Skip to content

chore(deps): update fastmcp requirement from >=3.4.2 to >=3.4.3#28

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/fastmcp-gte-3.4.3
Open

chore(deps): update fastmcp requirement from >=3.4.2 to >=3.4.3#28
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/fastmcp-gte-3.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on fastmcp to permit the latest version.

Release notes

Sourced from fastmcp's releases.

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

Docs 📚

Dependencies 📦

Other Changes 🦾

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319
  • Recognize all GitHub issue-link forms in require-issue-link workflow by @​jlowin in #4359
  • fix: preserve required discriminator tags by @​he-yufeng in #4297
  • fix(proxy): shield stateful proxy disconnect during session teardown by @​jlowin in #4363
  • fix(fs): isolate same-named package imports across providers by @​jlowin in #4361
  • fix: StatefulProxyClient.clear() no longer causes KeyError on session teardown by @​tcconnally in #4328
  • fix: guard recursive refs in json_schema_to_type by @​Epochex in #4312
  • Forward IdP auth errors to MCP client instead of showing HTML error page by @​bobbyjames839 in #4293
  • fix(resources): round-trip path values with reserved characters in URI templates by @​jlowin in #4368
  • fix: bracket IPv6 hosts in server startup log URL by @​jlowin in #4372
  • fix: bound default OIDC discovery timeout and expose it on provider wrappers by @​jlowin in #4374
  • fix: validate task tool arguments against declared types by @​jlowin in #4373
  • fix(tools): honor serialize_by_alias in tool result serialization by @​jlowin in #4391
  • Fix/cimd flow issue by @​twjackysu in #4206
  • Reject empty env var keys by @​CodingFeng101 in #4410
  • fix: correct replace_type docstring parameter descriptions by @​hiSandog in #4375
  • Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift by @​jlowin in #4428
  • [codex] Fix OpenAPI resource template requests by @​jlowin in #4407

Docs 📚

  • fix: RST docstrings in fastmcp.types render raw on gofastmcp.com by @​jlowin in #4367

... (truncated)

Commits
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • 522ed5b fix: correct replace_type docstring parameter descriptions (#4375)
  • 67527c1 Block unsafe OAuth redirect schemes (#4419)
  • 57a2799 Protect streamable HTTP from DNS rebinding (#4405)
  • cccb529 Fix DCR redirect URI validation (#4408)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [fastmcp](https://github.com/PrefectHQ/fastmcp) to permit the latest version.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.3)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants