Skip to content

chore(deps-dev): bump fastmcp from 3.4.2 to 3.4.3#42065

Merged
rusackas merged 2 commits into
masterfrom
dependabot/pip/fastmcp-3.4.3
Jul 15, 2026
Merged

chore(deps-dev): bump fastmcp from 3.4.2 to 3.4.3#42065
rusackas merged 2 commits into
masterfrom
dependabot/pip/fastmcp-3.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps fastmcp from 3.4.2 to 3.4.3.

Release notes

Sourced from fastmcp's releases.

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

Docs 📚

Dependencies 📦

Other Changes 🦾

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.4: Host in Translation

FastMCP 3.4.4 restores HTTP deployment compatibility after the 3.4.3 Host/Origin guard changed default behavior for existing ASGI, serverless, and reverse-proxy deployments. The guard implementation remains available for deployments that opt in with explicit trusted hosts and origins, while 3.x returns to accepting traffic that worked before the patch. This release also adds Hugging Face OAuth provider support, with docs and examples for public and private apps, PKCE, Dynamic Client Registration, and CIMD.

Enhancements ✨

Fixes 🐞

New Contributors

Full Changelog: v3.4.3...v3.4.4

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319

... (truncated)

Commits
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • 522ed5b fix: correct replace_type docstring parameter descriptions (#4375)
  • 67527c1 Block unsafe OAuth redirect schemes (#4419)
  • 57a2799 Protect streamable HTTP from DNS rebinding (#4405)
  • cccb529 Fix DCR redirect URI validation (#4408)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot Bot added dependabot pip Dependabot - pip related PRs labels Jul 15, 2026
@bito-code-review

bito-code-review Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Code Review Agent Run #37f63c

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 746083b..746083b
    • pyproject.toml
    • requirements/development.txt
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.05%. Comparing base (9db8820) to head (8f43f37).

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #42065   +/-   ##
=======================================
  Coverage   65.05%   65.05%           
=======================================
  Files        2747     2747           
  Lines      153843   153843           
  Branches    35268    35268           
=======================================
  Hits       100089   100089           
  Misses      51844    51844           
  Partials     1910     1910           
Flag Coverage Δ
hive 39.06% <ø> (ø)
mysql 57.89% <ø> (ø)
postgres 57.94% <ø> (ø)
presto 41.04% <ø> (ø)
python 59.32% <ø> (ø)
sqlite 57.55% <ø> (ø)
unit 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

dependabot Bot and others added 2 commits July 14, 2026 20:07
Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.4.2 to 3.4.3.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.3)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@rusackas
rusackas force-pushed the dependabot/pip/fastmcp-3.4.3 branch from 95bd5a3 to 8f43f37 Compare July 15, 2026 03:12

@rusackas rusackas left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Green CI, minor/patch version bump — approving and merging via dependabot maintenance pass.

@rusackas
rusackas merged commit b4373f6 into master Jul 15, 2026
59 checks passed
@rusackas
rusackas deleted the dependabot/pip/fastmcp-3.4.3 branch July 15, 2026 03:38
@bito-code-review

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependabot pip Dependabot - pip related PRs size/XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant