…dioClientTransport

Bumps the npm_and_yarn group with 1 update in the / directory: [formidable](https://github.com/node-formidable/formidable).


Updates `formidable` from 3.5.2 to 3.5.4
- [Release notes](https://github.com/node-formidable/formidable/releases)
- [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md)
- [Commits](https://github.com/node-formidable/formidable/commits)

---
updated-dependencies:
- dependency-name: formidable
  dependency-version: 3.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>

Add inline comments explaining why GET and DELETE endpoints return 405 in stateless mode:
- GET: SSE notifications not supported without session management
- DELETE: Session termination not needed in stateless mode

…r in mcp tests

…e with completion or prompt completable argument registration

…etadata

…gister-completions-capabilities

fix: Ensure completions capability is registered on setCompletionRequestHandler call

Implement DNS Rebinding Protections per spec

…/ihrpr/fix-lint

fix lint

…arser-dep

fix: add missing eventsource-parser dependency

…-default-env

fix: add windows env PROGRAMFILES, avoid some exe can not be found

…types

add overloads for registerResource method in McpServer class

fix: extra headers when they are a Headers object

…chema

fix: missing "properties" property in empty schema

…/pid-StdioClientTransport

fix: Expose the MCP child process PID as an accessible property in StdioClientTransport

…ructured-content-with-type-safety

fix: add type safety for tool output schemas in ToolCallback

doc minimum node version requirment

…/http-doc

docs: add error handling when it fails to start HTTP server

Added Sampling Example to README

…elcontextprotocol#717)

* Returning undefined from `discoverOAuthMetadata` for CORS errors

This behaviour was already happening for the root URL, but the new `fetchWithCorsRetry` logic differed.

The issue was if the server returns a 404 for `/.well-known/oauth-authorization-server/xyz` that didn't have the `access-control-allow-origin`, a TypeError was being thrown. There was logic there already to handle a TypeError for a _preflight_ request (cause by custom headers), but not the fallback. I refactored so all combinations return `undefined`.

* Add test for CORS error handling that should return undefined

This test covers the scenario where both the initial request with headers
and the retry without headers fail with CORS TypeErrors. The desired
behavior is to return undefined instead of throwing.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* fix test comment

---------

Co-authored-by: Glen Maddern <[email protected]>
Co-authored-by: Paul Carleton <[email protected]>
Co-authored-by: Claude <[email protected]>
Co-authored-by: Paul Carleton <[email protected]>

…/ihrpr/1.13.3

Bump version to 1.13.3