Skip to content

fix(deps): update non-major python dependencies#150

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-python-dependencies
Jun 17, 2026
Merged

fix(deps): update non-major python dependencies#150
abubnalitic-nbl merged 1 commit into
mainfrom
renovate/non-major-python-dependencies

Conversation

@nbl-renovate

@nbl-renovate nbl-renovate Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
fastmcp >=3.3.1,<4>=3.4.2,<4 age confidence
ruff (source, changelog) >=0.15.14>=0.15.16 age confidence

Release Notes

PrefectHQ/fastmcp (fastmcp)

v3.4.2: : Heads Up

Compare Source

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞
Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: : Floor It

Compare Source

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨
  • Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in #​4276
Security 🔒
Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

v3.4.0: : Remote Control

Compare Source

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.

fastmcp-remote

Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through fastmcp run, but that pulls in the full server-runner surface. fastmcp-remote is the small, single-purpose version: one URL in, one local stdio proxy out.

{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}

OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — Client, OAuth, create_proxy, and stdio — and credits the original npm mcp-remote project for the command shape.

Bridges That Fail Loudly

Proxies are lazy bridges: they don't touch the upstream server during construction, but they do forward real MCP requests once a client connects. As of 3.4, initialize is part of that forwarded surface — so a proxy only reports a successful handshake after the upstream server initializes too. A missing backend, a wrong URL (the server root instead of /mcp), denied upstream auth, or a non-MCP upstream now fails the downstream initialize instead of producing a "connected" proxy whose capability fetches quietly come back empty. The proxy also forwards ping upstream now.

This is an intentional behavior change from 3.3, and the reason bridge callers like fastmcp-remote surface real upstream failures instead of degrading into empty tool lists.

Auth That Survives Idle Time

Remote sessions sit idle, and short-lived upstream tokens punish that. fastmcp_access_token_expiry_seconds decouples the FastMCP-issued token's lifetime from the upstream expires_in — the FastMCP token is just a reference into proxy storage, re-validated and transparently refreshed on every request, so it can safely outlive a 5-minute upstream token without forcing a full OAuth flow after every idle period. When the upstream issues no refresh token, the lifetime is capped to match.

from fastmcp.server.auth.providers.github import GitHubProvider

auth = GitHubProvider(
    client_id="...",
    client_secret="...",
    base_url="https://your-server.com",
    fastmcp_access_token_expiry_seconds=60 * 60 * 24,  # 24h client-facing token
)

Alongside it, token_expiry_threshold_seconds treats tokens as expired N seconds early to close refresh races, and WorkOSProvider gains valid_scopes and extra_authorize_params.

Returnable Tool Errors

A tool could previously only signal an error by raising, which flattens to a text-only result and discards structured content. ToolResult now accepts is_error, mapping to CallToolResult.isError so a tool can hand back a rich error the model can see and act on. The proxy uses this to forward upstream tool errors intact instead of collapsing them.

@&#8203;mcp.tool
def lookup(id: str) -> ToolResult:
    if not found(id):
        return ToolResult(
            content="not found",
            structured_content={"code": 404, "id": id},
            is_error=True,
        )
    ...

Code Mode: Safe by Default

MontySandboxProvider() now applies a conservative baseline when constructed without limits — 30s duration, 100 MB memory — and CodeMode caps tool calls at 50 per execute block. Both remain explicitly opt-out (limits=None, max_tool_calls=None), so the safe configuration is the default instead of something you had to remember to turn on.

Under the Hood

The auth stack migrated its JWT handling to joserfc. The fastmcp dev CLI gains --host and --log-panel/--no-log-panel. Resources created from templates now preserve annotations, meta, title, and icons; resource templates with query params work on proxied servers; OTEL spans cover the sampling step and tool execution; MCP config files are read as UTF-8; and the OAuth server metadata endpoint now answers at the /.well-known/openid-configuration alias.

8 new contributors this release.

What's Changed

New Features 🎉
Breaking Changes ⚠️
Enhancements ✨
Security 🔒
Fixes 🐞
Docs 📚
Dependencies 📦
Other Changes 🦾

New Contributors

Full Changelog: PrefectHQ/fastmcp@v3.3.1...v3.4.0

astral-sh/ruff (ruff)

v0.15.16

Compare Source

Released on 2026-06-04.

Preview features
  • [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#​24644)
  • [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#​25440)
  • [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#​25447)
Bug fixes
  • [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#​25537)
  • [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#​25414)
  • [pyflakes] Avoid removing the format call when it would change behavior (F523) (#​25320)
  • [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#​25544)
  • [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#​25484)
Rule changes
  • [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#​24776)
Performance
  • Drop excess capacity from statement suites during parsing (#​25368)
Documentation
  • [pydocstyle] Improve discoverability of rules enabled for each convention (#​24973)
  • [ruff] Restore example code for Python versions before 3.15 (RUF017) (#​25439)
  • Fix typo bin/activebin/activate in tutorial (#​25473)
Other changes
  • Shrink additional parser AST collections (#​25465)
Contributors

v0.15.15

Compare Source

Released on 2026-05-28.

Preview features
  • Fix Markdown closing fence handling (#​25310)
  • [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#​22560)
Bug fixes
  • [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#​21540)
Performance
  • Avoid redundant TokenValue drops in the lexer (#​25300)
  • Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#​25354)
  • Use ThinVec in AST to shrink Stmt (#​25361)
Documentation
  • Fix line-length example for --config option (#​25389)
  • [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#​25286)
  • [mccabe] Improve example (C901) (#​25287)
  • [pyupgrade] Clarify fix safety docs (UP007, UP045) (#​25288)
  • [refurb] Document FURB192 exception change for empty sequences (#​25317)
  • [ruff] Document false negative for user-defined types (RUF013) (#​25289)
Formatter
  • Fix formatting of lambdas nested within f-strings (#​25398)
Server
  • Return code action for codeAction/resolve requests that contain no or no valid URL (#​25365)
Other changes
  • Expand semantic syntax errors for invalid walruses (#​25415)
Contributors

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • "before 4am on Monday,Tuesday,Wednesday,Thursday,Friday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label Jun 1, 2026
@nbl-renovate nbl-renovate Bot added the dependencies Pull requests that update a dependency file label Jun 1, 2026
@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Passed

Image: netbox-mcp-server:scan

No vulnerabilities found.

Commit: f440232

@nbl-renovate nbl-renovate Bot changed the title chore(deps): update dependency ruff to >=0.15.15 chore(deps): update non-major python dependencies to >=0.15.15 Jun 3, 2026
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch from 9ee54a1 to 25318c4 Compare June 9, 2026 10:25
@nbl-renovate

nbl-renovate Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pyproject.toml
Artifact update for ruff resolved to version 0.15.17, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 0.15.16
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch from 25318c4 to ed1e8ab Compare June 10, 2026 04:49
@nbl-renovate nbl-renovate Bot changed the title chore(deps): update non-major python dependencies to >=0.15.15 fix(deps): update non-major python dependencies Jun 10, 2026
@nbl-renovate nbl-renovate Bot force-pushed the renovate/non-major-python-dependencies branch 3 times, most recently from a7e952a to fd5943d Compare June 15, 2026 00:47
@abubnalitic-nbl abubnalitic-nbl force-pushed the renovate/non-major-python-dependencies branch from fd5943d to 1be94fa Compare June 17, 2026 13:44
@abubnalitic-nbl abubnalitic-nbl force-pushed the renovate/non-major-python-dependencies branch from 1be94fa to 895e2e3 Compare June 17, 2026 14:12
@abubnalitic-nbl abubnalitic-nbl merged commit 8b5fd4b into main Jun 17, 2026
13 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the renovate/non-major-python-dependencies branch June 17, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants