@modelcontextprotocol/sdk fails in CommonJS projects due to incompatible ESM-only dependency (pkce-challenge)

[MauroPerna]

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch @modelcontextprotocol/sdk@1.7.0 for the project I'm working on.

When importing @langchain/mcp-adapters in a CommonJS project (such as NestJS), the following error occurs at runtime:

Error [ERR_REQUIRE_ESM]: require() of ES Module pkce-challenge is not supported in CommonJS modules. Use dynamic import() instead.

The issue originates from @modelcontextprotocol/sdk, which uses a CommonJS-style require() to import pkce-challenge, an ESM-only package.

---

Steps to Reproduce

1. Use @langchain/mcp-adapters in a CommonJS-based NestJS backend
2. Run the project
3. Crash occurs when MCP client initializes

---

Suggested fix

Use dynamic import() instead of require() in auth.js to support ESM-only dependencies within CommonJS projects.

Here’s the minimal diff that solved the issue:

diff --git a/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js b/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js
index 636d770..933474a 100644
--- a/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js
+++ b/node_modules/@modelcontextprotocol/sdk/dist/cjs/client/auth.js
@@ -10,7 +10,16 @@ exports.startAuthorization = startAuthorization;
 exports.exchangeAuthorization = exchangeAuthorization;
 exports.refreshAuthorization = refreshAuthorization;
 exports.registerClient = registerClient;
-const pkce_challenge_1 = __importDefault(require("pkce-challenge"));
+let pkce_challenge_1 = { default: null };
+
+async function loadPkceChallenge() {
+  if (!pkce_challenge_1.default) {
+    const mod = await import("pkce-challenge");
+    pkce_challenge_1.default = mod.default;
+  }
+}

 const types_js_1 = require("../types.js");
 const auth_js_1 = require("../shared/auth.js");
@@ -137,7 +146,8 @@ async function startAuthorization(serverUrl, { metadata, clientInformation, redi
         authorizationUrl = new URL("/authorize", serverUrl);
     }
     // Generate PKCE challenge
-    const challenge = await (0, pkce_challenge_1.default)();
+    await loadPkceChallenge();
+    const challenge = await pkce_challenge_1.default();
     const codeVerifier = challenge.code_verifier;
     const codeChallenge = challenge.code_challenge;
     authorizationUrl.searchParams.set("response_type", responseType);

_{This issue body was partially generated by patch-package.}

[dimavedenyapin]

This is blocking our usage of MCP as well

[QuantGeekDev]

It seems to me like you're importing from the cjs dist, instead of the esm dist. I think there is a dist/esm folder that has what you're looking for

[QuantGeekDev]

@dimavedenyapin @MauroPerna Have you tried changing the imports?

[sndraw]

I also encountered the same problem.

[dimavedenyapin]

@QuantGeekDev How to change the important to import from esm dist?
I am trying

import { Client } from "@modelcontextprotocol/sdk/dist/esm/client";

but not working

[wangshijun]

We encountered the same issue here: AIGNE-io/aigne-framework#36
And a fix has been submitted to the root cause package: crouchcd/pkce-challenge#32

[micahkatz]

Having the same issue as well

[heyitsaamir]

I went to version 1.5.0 which doesn't have the pkce-challenge package. Not the best solution, but I am temporarily unblocked.

[Laci21]

@MauroPerna, thanks for the fix, it works for me as well!

I used this little script (node patch-mcp-sdk.js) to solve the issue based on your suggested fix: https://gist.github.com/Laci21/9dd074f3a5a461ab04adb7db678534d3

[LSTM-Kirigaya]

@MauroPerna, thanks for the fix, it works for me as well!

I used this little script (node patch-mcp-sdk.js) to solve the issue based on your suggested fix: https://gist.github.com/Laci21/9dd074f3a5a461ab04adb7db678534d3

Thanks, your script works very well :D