Skip to content

build(deps): update fastmcp requirement from <3.0,>=2.14.2 to >=2.14.2,<4.0 in /backend#3405

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/pip/backend/fastmcp-gte-2.14.2-and-lt-4.0
Open

build(deps): update fastmcp requirement from <3.0,>=2.14.2 to >=2.14.2,<4.0 in /backend#3405
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/pip/backend/fastmcp-gte-2.14.2-and-lt-4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown

Updates the requirements on fastmcp to permit the latest version.

Release notes

Sourced from fastmcp's releases.

v3.4.4: Host in Translation

FastMCP 3.4.4 restores HTTP deployment compatibility after the 3.4.3 Host/Origin guard changed default behavior for existing ASGI, serverless, and reverse-proxy deployments. The guard implementation remains available for deployments that opt in with explicit trusted hosts and origins, while 3.x returns to accepting traffic that worked before the patch. This release also adds Hugging Face OAuth provider support, with docs and examples for public and private apps, PKCE, Dynamic Client Registration, and CIMD.

What's Changed

Enhancements ✨

Fixes 🐞

Docs 📚

New Contributors

Full Changelog: PrefectHQ/fastmcp@v3.4.3...v3.4.4

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.4: Host in Translation

FastMCP 3.4.4 restores HTTP deployment compatibility after the 3.4.3 Host/Origin guard changed default behavior for existing ASGI, serverless, and reverse-proxy deployments. The guard implementation remains available for deployments that opt in with explicit trusted hosts and origins, while 3.x returns to accepting traffic that worked before the patch. This release also adds Hugging Face OAuth provider support, with docs and examples for public and private apps, PKCE, Dynamic Client Registration, and CIMD.

Enhancements ✨

Fixes 🐞

New Contributors

Full Changelog: v3.4.3...v3.4.4

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319

... (truncated)

Commits
  • 9138d40 Docs: add v3.4.4 changelog entries (#4473)
  • d929882 Hugging Face Auth Integration (#4385)
  • 5fe4fae Restore HTTP host guard compatibility (#4472)
  • 400db61 Relax host origin guard defaults (#4439)
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Updates the requirements on [fastmcp](https://github.com/PrefectHQ/fastmcp) to permit the latest version.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v2.14.2...v3.4.4)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the base branch from main to develop July 14, 2026 03:14
@dependabot dependabot Bot force-pushed the dependabot/pip/backend/fastmcp-gte-2.14.2-and-lt-4.0 branch from 62785d9 to 053aef5 Compare July 14, 2026 03:14
@dependabot dependabot Bot changed the title chore(deps): update fastmcp requirement from <3.0,>=2.14.2 to >=2.14.2,<4.0 in /backend build(deps): update fastmcp requirement from <3.0,>=2.14.2 to >=2.14.2,<4.0 in /backend Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants