Skip to content

build(deps): bump the mcp-minor-patch group across 1 directory with 2 updates#94

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/mcp_server/mcp-minor-patch-6b3bc06a56
Open

build(deps): bump the mcp-minor-patch group across 1 directory with 2 updates#94
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/mcp_server/mcp-minor-patch-6b3bc06a56

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the mcp-minor-patch group with 2 updates in the /mcp_server directory: fastmcp and pytest.

Updates fastmcp from 3.4.2 to 3.4.3

Release notes

Sourced from fastmcp's releases.

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

Docs 📚

Dependencies 📦

Other Changes 🦾

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319
  • Recognize all GitHub issue-link forms in require-issue-link workflow by @​jlowin in #4359
  • fix: preserve required discriminator tags by @​he-yufeng in #4297
  • fix(proxy): shield stateful proxy disconnect during session teardown by @​jlowin in #4363
  • fix(fs): isolate same-named package imports across providers by @​jlowin in #4361
  • fix: StatefulProxyClient.clear() no longer causes KeyError on session teardown by @​tcconnally in #4328
  • fix: guard recursive refs in json_schema_to_type by @​Epochex in #4312
  • Forward IdP auth errors to MCP client instead of showing HTML error page by @​bobbyjames839 in #4293
  • fix(resources): round-trip path values with reserved characters in URI templates by @​jlowin in #4368
  • fix: bracket IPv6 hosts in server startup log URL by @​jlowin in #4372
  • fix: bound default OIDC discovery timeout and expose it on provider wrappers by @​jlowin in #4374
  • fix: validate task tool arguments against declared types by @​jlowin in #4373
  • fix(tools): honor serialize_by_alias in tool result serialization by @​jlowin in #4391
  • Fix/cimd flow issue by @​twjackysu in #4206
  • Reject empty env var keys by @​CodingFeng101 in #4410
  • fix: correct replace_type docstring parameter descriptions by @​hiSandog in #4375
  • Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift by @​jlowin in #4428
  • [codex] Fix OpenAPI resource template requests by @​jlowin in #4407

Docs 📚

  • fix: RST docstrings in fastmcp.types render raw on gofastmcp.com by @​jlowin in #4367

... (truncated)

Commits
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • 522ed5b fix: correct replace_type docstring parameter descriptions (#4375)
  • 67527c1 Block unsafe OAuth redirect schemes (#4419)
  • 57a2799 Protect streamable HTTP from DNS rebinding (#4405)
  • cccb529 Fix DCR redirect URI validation (#4408)
  • Additional commits viewable in compare view

Updates pytest from 9.1.0 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.
Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the mcp-minor-patch group with 2 updates in the /mcp_server directory: [fastmcp](https://github.com/PrefectHQ/fastmcp) and [pytest](https://github.com/pytest-dev/pytest).


Updates `fastmcp` from 3.4.2 to 3.4.3
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.3)

Updates `pytest` from 9.1.0 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.1.0...9.1.1)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mcp-minor-patch
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mcp-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies, mcp-server, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants