Significant updates across the Model Context Protocol ecosystem — new server releases, spec changes, tooling updates, and community milestones.
The newly formed MCP Security Working Group released a formal threat model covering prompt injection via tool output, server supply-chain risks, and permission escalation. The document is now referenced by the official MCP specification as a non-normative companion.
The official Stripe agent toolkit added four new MCP tools: create_invoice, list_subscriptions, cancel_subscription, and retrieve_upcoming_invoice. These tools enable agents to manage the full billing lifecycle without requiring custom Stripe API code.
A new specification draft proposes standardised error response envelopes for MCP tool calls. Currently each server returns errors in its own format, making it difficult for clients to distinguish recoverable from fatal errors. RFC-0041 defines a typed error schema with code, message, and retryable fields.
The Supabase MCP server crossed 2,000 stars, making it the fastest-growing database server in the ecosystem. The latest release adds support for Edge Function deployment and log streaming directly from the agent context.
Claude Desktop now supports granular tool confirmation: you can configure individual servers to require confirmation before every tool call, only for write operations, or never. The setting is accessible in Preferences → MCP Servers. This replaces the previous all-or-nothing confirmation toggle.
Microsoft shipped Playwright MCP server v0.0.19 with multi-tab support. Agents can now open, switch between, and close browser tabs within a single session. The update also adds browser_tabs tool to list open tabs and browser_close_tab for targeted cleanup.
MCP 1.5 is the first minor version bump since the standard was published. Key additions: Server-Sent Events (SSE) as an alternative to stdio transport for remote server deployments, and a resource subscription model that allows clients to watch for changes to named resources without polling.
The number of MCP-prefixed packages on npm crossed 500, up from roughly 80 at the start of 2025. Quality varies significantly — this directory tracks only servers with verified source repositories and accurate tool declarations.
A coordinated disclosure documented a class of prompt injection attacks using the MCP Fetch server. Malicious web pages can embed instruction payloads in HTML comments or hidden elements that are preserved when content is converted to Markdown. Anthropic updated Claude Desktop's tool output rendering to strip certain comment patterns. Server-side mitigations are not yet standardised.
Neon's MCP server now exposes create_branch, reset_branch, and compare_branches tools, enabling full database branching workflows from the agent context. Combined with the existing run_sql tool, agents can prototype schema changes on a branch before applying them to the main database.
The community-built mcp-inspector tool shipped v0.3 with two major features: session replay (record all tool calls and replay them against a different server version) and diff mode (compare tool output between two server versions side by side). Useful for testing server upgrades without breaking agent workflows.
A spec errata update clarified that tool parameter schemas must be valid JSON Schema Draft 7 objects. Several community servers were using non-standard extensions that caused interoperability issues with strict clients. The errata also defines required behaviour when a client receives an unknown parameter type.
MCP Reference launched as a community-maintained directory of Model Context Protocol servers. The initial index covers 30 servers across 9 categories, with verified badges for official Anthropic and vendor-published servers. Install commands, tool lists, and source links are all cross-checked against live repositories.
This changelog covers significant ecosystem events. For individual server release notes, see each server's GitHub repository.