Skip to content

fix(deps): update non-major python dependencies#135

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-python-dependencies
May 27, 2026
Merged

fix(deps): update non-major python dependencies#135
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-python-dependencies

Conversation

@nbl-renovate

@nbl-renovate nbl-renovate Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
fastmcp >=3.2.4,<4>=3.3.1,<4 age confidence
pydantic (changelog) >=2.13.3>=2.13.4 age confidence
pydantic-settings (changelog) >=2.14.0>=2.14.1 age confidence
pytest (changelog) >=9.0.2>=9.0.3 age confidence
ruff (source, changelog) >=0.15.12>=0.15.14 age confidence

Release Notes

PrefectHQ/fastmcp (fastmcp)

v3.3.1: : Loop There It Is

Compare Source

FastMCP 3.3.1 is a hotfix for the 3.3 packaging split. Clean installs of 3.3.0 could fail on standalone component imports like from fastmcp.tools import tool because component modules reached auth and task primitives through fastmcp.server, pulling in the server/provider stack and exposing a circular import.

Component-level auth and task primitives now live in lightweight utility modules, with the old server import paths preserved as compatibility re-exports. Component imports stay lightweight, existing server-facing imports continue to work, and the release also includes small docs corrections from the 3.3 rollout.

What's Changed

Fixes 🐞

Full Changelog: PrefectHQ/fastmcp@v3.3.0...v3.3.1

v3.3.0: : Slim Reaper

Compare Source

FastMCP 3.3 ships fastmcp-slim, a new lightweight distribution that separates the client from the server stack. It also closes out a meaningful backlog of security hardening, observability improvements, and auth additions that accumulated through the 3.2 cycle.

fastmcp-slim

The full FastMCP package pulls in Starlette, Uvicorn, and the rest of the server machinery — necessary for running a server, but wasteful if you're writing a client, a script, or an agent that just needs to talk to MCP. fastmcp-slim is a dependency-light distribution that ships the client and transport layer without any of that.

The import namespace is unchanged:

from fastmcp import Client

async with Client("https://example.com/mcp") as client:
    result = await client.call_tool("my_tool", {"arg": "value"})

Install fastmcp-slim[client] anywhere you want FastMCP's client without the server footprint — CI environments, lightweight agents, library dependencies that shouldn't force Uvicorn on downstream users.

Security

The OAuth proxy received three hardening upgrades. Silent consent is now guarded against AS-in-the-middle attacks — a malicious authorization server can no longer silently approve a consent it wasn't meant to handle. Redirect URI allowlist matching now rejects dot-segment paths (/../, /./) that could otherwise bypass prefix checks. And ResponseCachingMiddleware partitions its cache by access token, closing a gap where different users could see each other's cached responses.

Auth

AzureB2CProvider adds first-class support for Azure AD B2C user flows. The OCI provider is fixed for 3.x installs. And OAuthProxy gains a public update_scopes() API for updating the proxy's required scopes after initialization — useful for servers that determine scope requirements at runtime.

Observability

OTEL instrumentation is now fully compliant with MCP semantic conventions. List operations (list_tools, list_resources, list_prompts, list_resource_templates) are instrumented, and delegate spans on proxy servers are enriched with backend attributes.

Thread Affinity

Sync tools run in a thread pool by default. If your tool holds thread-local state or is bound to a specific thread (UI frameworks, some database drivers), you can now opt out:

@&#8203;mcp.tool(run_in_thread=False)
def my_tool() -> str:
    ...

Under the Hood

Docket is now reentrant, and mounted servers enter their own lifespan — so a server with startup/shutdown logic works correctly when composed into a larger server. The FastMCP constructor accepts experimental_capabilities for passing raw capability flags. Tool errors accept a log_level parameter to control how they're logged. FormInput supports a default prefill value.

Fixes: ping loop now exits cleanly when a stream closes; sampling from background tasks works correctly; Windows startup no longer crashes on non-UTF-8 console output; blank query string values are preserved in OpenAPI routing; $defs introduced by ArgTransform are hoisted to the schema root; HTTP transports are terminated before lifespan shutdown.

13 new contributors this release.

What's Changed

New Features 🎉
Enhancements ✨
Security 🔒
Fixes 🐞
Docs 📚
Dependencies 📦
Other Changes 🦾

New Contributors

Full Changelog: PrefectHQ/fastmcp@v3.2.4...v3.3.0

pydantic/pydantic (pydantic)

v2.13.4

Compare Source

GitHub release

What's Changed
Packaging
Fixes
pydantic/pydantic-settings (pydantic-settings)

v2.14.1

Compare Source

What's Changed

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

astral-sh/ruff (ruff)

v0.15.14

Compare Source

Released on 2026-05-21.

Preview features
  • [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#​25152)
  • [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#​25086)
  • [pylint] Implement too-many-try-statements (W0717) (#​23970)
  • [ruff] Add incorrect-decorator-order (RUF074) (#​23461)
  • [ruff] Add fallible-context-manager (RUF075) (#​22844)
Bug fixes
  • Fix lambda formatting in interpolated string expressions (#​25144)
  • Treat generic frozenset annotations as immutable (#​25251)
  • [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#​25035)
  • [pylint] Avoid false positives in else clause (PLR1733) (#​25177)
Rule changes
  • [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#​25272)
  • [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#​25061)
Performance
  • Avoid unnecessary parser lookahead for operators (#​25290)
Documentation
  • Update code example setting Neovim LSP log level (#​25284)
Other changes
Contributors

v0.15.13

Compare Source

Released on 2026-05-14.

Preview features
  • Add a rule to flag lazy imports that are eagerly evaluated (#​25016)
  • [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#​24996)
Bug fixes
  • Fix F811 false positive for class methods (#​24933)
  • Fix setting selection for multi-folder workspace (#​24819)
  • [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#​25122)
  • [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#​24098)
Rule changes
  • Always include panic payload in panic diagnostic message (#​24873)
  • Restrict PYI034 for in-place operations to enclosing class (#​24511)
  • Improve error message for parameters that are declared global (#​24902)
  • Update known stdlib (#​25103)
Performance
  • [isort] Avoid constructing glob::Patterns for literal known modules (#​25123)
CLI
  • Add TOML examples to --config help text (#​25013)
  • Colorize ruff check 'All checks passed' (#​25085)
Configuration
  • Increase max allowed value of line-length setting (#​24962)
Documentation
  • Add D203 to rules that conflict with the formatter (#​25044)
  • Clarify COM819 and formatter interaction (#​25045)
  • Clarify that NotImplemented is a value, not an exception (F901) (#​25054)
  • Update number of lint rules supported (#​24942)
Other changes
  • Simplify the playground's markdown template (#​24924)
Contributors

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "before 4am on Monday,Tuesday,Wednesday,Thursday,Friday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label May 8, 2026
@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label May 8, 2026
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Passed

Image: netbox-mcp-server:scan

Source Library CVE Severity Installed Fixed Title
netbox-mcp-server:scan (alpine 3.23.4) xz-libs CVE-2026-34743 🟡 MEDIUM 5.8.2-r0 5.8.3-r0 xz: XZ Utils: Denial of Service via buffer overflow in index decoding
Python Authlib CVE-2026-44681 🟡 MEDIUM 1.6.11 1.7.1, 1.6.12 Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect
Python Pygments CVE-2026-4539 ⚪ LOW 2.19.2 2.20.0 pygments: Pygments: Denial of Service via inefficient regular expression process
Python idna CVE-2026-45409 🟡 MEDIUM 3.11 3.15 Internationalized Domain Names in Applications (IDNA): Specially crafted inputs
Python pip CVE-2026-3219 🟡 MEDIUM 26.0.1 26.1 pip: pip: Incorrect file installation due to improper archive handling
Python pip CVE-2026-6357 🟡 MEDIUM 26.0.1 26.1 pip: pip: Arbitrary code execution or information disclosure via malicious wheel

Commit: 9477c7e

@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch from af6d876 to 940baa8 Compare May 11, 2026 00:40
@nbl-renovate nbl-renovate Bot changed the title chore(deps): update dependency pytest to >=9.0.3 fix(deps): update non-major python dependencies May 11, 2026
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch 3 times, most recently from c9c1bbd to 8d2652d Compare May 18, 2026 04:38
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch from 8d2652d to 77e666e Compare May 18, 2026 16:20
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch from 77e666e to 72ee887 Compare May 25, 2026 00:47
@abubnalitic-nbl abubnalitic-nbl merged commit 6d4c13b into main May 27, 2026
14 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the renovate/non-major-python-dependencies branch May 27, 2026 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant