fix(deps): update non-major python dependencies#150
Merged
Conversation
Contributor
Vulnerability Scan: PassedImage: No vulnerabilities found. Commit: f440232 |
9ee54a1 to
25318c4
Compare
Contributor
Author
|
25318c4 to
ed1e8ab
Compare
a7e952a to
fd5943d
Compare
fd5943d to
1be94fa
Compare
1be94fa to
895e2e3
Compare
ltucker
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
>=3.3.1,<4→>=3.4.2,<4>=0.15.14→>=0.15.16Release Notes
PrefectHQ/fastmcp (fastmcp)
v3.4.2: : Heads UpCompare Source
FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as
catwithout being rejected before signature and claim validation, while unsupported critical headers are still rejected.What's Changed
Fixes 🐞
Docs 📚
Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2
v3.4.1: : Floor ItCompare Source
FastMCP 3.4.1 floors Starlette at
>=1.0.1so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively throughmcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.What's Changed
Enhancements ✨
Security 🔒
Docs 📚
Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1
v3.4.0: : Remote ControlCompare Source
FastMCP 3.4 is about reaching servers that live somewhere else. The headline is
fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.fastmcp-remote
Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through
fastmcp run, but that pulls in the full server-runner surface.fastmcp-remoteis the small, single-purpose version: one URL in, one local stdio proxy out.{ "mcpServers": { "linear": { "command": "uvx", "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"] } } }OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives —
Client, OAuth,create_proxy, and stdio — and credits the original npmmcp-remoteproject for the command shape.Bridges That Fail Loudly
Proxies are lazy bridges: they don't touch the upstream server during construction, but they do forward real MCP requests once a client connects. As of 3.4,
initializeis part of that forwarded surface — so a proxy only reports a successful handshake after the upstream server initializes too. A missing backend, a wrong URL (the server root instead of/mcp), denied upstream auth, or a non-MCP upstream now fails the downstreaminitializeinstead of producing a "connected" proxy whose capability fetches quietly come back empty. The proxy also forwardspingupstream now.This is an intentional behavior change from 3.3, and the reason bridge callers like
fastmcp-remotesurface real upstream failures instead of degrading into empty tool lists.Auth That Survives Idle Time
Remote sessions sit idle, and short-lived upstream tokens punish that.
fastmcp_access_token_expiry_secondsdecouples the FastMCP-issued token's lifetime from the upstreamexpires_in— the FastMCP token is just a reference into proxy storage, re-validated and transparently refreshed on every request, so it can safely outlive a 5-minute upstream token without forcing a full OAuth flow after every idle period. When the upstream issues no refresh token, the lifetime is capped to match.Alongside it,
token_expiry_threshold_secondstreats tokens as expired N seconds early to close refresh races, andWorkOSProvidergainsvalid_scopesandextra_authorize_params.Returnable Tool Errors
A tool could previously only signal an error by raising, which flattens to a text-only result and discards structured content.
ToolResultnow acceptsis_error, mapping toCallToolResult.isErrorso a tool can hand back a rich error the model can see and act on. The proxy uses this to forward upstream tool errors intact instead of collapsing them.Code Mode: Safe by Default
MontySandboxProvider()now applies a conservative baseline when constructed without limits — 30s duration, 100 MB memory — andCodeModecaps tool calls at 50 perexecuteblock. Both remain explicitly opt-out (limits=None,max_tool_calls=None), so the safe configuration is the default instead of something you had to remember to turn on.Under the Hood
The auth stack migrated its JWT handling to
joserfc. Thefastmcpdev CLI gains--hostand--log-panel/--no-log-panel. Resources created from templates now preserve annotations, meta, title, and icons; resource templates with query params work on proxied servers; OTEL spans cover the sampling step and tool execution; MCP config files are read as UTF-8; and the OAuth server metadata endpoint now answers at the/.well-known/openid-configurationalias.8 new contributors this release.
What's Changed
New Features 🎉
Breaking Changes⚠️
Enhancements ✨
Security 🔒
Fixes 🐞
Docs 📚
Dependencies 📦
Other Changes 🦾
New Contributors
Full Changelog: PrefectHQ/fastmcp@v3.3.1...v3.4.0
astral-sh/ruff (ruff)
v0.15.16Compare Source
Released on 2026-06-04.
Preview features
flake8-async] Implementyield-in-context-manager-in-async-generator(ASYNC119) (#24644)pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)ruff] Treatyieldbeforebreakfrom a terminal loop as terminal (RUF075) (#25447)Bug fixes
eradicate] Avoid flaggingruff:ignorecomments as code (ERA001) (#25537)eradicate] FixERA001/RUF100conflict whennoqais on commented-out code (#25414)pyflakes] Avoid removing theformatcall when it would change behavior (F523) (#25320)pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510,PLE2512,PLE2513,PLE2514,PLE2515) (#25544)pyupgrade] Avoid convertingformatcalls with more kinds of side effects (UP032) (#25484)Rule changes
flake8-pytest-style] Avoid fixes for ambiguousargnamesandargvaluescombinations (PT006) (#24776)Performance
Documentation
pydocstyle] Improve discoverability of rules enabled for each convention (#24973)ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)bin/active→bin/activatein tutorial (#25473)Other changes
Contributors
v0.15.15Compare Source
Released on 2026-05-28.
Preview features
pyflakes] Report duplicate imports intyping.TYPE_CHECKINGblock (F811) (#22560)Bug fixes
pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)Performance
TokenValuedrops in the lexer (#25300)Vecsize (#25354)ThinVecin AST to shrinkStmt(#25361)Documentation
line-lengthexample for--configoption (#25389)flake8-comprehensions] DocumentRecursionErroredge case in__len__(C416) (#25286)mccabe] Improve example (C901) (#25287)pyupgrade] Clarify fix safety docs (UP007,UP045) (#25288)refurb] DocumentFURB192exception change for empty sequences (#25317)ruff] Document false negative for user-defined types (RUF013) (#25289)Formatter
Server
codeAction/resolverequests that contain no or no valid URL (#25365)Other changes
Contributors
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.