Skip to content

Release history

Epistates/TurboMCP releases

TurboMCP SDK: Enterprise MCP SDK in Rust

Back to tool Latest release

All releases

57 shown

Review required
v3.1.5 Bug fix
Auth RBAC

SSE empty event fix

Open
No immediate action
v3.1.4 New feature

HTTP/SSE requests + resource templates

Open
Review required
v3.1.3 Breaking risk
Auth RBAC RCE / SSRF

JSON-RPC strict version validation

Open
Review required
v3.1.2 Breaking risk
Auth RBAC Dependencies

report_progress API break

Open
Upgrade now
v3.1.1 Breaking risk
RCE / SSRF

Path escape rejection

Open
Upgrade now
v3.1.0 Breaking risk
Auth RCE / SSRF Dependencies +2 more

Expired token detection

Open
Review required
v3.0.14 Breaking risk
Breaking upgrade RCE / SSRF

InvalidUriScheme → DangerousUriScheme

Open
Config change
v3.0.13 Breaking risk
Auth

MCP 2025-11-25 streamable HTTP transport

Open
Review required
v3.0.12 New feature
Auth RBAC

Draft extensions + initialize changes

Open
No immediate action
v3.0.11 New feature

New notification API methods

Open
Review required
v3.0.10 Breaking risk
Auth Breaking upgrade

Protocol version tracking + lifecycle enforcement

Open
Review required
v3.0.8 New feature
Auth RBAC Breaking upgrade

Multi-version MCP support

Open
No immediate action
v3.0.7 Bug fix

Fixed #[description] stripping

Open
Upgrade now
v3.0.6 Breaking risk
Auth Dependencies

SSRF fix + audience RFC compliance

Open
No immediate action
v3.0.5 Bug fix

Cross‑platform compilation fix

Open
No immediate action
v3.0.4 New feature

Progress handler + pagination

Open
Review required
v3.0.3 Breaking risk
Auth RCE / SSRF

Single-version protocol + API key validation

Open
Upgrade now
v3.0.2 Bug fix
Dependencies Crypto / TLS

Unsafe removal + compile fix

Open
No immediate action
v3.0.1 New feature

In-process channel transport

Open
Review required
v3.0.0 Breaking risk
Auth RBAC RCE / SSRF +3 more

Ground-up rewrite + WASM

Open
Config change
v2.3.7 New feature
Crypto / TLS

TLS/HTTPS server support

Open
Review required
v2.3.6 Breaking risk
Auth Crypto / TLS Breaking upgrade

TLS validation opt‑in + TLS 1.3 default

Open
Config change
v2.3.5 New feature
Breaking upgrade Auth

Configurable protocol version negotiation

Open
No immediate action
v2.3.4 Breaking risk

WebSocket response routing

Open
No immediate action
v2.3.3 Bugfix

Middleware signature fix

Open
Config change
v2.3.2 Breaking risk
Auth

CORS support

Open
No immediate action
v2.3.1 New feature

URL_ELICITATION_REQUIRED + ToolExecution

Open
Review required
v2.3.0 Breaking risk
Auth RBAC RCE / SSRF

OAuth 2.1 upgrade

Open
Review required
v2.2.3 New feature
Auth RBAC

Middleware refactor + template updates

Open
No immediate action
v2.2.2 Breaking risk

HTTP session logging severity change

Open
v2.2.1 Breaking risk
⚠ Upgrade required
  • Migration: Callers must serialize the result with `serde_json::to_value(result)?` if JSON output is required.
  • CLI and proxy adapters have been updated to handle the new return type.
Breaking changes
  • Changed `call_tool()` return type from `Result` to `Result`
  • `Client::call_tool()` now returns the complete `CallToolResult` structure, previously only the first content block was returned
Full changelog

Provide full and raw access to JSON RPC tool call result

  • ** Fixed Client::call_tool() to return complete CallToolResult instead of only the first content block. Previously, the method discarded all subsequent content blocks, structured_content, and _meta fields, causing data loss.
  • Breaking Change: call_tool() return type changed from Result<serde_json::Value> to Result<CallToolResult>
  • Migration: Callers need to serialize the result if JSON is required: serde_json::to_value(result)?
  • Impact: CLI and proxy adapters updated to handle new return type
  • Files Modified: turbomcp-client/src/client/operations/tools.rs:154, turbomcp-cli/src/transport.rs, turbomcp-proxy/src/proxy/backend.rs
  • Version Script: Fixed update-versions.sh to correctly update inline dependency format ({ path = "...", version = "..." }) in turbomcp-cli/Cargo.toml. The script now uses explicit regex pattern matching for inline dependencies instead of greedy wildcards.
View release on GitHub
Upgrade now
v2.2.0 Breaking risk
Auth Crypto / TLS Breaking upgrade

RSA removal + security hardening

Open
Upgrade now
v2.1.3 Breaking risk
Breaking upgrade

WebSocket bidirectional fix

Open
No immediate action
v2.1.2 Breaking risk

Header extraction

Open
Review required
v2.1.1 Breaking risk
Auth RBAC

Universal MCP proxy + OAuth 2.1 stack

Open
Review required
v2.1.0 Breaking risk
Auth RBAC

Universal MCP proxy + OAuth 2.1 stack

Open
No immediate action
v2.0.5 Bug fix

Observability logs to stderr

Open
No immediate action
v2.0.4 Breaking risk

Transport selection + schema generation

Open
No immediate action
v2.0.3 Breaking risk

JoinHandle panic fix + concurrency limits

Open
Upgrade now
v2.0.2 Breaking risk

Resource read fix

Open
No immediate action
v2.0.1 Breaking risk

Metadata retention in list_resources

Open
Review required
v2.0.0 Breaking risk
RBAC Breaking upgrade

RBAC removal + SharedClient change

Open
Upgrade now
v1.1.2 Breaking risk
Breaking upgrade

Macro import path fixes

Open
Review required
v1.1.0 Breaking risk
Auth RBAC

DPoP + Type‑State Builders

Open
Upgrade now
v1.0.13 Breaking risk
Dependencies RCE / SSRF

Benchmarking + security hardening

Open
Review required
v1.0.12 Breaking risk
Auth RBAC

JSON-RPC 2.0 compliance fix

Open
Upgrade now
v1.0.11 Breaking risk
Breaking upgrade

MCP prompts & resources implementation

Open
Upgrade now
v1.0.10 Breaking risk

Full MCP compliance

Open
Review required
v1.0.9 Breaking risk
Auth RBAC

Full prompt metadata + argument support

Open
Review required
v1.0.8 Breaking risk
Auth RBAC

OAuth 2.1 MCP compliance

Open
No immediate action
v1.0.7 Breaking risk

`with_plugins!` macro + tool helpers

Open
No immediate action
v1.0.6 Breaking risk

Plugin system architecture

Open
Review required
v1.0.5 Breaking risk
Breaking upgrade

Deprecation of internal-deps

Open
No immediate action
v1.0.4 Breaking risk

Zero-ceremony builders

Open
No immediate action
v1.0.3 Breaking risk

Elicitation protocol, WebSocket, SSE

Open
No immediate action
v1.0.2 Breaking risk

Router config + handler names

Open

Beta — feedback welcome: [email protected]