chore(deps): bump anthropic from 0.86.0 to 0.87.0 in the uv group across 1 directory #3742

Merged
jlowin merged 1 commit into main from dependabot/uv/uv-01fcc849f0
Apr 3, 2026

@dependabot dependabot Bot commented on behalf of github Apr 1, 2026

Bumps the uv group with 1 update in the / directory: anthropic.

Updates anthropic from 0.86.0 to 0.87.0

Release notes

Sourced from anthropic's releases.

v0.87.0

0.87.0 (2026-03-31)

Full Changelog: v0.86.0...v0.87.0

Features

  • client: add error type field to APIStatusError (#1587) (dd563c0)
  • internal: implement indices array format for query and form serialization (11a6244)

Bug Fixes

  • honor api_exclude in async transform path (#1612) (8172232), closes #1610
  • memory: return resolved path from async _validate_path (7b0add3)
  • memory: use restrictive file mode for memory files (47ba5b8)
  • sanitize endpoint path params (98f60e4)
  • transform schema: support enums (#1275) (5c088ab)

Chores

  • ci: run builds on CI even if only spec metadata changed (194c050)
  • ci: skip lint on metadata-only changes (03e2ab9)
  • internal: update gitignore (94ede14)
  • tests: bump steady to v0.19.4 (2d6d58f)
  • tests: bump steady to v0.19.5 (8fb439a)
  • tests: bump steady to v0.19.6 (76da5fd)
  • tests: bump steady to v0.19.7 (bfa40e5)
  • tests: bump steady to v0.20.1 (4fd9446)

Changelog

Sourced from anthropic's changelog.

0.87.0 (2026-03-31)

Full Changelog: v0.86.0...v0.87.0

Features

  • client: add error type field to APIStatusError (#1587) (dd563c0)
  • internal: implement indices array format for query and form serialization (11a6244)

Bug Fixes

  • honor api_exclude in async transform path (#1612) (8172232), closes #1610
  • memory: return resolved path from async _validate_path (7b0add3)
  • memory: use restrictive file mode for memory files (47ba5b8)
  • sanitize endpoint path params (98f60e4)
  • transform schema: support enums (#1275) (5c088ab)

Chores

  • ci: run builds on CI even if only spec metadata changed (194c050)
  • ci: skip lint on metadata-only changes (03e2ab9)
  • internal: update gitignore (94ede14)
  • tests: bump steady to v0.19.4 (2d6d58f)
  • tests: bump steady to v0.19.5 (8fb439a)
  • tests: bump steady to v0.19.6 (76da5fd)
  • tests: bump steady to v0.19.7 (bfa40e5)
  • tests: bump steady to v0.20.1 (4fd9446)

Commits

  • ab0c446 release: 0.87.0
  • 6599043 fix(memory): return resolved path from async _validate_path
  • 715030c fix(memory): use restrictive file mode for memory files
  • 6cdbc5f chore(tests): bump steady to v0.20.1
  • 4beda3c Add output-300k-2026-03-24 beta header
  • 3b77b82 chore(ci): run builds on CI even if only spec metadata changed
  • 764ddba feat(internal): implement indices array format for query and form serialization
  • 8a06a90 codegen metadata
  • 7f8cf3c chore(tests): bump steady to v0.19.7
  • 0eba0dd chore(ci): skip lint on metadata-only changes
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



@dependabot dependabot Bot added the dependencies and python:uv labels Apr 1, 2026
@jlowin jlowin merged commit 75583a6 into main Apr 3, 2026
9 checks passed
@jlowin jlowin deleted the dependabot/uv/uv-01fcc849f0 branch April 3, 2026 14:43
@marvin-context-protocol
Contributor

Test Failure Analysis

Summary: The CI run triggered by merging this PR (run #23950177505) failed with 1 test failure in the Python 3.13 job. This is a pre-existing flaky test introduced in #3710 and is unrelated to the anthropic dependency bump.

Root Cause: test_rate_limiting_with_different_operations in tests/server/middleware/test_rate_limiting.py is a timing-sensitive test that is not robust against token refill. The test configures a RateLimitingMiddleware with max_requests_per_second=9.0 and burst_capacity=5, then expects the token bucket to be exhausted after exactly 5 requests (2x list_tools + 2x call_tool + 1 final call_tool). However, with a refill rate of 9 tokens/second, just ~111ms of elapsed time between requests is enough to restore a token, preventing the rate limit from triggering on the third call_tool. Under load on CI (Python 3.13, ubuntu-latest), the test passes on some runs and fails on others.

The test was introduced in commit d41bcb2 (PR #3710) alongside the large background task context refactor. The anthropic SDK bump is irrelevant to the failure — the same test passes on Python 3.10 and in other jobs.

Suggested Solution: The fix should be applied to tests/server/middleware/test_rate_limiting.py (lines 381–394):

  1. Option A (preferred): Lower burst_capacity to a value that provides more margin. With burst_capacity=3 and making exactly 4 requests before the assertion (e.g., list_tools + call_tool + list_tools + call_tool = 4 > 3), the test would fail immediately without relying on timing. However, since list_tools calls happen implicitly and may or may not be cached, the total request count is non-deterministic.

  2. Option B (robust): Switch to the SlidingWindowRateLimitingMiddleware pattern used by test_sliding_window_rate_limiting (lines 362–379), which uses a 1-minute window and explicit request counts — making it completely timing-independent. Or rewrite the test using global_limit=True with a very low burst_capacity=1 so any second request will always be blocked regardless of timing.

  3. Option C: Replace the max_requests_per_second=9.0 rate with a much lower value (e.g., 0.001) so the token refill is negligibly slow. This makes the test immune to timing variation since it would take ~1000s to refill even one token.

The simplest fix: change the middleware parameters to max_requests_per_second=0.001, burst_capacity=3 — this ensures the bucket refill is negligibly slow while keeping the burst limit tight enough to reliably trigger.

Detailed Analysis

Failed test: tests/server/middleware/test_rate_limiting.py::TestRateLimitingMiddlewareIntegration::test_rate_limiting_with_different_operations

Error:

E           Failed: DID NOT RAISE <class 'fastmcp.exceptions.ToolError'>

tests/server/middleware/test_rate_limiting.py:393: Failed

Request sequence observed in logs:

Handler called: list_tools
Handler called: call_tool quick_action with {'message': 'test'}
Handler called: list_tools
Handler called: call_tool heavy_computation with {}
Handler called: call_tool batch_process with {'items': ['a', 'b', 'c']}   ← should have raised

That's exactly 5 requests against a burst_capacity=5 bucket. The expectation is that all 5 tokens are consumed before batch_process is called. But with refill_rate=9.0/s, any gap ≥111ms between requests replenishes a token. On a loaded CI runner with parallel test workers (-n auto), latency between in-process async operations can easily exceed this threshold.

Why other Python versions passed: The Python 3.10 and Windows jobs happened to have slightly different scheduling behavior/timing that kept requests tight enough to drain the bucket.

Middleware code (src/fastmcp/server/middleware/rate_limiting.py lines 22–58): The TokenBucketRateLimiter correctly refills based on wall-clock elapsed time. The test relies on the assumption that sequential async calls complete in < 111ms total, which is not guaranteed.

Note: initialize is routed to on_initialize (not on_request) in the middleware dispatch, so it does not consume tokens — only the 5 explicit list_tools/call_tool requests count.

Related Files
  • tests/server/middleware/test_rate_limiting.py — the failing test, lines 381–394 (test_rate_limiting_with_different_operations)
  • src/fastmcp/server/middleware/rate_limiting.py — TokenBucketRateLimiter implementation; the consume() method's wall-clock refill logic is correct but the test's parameters are too tight
  • src/fastmcp/server/middleware/middleware.py — _dispatch_handler routing (lines 100–120): initialize goes to on_initialize, all other requests go to on_request (and thus through the rate limiter)

🤖 Generated with Claude Code — test failure analysis agent
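
The timing sensitivity described in the analysis above can be reproduced deterministically. The following is an added example, not FastMCP's code and not part of the original comment: a generic token bucket driven by an injectable clock (FakeClock, TokenBucket and simulate are hypothetical names), sending one request more than the burst capacity with a fixed gap between calls.

```python
# Added illustration: a generic token bucket with an injectable clock.
# Not FastMCP's TokenBucketRateLimiter; all names here are hypothetical.
from typing import Callable, List


class FakeClock:
    """Manually advanced clock so a test never depends on wall time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    def __init__(self, rate: float, capacity: int, clock: Callable[[], float]) -> None:
        self.rate = rate              # tokens added per second
        self.capacity = capacity      # burst size
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def consume(self) -> bool:
        now = self.clock()
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate: float, capacity: int, requests: int, gap_s: float) -> List[bool]:
    """Send `requests` calls spaced `gap_s` apart; return admit/reject per call."""
    clock = FakeClock()
    bucket = TokenBucket(rate, capacity, clock)
    results = []
    for i in range(requests):
        if i:
            clock.advance(gap_s)
        results.append(bucket.consume())
    return results
```

With 25 ms between calls the sixth request is admitted at 9 tokens/second but rejected at 0.001 tokens/second; with no gap it is rejected at either rate.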
