fix(memory,sequentialthinking,filesystem): declare zod as an explicit dependency#4377
Open
aqilaziz wants to merge 2 commits into
Open
fix(memory,sequentialthinking,filesystem): declare zod as an explicit dependency#4377aqilaziz wants to merge 2 commits into
aqilaziz wants to merge 2 commits into
Conversation
Both server-memory and server-sequential-thinking import `zod` at runtime but never declared it in their package.json. The published npm packages therefore fail at startup with ERR_MODULE_NOT_FOUND for `zod` when zod is not otherwise hoisted into node_modules. Add `zod: ^3.25 || ^4.0` (matching @modelcontextprotocol/sdk peer range) to both packages and update package-lock.json accordingly. Fixes modelcontextprotocol#4330
server-filesystem also imports zod at module load (index.ts) without declaring it. Under pnpm's strict non-flat node_modules a package can only import its own declared dependencies, so `pnpm dlx @modelcontextprotocol/server-filesystem` crashes with the same ERR_MODULE_NOT_FOUND for zod. Declare it with the same range as the other packages and update the lockfile.
aqilaziz
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@modelcontextprotocol/server-memory,@modelcontextprotocol/server-sequential-thinking, and@modelcontextprotocol/server-filesystemall importzodat module load (import { z } from "zod") but never declared it in theirpackage.jsondependencies.Under pnpm's strict, non-flat
node_moduleslayout a package can only import the dependencies it declares itself (not transitive ones). So even though@modelcontextprotocol/sdkpulls zod in, these servers crash on startup when run standalone:Reproduces with
pnpm dlx @modelcontextprotocol/server-memory/server-sequential-thinking/server-filesystem(issue #4330 reported the first two;server-filesystemhas the identical undeclared-zod import and is fixed here too).Fix
Declare
zodexplicitly in all three packages using the same range@modelcontextprotocol/sdkitself uses (^3.25 || ^4.0). This keeps zod deduped to the single instance the SDK already resolves (3.25.x in the current lockfile), avoiding a dual-zod-instance hazard when passing schemas to the SDK.package-lock.jsonis updated to match.server-everythingin this repo already declares zod this way, so the combination is known-good.Testing
zodwhile none declared it.^3.25 || ^4.0) and the existing hoisted resolution (zod 3.25.76).Fixes #4330