Skip to content

chore(deps): bump fastmcp from 2.12.0 to 3.3.1 in /backend#2817

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/backend/fastmcp-3.2.4
Open

chore(deps): bump fastmcp from 2.12.0 to 3.3.1 in /backend#2817
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/backend/fastmcp-3.2.4

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026
edited
Loading

Bumps fastmcp from 2.12.0 to 3.3.1.

Release notes

Sourced from fastmcp's releases.

v3.3.1: Loop There It Is

FastMCP 3.3.1 is a hotfix for the 3.3 packaging split. Clean installs of 3.3.0 could fail on standalone component imports like from fastmcp.tools import tool because component modules reached auth and task primitives through fastmcp.server, pulling in the server/provider stack and exposing a circular import.

Component-level auth and task primitives now live in lightweight utility modules, with the old server import paths preserved as compatibility re-exports. Component imports stay lightweight, existing server-facing imports continue to work, and the release also includes small docs corrections from the 3.3 rollout.

What's Changed

Fixes 🐞

Full Changelog: PrefectHQ/fastmcp@v3.3.0...v3.3.1

v3.3.0: Slim Reaper

FastMCP 3.3 ships fastmcp-slim, a new lightweight distribution that separates the client from the server stack. It also closes out a meaningful backlog of security hardening, observability improvements, and auth additions that accumulated through the 3.2 cycle.

fastmcp-slim

The full FastMCP package pulls in Starlette, Uvicorn, and the rest of the server machinery — necessary for running a server, but wasteful if you're writing a client, a script, or an agent that just needs to talk to MCP. fastmcp-slim is a dependency-light distribution that ships the client and transport layer without any of that.

The import namespace is unchanged:

from fastmcp import Client
async with Client("https://example.com/mcp") as client:
result = await client.call_tool("my_tool", {"arg": "value"})

Install fastmcp-slim[client] anywhere you want FastMCP's client without the server footprint — CI environments, lightweight agents, library dependencies that shouldn't force Uvicorn on downstream users.

Security

The OAuth proxy received three hardening upgrades. Silent consent is now guarded against AS-in-the-middle attacks — a malicious authorization server can no longer silently approve a consent it wasn't meant to handle. Redirect URI allowlist matching now rejects dot-segment paths (/../, /./) that could otherwise bypass prefix checks. And ResponseCachingMiddleware partitions its cache by access token, closing a gap where different users could see each other's cached responses.

Auth

AzureB2CProvider adds first-class support for Azure AD B2C user flows. The OCI provider is fixed for 3.x installs. And OAuthProxy gains a public update_scopes() API for updating the proxy's required scopes after initialization — useful for servers that determine scope requirements at runtime.

Observability

OTEL instrumentation is now fully compliant with MCP semantic conventions. List operations (list_tools, list_resources, list_prompts, list_resource_templates) are instrumented, and delegate spans on proxy servers are enriched with backend attributes.

Thread Affinity

Sync tools run in a thread pool by default. If your tool holds thread-local state or is bound to a specific thread (UI frameworks, some database drivers), you can now opt out:

... (truncated)

Changelog

Sourced from fastmcp's changelog.

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.1.1: 'Tis But a Patch

Pins pydantic-monty below 0.0.8 to fix a breaking change in Monty that affects code mode. Monty 0.0.8 removed the external_functions constructor parameter, causing MontySandboxProvider to fail. This patch caps the version so existing installs work correctly.

Fixes 🐞

Full Changelog: v3.1.0...v3.1.1

v3.1.0: Code to Joy

FastMCP 3.1 is the Code Mode release. The 3.0 architecture introduced providers and transforms as the extensibility layer — 3.1 puts that architecture to work, shipping the most requested capability since launch: servers that can find and execute code on behalf of agents, without requiring clients to know what tools exist.

New Features 🎉

Enhancements 🔧

... (truncated)

Commits
  • d8dcc27 Decouple component imports from server (#4150)
  • 255e3e4 fix(docs): use valid FA icon on client-only package page (#4139)
  • 73df4dc chore: Update SDK documentation (#4096)
  • ee48a0f Refine fastmcp-slim packaging (#4125)
  • bb4894d Add fastmcp-slim for client-only installs (#4122)
  • 8209093 fix(http): terminate active streamable-HTTP transports before lifespan shutdo...
  • cf59a45 Fix OCI Provider issue in 3.x version. Add OCI auth provider example … (#4116)
  • 89b99ec fix(proxy): fall back to live identifier for backend_* span attributes (#4109)
  • 310314c fix: cli option --no-banner is NOT passed to cli but server-spec in-correctly...
  • 28722f8 fix: drop exc_info for expected tool failures, remove unreachable ValidationE...
  • Additional commits viewable in compare view

@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 17, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested review from Dallas98 and WMC001 as code owners April 17, 2026 15:46
@dependabot dependabot Bot mentioned this pull request Apr 17, 2026
Closed
@dependabot dependabot Bot changed the base branch from main to feature/build-offline-package May 18, 2026 12:33
@dependabot dependabot Bot force-pushed the dependabot/pip/backend/fastmcp-3.2.4 branch from 0db6abc to df894df Compare May 18, 2026 12:33
@dependabot dependabot Bot changed the title Bump fastmcp from 2.12.0 to 3.2.4 in /backend chore(deps): bump fastmcp from 2.12.0 to 3.3.1 in /backend May 18, 2026
@dependabot
chore(deps): bump fastmcp from 2.12.0 to 3.3.1 in /backend
a565917 
Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 2.12.0 to 3.3.1.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v2.12.0...v3.3.1)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from feature/build-offline-package to main May 18, 2026 12:35
@dependabot dependabot Bot force-pushed the dependabot/pip/backend/fastmcp-3.2.4 branch from df894df to a565917 Compare May 18, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WMC001 WMC001 Awaiting requested review from WMC001 WMC001 is a code owner

@Dallas98 Dallas98 Awaiting requested review from Dallas98 Dallas98 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants