| <Note> | ||
|
|
||
| Host validation is only available when using the `streamable_http` transport. Localhost addresses (`localhost`, `127.0.0.1`, `::1`, `0.0.0.0`) are always allowed when validation is enabled. | ||
| Host validation is only available when using the `streamable_http` transport. Loopback addresses (`localhost`, `127.0.0.1`, `::1`) are always allowed when validation is enabled. |
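Review bot: dropping `0.0.0.0` from the always-allowed list in the changed line is a behaviour change for any deployment whose clients or health checks send `Host: 0.0.0.0`; the Note should say explicitly that such requests are now rejected (rather than silently narrowing the list), and the changeset entry should call it out as a behaviour change so operators know to update probes or add the real hostname to the allow-list.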
I dropped `0.0.0.0` to match the Rust SDK implementation. It only serves as a bind sentinel, meaning it listens on every interface, not as a destination. When a real client connects to a server bound to `0.0.0.0`, it resolves through a real interface and sends that in the `Host` header. The previous in-tree validator's check for `is_loopback() || is_unspecified()` mixed up the bind-side and destination-side semantics. The TypeScript and Go MCP SDKs also follow the same implementation.
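The distinction drawn in this comment (loopback literals are legitimate destinations, the unspecified address is only a bind sentinel) is the core of a Host-header check. The following is an added example written for this review, not code from this repository or from the rmcp SDK; the function name `host_allowed`, the helper `split_host_port`, and the allow-list shape are assumptions made for illustration.

```rust
use std::net::IpAddr;

/// Strip an optional port from a Host header value.
/// Handles "example.com:8080", "127.0.0.1:8080" and bracketed IPv6 "[::1]:8080".
/// (Hypothetical helper written for this example.)
fn split_host_port(host: &str) -> &str {
    let host = host.trim();
    if let Some(rest) = host.strip_prefix('[') {
        // Bracketed IPv6 literal: the address is everything up to ']'.
        return rest.split(']').next().unwrap_or("");
    }
    // Strip a port only when there is exactly one colon; an unbracketed
    // IPv6 literal without a port contains several and must stay intact.
    match host.matches(':').count() {
        1 => host.split(':').next().unwrap_or(""),
        _ => host,
    }
}

/// Returns true when `host_header` names a destination this server is
/// willing to answer for. Loopback destinations are always permitted;
/// anything else must appear in the configured allow-list.
/// (Hypothetical validator written for this example.)
pub fn host_allowed(host_header: &str, allowed_hosts: &[&str]) -> bool {
    let host = split_host_port(host_header);
    if host.is_empty() {
        return false;
    }
    if host.eq_ignore_ascii_case("localhost") {
        return true;
    }
    if let Ok(ip) = host.parse::<IpAddr>() {
        // 127.0.0.1 and ::1 are real destinations a local client uses.
        if ip.is_loopback() {
            return true;
        }
        // Deliberately no `ip.is_unspecified()` branch here: 0.0.0.0 and ::
        // are bind-side sentinels, never the address a client connects to,
        // so a Host header carrying them falls through to the allow-list
        // (where it will not match) instead of being waved through.
    }
    allowed_hosts
        .iter()
        .any(|a| split_host_port(a).eq_ignore_ascii_case(host))
}

fn main() {
    // Constructed sample Host headers for a server allow-listed as mcp.example.com.
    let allow = ["mcp.example.com"];
    for h in ["localhost:5000", "[::1]:5000", "0.0.0.0:5000", "mcp.example.com:443", "attacker.example"] {
        println!("{:<22} -> {}", h, if host_allowed(h, &allow) { "allow" } else { "reject" });
    }
}
```

Because the unspecified address is not special-cased, a request whose `Host` is `0.0.0.0:5000` is rejected unless an operator has explicitly allow-listed it, which is the behaviour the changed docs line now describes.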
I'm converting this to a draft. I noticed that
| jsonschema = "0.42.0" | ||
| jsonwebtoken = { version = "10.3", features = ["rust_crypto"] } | ||
| jwks = { git = "https://github.com/chenhunghan/jwks", tag = "v0.5.3" } | ||
| jwks = "0.5.3" |
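Review bot: replacing the git source with `jwks = "0.5.3"` changes the pin semantics; Cargo reads that as the caret requirement `^0.5.3`, so a later 0.5.x release can be pulled in on the next `cargo update`, whereas the removed `tag = "v0.5.3"` fetched exactly that tag. If the intent is to keep the exact release, use `jwks = "=0.5.3"` or rely on the committed Cargo.lock, and check that Cargo.lock no longer references the github.com/chenhunghan/jwks git source.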
JWKS v0.5.3 was published on crates.io so this git workaround is no longer needed.
Bumps `rmcp` from 1.2 to 1.6 to pull in the fix for GHSA-89vp-x53w-74fx (CVE-2026-42559). With 1.6, host validation is enforced inside the Streamable HTTP transport, so the custom axum middleware we used to layer on top is no longer needed.