Fix npm package installation issues #88
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mattpodwysocki
force-pushed
the
valentin_temp
branch
2 times, most recently
from
c7a6f41 to
bdd21ff
Compare
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| "dependencies": { | ||
| "@mcp-ui/server": "^5.13.1", | ||
| "@modelcontextprotocol/sdk": "^1.21.1", | ||
| "@modelcontextprotocol/sdk": "^1.25.1", |
There was a problem hiding this comment.
@modelcontextprotocol/sdk / package.json
🎉 All vulnerabilities were fixed
Total vulnerabilities: 1
| Critical: 0 | High: 1 | Medium: 0 | Low: 0 |
|---|
| Vulnerability ID | Severity | CVSS | Fixed in | Status |
|---|---|---|---|---|
| CVE-2025-15284 |  HIGH |
- | - |
Fixed |
mattpodwysocki
force-pushed
the
valentin_temp
branch
from
bdd21ff to
4f2ce69
Compare
This commit resolves critical installation failures that prevented users from running the package via `npx @mapbox/mcp-server`. When users ran `npx @mapbox/mcp-server`, they encountered: ``` sh: mcp-server: command not found ``` This was caused by multiple installation script failures that prevented npm from properly setting up the binary. **Problem:** The postinstall script runs patch-package, but it was only in devDependencies. End users don't get dev dependencies, causing postinstall to fail. **Solution:** - Moved patch-package from devDependencies to dependencies - Removed duplicate patch-package entry in devDependencies (caused by rebase) - Added patches/ directory to files array in package.json - Ensures patches are included in published package **Problem:** Patch was for @modelcontextprotocol/[email protected], but the ^ version allowed 1.25.1 to be installed, causing patch failures. **Solution:** - Updated SDK dependency to ^1.25.1 - Regenerated patches for new SDK version - Removed old 1.21.1 patch file - Updated src/tools/BaseTool.ts with type annotations required by new SDK **Problem:** The prepare script checked for .git directory, but when users installed the package in THEIR git repo, it found their .git and tried to run husky (which wasn't installed), causing failures. **Solution:** Changed check from .git to .husky/setup-hooks.js: ```javascript // Before: Checks .git (exists in any git repo) "prepare": "... require('fs').accessSync('.git') ..." // After: Checks for actual setup file (only in dev environment) "prepare": "... require('fs').accessSync('.husky/setup-hooks.js') ..." ``` This ensures prepare only runs in the development environment of this package, not when installed as a dependency. **Problem:** TypeScript "Type instantiation is excessively deep" errors after rebasing onto PR #73 with SDK 1.25.1. **Solution:** Added type assertions (`as any`) to break complex type inference chains in: - src/tools/BaseTool.ts (registerTool call) - src/index.ts (setRequestHandler call) These assertions are necessary workarounds for TypeScript's limitations with deeply nested generic types in the MCP SDK. Verified the package works correctly: ```bash cd /tmp npx --yes "@mapbox/[email protected]" ``` Integration tests confirm: - ✅ All dependencies install correctly - ✅ MCP SDK patches apply successfully - ✅ mcp-server binary created and executable - ✅ Server runs without errors - ✅ All tools (SearchAndGeocode, CategorySearch, ReverseGeocode) working - ✅ Schema validation working with metadata fields (PR #86) - ✅ Non-fatal validation working (PR #73) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
mattpodwysocki
force-pushed
the
valentin_temp
branch
from
4f2ce69 to
0d04b68
Compare
mattpodwysocki
previously approved these changes
Jan 6, 2026
7 tasks
ctufts
approved these changes
Jan 6, 2026
mattpodwysocki
approved these changes
Jan 6, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes some installation issues todo with
npx. Additionally:ETA schema fix - mention the SearchAndGeocodeTool.output.schema.ts change:
Fixed eta field schema to accept both number (seconds) and object formats, matching actual API response
Dual-context postinstall - clarify the postinstall now handles both scenarios:
Postinstall script now works in both development (npm install in repo) and as a dependency (installed in user projects)
updating MCP sdk version (this required updating the patch)
Issues Fixed
When users tried to run
npx @mapbox/mcp-server, they encountered the error:This was caused by multiple installation script failures that prevented npm from properly setting up the binary.
Changes
1. Fixed
patch-packageDependency IssueProblem: The
postinstallscript runspatch-package, but it was only indevDependencies. When end users installed the package, they didn't get dev dependencies, causing the postinstall to fail.Solution:
patch-packagefromdevDependenciestodependencies(package.json)patches/directory to thefilesarray to ensure patches are included in published package2. Updated MCP SDK and Regenerated Patches
Problem: The patch was for
@modelcontextprotocol/[email protected], but the^version allowed1.25.1to be installed, causing patch application to fail.Solution:
^1.25.1(package.json)3. Fixed
prepareScript for End UsersProblem: The
preparescript checked for.gitdirectory to decide whether to run husky setup. However, when users installed the package in THEIR git repository, it found their.gitand tried to run husky (which wasn't installed), causing the script to fail.Solution: Changed the check from
.gitto.husky/setup-hooks.js(package.json):This ensures the prepare script only runs in the actual development environment of this package, not when installed as a dependency.
Testing
Verified that the package works correctly using MCP inspector:
Details
shows the correct dev version that I published for testing:
handling missing access token as expected:
Testing MCP functionality:
