fix: handle JSON-RPC request IDs exceeding MAX_SAFE_INTEGER

[cyphercodes]

Summary

Fixes #1765

Previously, the SDK used Number() to convert request/response IDs, which causes precision loss for values exceeding Number.MAX_SAFE_INTEGER (9007199254740991). This led to server hangs when receiving requests with large IDs because the response handler lookup would fail.

Changes

• Changed Map key types from number to RequestId (string | number) in Protocol class
• Removed Number() conversions on request/response IDs in _onresponse and _onprogress
• Added undefined check for response.id in _onresponse to handle error responses without IDs
• Updated TaskManagerHost.removeProgressHandler signature to use RequestId
• Updated TaskManager.processInboundResponse and related methods to use RequestId
• Changed TaskManager._taskProgressTokens Map value type from number to RequestId

Testing

All 454 existing tests pass. The fix ensures that request IDs are preserved as-is (whether string or number) throughout the request/response lifecycle, preventing precision loss issues with large numeric IDs.

Root Cause

When a client sends a JSON-RPC request with an ID like 9007199254740992 (MAX_SAFE_INTEGER + 1), converting it to Number would result in a different value due to floating-point precision limits. This caused the response handler lookup to fail, leaving the request pending indefinitely (server hang).

[changeset-bot]

⚠️ No Changeset found

Latest commit: b944265

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1775

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1775

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1775

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1775

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1775

commit: b944265

[felixweinberger]

Per discussion on #1765: numeric IDs above MAX_SAFE_INTEGER lose precision at JSON.parse, so this can't be fixed at the SDK layer. Clients needing large IDs should use string IDs, which the spec already supports. Closing this pending confirmation on the issue.

The Map<number> → Map<RequestId> type cleanup is reasonable on its own if you want to resubmit it as a refactor without the "fixes #1765" framing.