Fix abort signal listener leak in _requestWithSchema

[lucaalbinati]

Summary

• The abort listener added to the caller's AbortSignal in _requestWithSchema was never removed, causing listeners to accumulate across requests sharing the same signal
• Named the anonymous listener, added explicit removeEventListener on all exit paths (response handler, cancel, timeout, transport send failure, task enqueue failure), and added once: true as a defensive fallback

Test plan

• Added 5 tests covering listener cleanup on all exit paths:
  • Successful response
  • Timeout
  • Multiple sequential requests on the same signal (no accumulation)
  • Abort signal triggered
  • Transport send failure
• Verified all 5 tests fail without the fix and pass with it

[changeset-bot]

⚠️ No Changeset found

Latest commit: 937f690

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1672

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1672

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1672

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1672

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1672

commit: 9c9881d

[travisbreaks]

Clean fix for a real leak. The core issue (anonymous listener on a shared AbortSignal never removed) is correctly identified and the solution is straightforward.

What works well:

The removeEventListener placement covers all the exit paths I can trace:

• Success: response handler callback removes it (line 1276)
• Timeout: fires cancel() which removes it (line 1251)
• Abort: onAbort fires cancel() which removes it, plus { once: true } as a belt-and-suspenders fallback
• Transport send failure: .catch removes it (lines 1328, 1337)
• Connection close: _onclose() iterates all response handlers, which calls the callback that removes it

The { once: true } option is a good defensive addition. If the listener fires, the runtime won't hold a reference afterward regardless. The explicit removeEventListener inside cancel() on the abort path is technically redundant with once: true, but that's fine since removeEventListener on an already-removed listener is a no-op and the explicitness aids readability.

Tests are solid. The sequential-requests-same-signal test (the accumulation test) is the most valuable one since it directly demonstrates the leak scenario. Good that all five tests fail without the fix and pass with it.

One minor observation (not blocking): The _enqueueTaskMessage catch path and transport .send catch path both clean up the timeout and reject, but neither removes the response handler or progress handler from their respective maps. That's a pre-existing gap, not introduced here, so not a concern for this PR. Just noting it in case it's worth a follow-up.

Changeset bot is flagging the missing changeset. Might want to add one for a patch bump.