transport tests passing

Configuration Guards and Feature Gating

  • Removed unnecessary #[cfg(feature = "mcp-tasks")] guards on now-unconditional task fields
  • Fixed 4 test files with incorrect feature flag usage:
    • crates/turbomcp-transport/src/websocket_bidirectional/mcp_methods.rs
    • crates/turbomcp-transport/src/websocket_bidirectional/types.rs
    • crates/turbomcp-transport/tests/sampling_rejection_hang_test.rs (2 fixes)

Documentation

  • Updated HTTP server example documentation with CORS setup guidance
  • Clarified CORS messaging: "CORS disabled (secure mode)" instead of "CORS enabled (development mode)"
  • Added explicit instructions for enabling CORS with ENABLE_CORS=1 for browser-based tools

Full Changelog: https://github.com/Epistates/turbomcp/compare/v2.3.1...v2.3.2

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Epistates/TurboMCP

Get notified when new releases ship.

Sign up free

About Epistates/TurboMCP

TurboMCP SDK: Enterprise MCP SDK in Rust

All releases →

Related context

Beta — feedback welcome: [email protected]