chore(deps): update uv: bump the uv-version-updates group across 1 directory with 4 updates

[dependabot]

Bumps the uv-version-updates group with 4 updates in the / directory: fastmcp, checkov, ruff and pyright.

Updates fastmcp from 2.12.4 to 2.13.0.1

Release notes

Sourced from fastmcp's releases.

v2.13.0.1: Cache Me If You Can

This release includes an important bugfix for 2.13.0 that affects how the Azure OAuth provider handles scopes.

What's Changed

Enhancements 🔧

• Add "High Value" Ruff Rules by @​strawgate in jlowin/fastmcp#2255

Fixes 🐞

• Fix Azure scope validation by @​jlowin in jlowin/fastmcp#2269

Other Changes 🦾

• Add CI test job for lowest-direct dependency resolution by @​Copilot in jlowin/fastmcp#2261

New Contributors

• @​Copilot made their first contribution in jlowin/fastmcp#2261

Full Changelog: jlowin/fastmcp@v2.13.0...v2.13.0.1

v2.13.0: Cache Me If You Can

FastMCP 2.13.0 "Cache Me If You Can" represents a fundamental maturation of the framework. After months of community feedback on authentication and state management, this release delivers the infrastructure FastMCP needs to handle production workloads: persistent storage, response caching, and pragmatic OAuth improvements that reflect real-world deployment challenges.

💾 Pluggable storage backends bring persistent state to FastMCP servers. Built on py-key-value-aio, a new library from FastMCP maintainer Bill Easton (@​strawgate), the storage layer provides encrypted disk storage by default, platform-aware token management, and a simple key-value interface for application state. We're excited to bring this elegantly designed library into the FastMCP ecosystem - it's both powerful and remarkably easy to use, including wrappers to add encryption, TTLs, caching, and more to backends ranging from Elasticsearch, Redis, DynamoDB, filesystem, in-memory, and more! OAuth providers now automatically persist tokens across restarts, and developers can store arbitrary state without reaching for external databases. This foundation enables long-running sessions, cached credentials, and stateful applications built on MCP.

🔐 OAuth maturity brings months of production learnings into the framework. The new consent screen prevents confused deputy and authorization bypass attacks discovered in earlier versions while providing a clean UX with customizable branding. The OAuth proxy now issues its own tokens with automatic key derivation from client secrets, and RFC 7662 token introspection support enables enterprise auth flows. Path prefix mounting enables OAuth-protected servers to integrate into existing web applications under custom paths like /api, and MCP 1.17+ compliance with RFC 9728 ensures protocol compatibility. Combined with improved error handling and platform-aware token storage, OAuth is now production-ready and security-hardened for serious applications.

FastMCP now supports out-of-the-box authentication with:

• WorkOS and AuthKit
• GitHub
• Google
• Azure (Entra ID)
• AWS Cognito
• Auth0
• Descope
• Scalekit
• JWTs
• RFC 7662 token introspection

⚡ Response Caching Middleware dramatically improves performance for expensive operations. Cache tool and resource responses with configurable TTLs, reducing redundant API calls and speeding up repeated queries.

🔄 Server lifespans provide proper initialization and cleanup hooks that run once per server instance instead of per client session. This fixes a long-standing source of confusion in the MCP SDK and enables proper resource management for database connections, background tasks, and other server-level state. Note: this is a breaking behavioral change if you were using the lifespan parameter.

✨ Developer experience improvements include Pydantic input validation for better type safety, icon support for richer UX, RFC 6570 query parameters for resource templates, improved Context API methods (list_resources, list_prompts, get_prompt), and async file/directory resources.

This release includes contributions from 20 new contributors and represents the largest feature set in a while. Thank you to everyone who tested preview builds and filed issues - your feedback shaped these improvements!

What's Changed

New Features 🎉

• Add RFC 6570 query parameter support to resource templates by @​jlowin in jlowin/fastmcp#1971

... (truncated)

Commits

• ba47db9 Fix Azure scope validation (#2269)
• 9d4c378 Add "High Value" Ruff Rules (#2255)
• e74918a Add CI test job for lowest-direct dependency resolution (#2261)
• 716e50d chore: Update SDK documentation (#2214)
• 5896daf Stage 2.13.0 updates (#2252)
• b57a39c Remove redundant None checks from Context methods (#2251)
• 3808355 Async FileResource and DirectoryResource (#2241)
• 1e5776f Add list_resources, list_prompts, and get_prompt methods to Context (#2249)
• 2f13119 Add Documentation for FastMCP Server Testing (#2244)
• c002bc3 Small Clean-up (#2247)
• Additional commits viewable in compare view

Updates checkov from 3.2.483 to 3.2.488

Release notes

Sourced from checkov's releases.

3.2.487

Bug Fix

• general: CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cloudformation - #7352

3.2.486

Feature

• general: update setuptools version 78.1.1 - #7347

3.2.485

Bug Fix

• general: fix urllib3 dependency - #7345

3.2.484

Bug Fix

• terraform_plan: Correctly handle complex types for after_unknown - #7333

Changelog

Sourced from checkov's changelog.

CHANGELOG

Unreleased

3.2.487 - 2025-10-23

Bug Fix

• general: CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cloudformation - #7352

3.2.486 - 2025-10-22

Feature

• general: update setuptools version 78.1.1 - #7347

3.2.485 - 2025-10-20

Bug Fix

• general: fix urllib3 dependency - #7345

3.2.484 - 2025-10-15

Bug Fix

• terraform_plan: Correctly handle complex types for after_unknown - #7333

Commits

• 80540ce chore: update release notes
• a4cd7c1 feat(terraform_plan): add new cases for foreach in the presence of skips (#7351)
• 0a49134 chore: update release notes
• 6a950a4 Merge a9f68d8e6bd7366d906a5280af276cf601c44a14 into 7a6821559d58aa623b45b52cc...
• 9a9f451 fix(general): CKV_AWS_174 should-allow-higher-then-TLSv1.2 - terraform and cl...
• 6a5c1fe chore: update release notes
• 7a68215 feat(general): update setuptools version 78.1.1 (#7347)
• 8f032a3 feat(general): update setuptools version 78.1.1 (#7347)
• 55638fc chore: update release notes
• 416ce6b Merge 3ec62980300cf8e5b1e28f254dc5c28e1bfae4a0 into 89a4ed7df50b0464de6e387ad...
• Additional commits viewable in compare view

Updates ruff from 0.14.0 to 0.14.2

Release notes

Sourced from ruff's releases.

0.14.2

Release Notes

Released on 2025-10-23.

Preview features

• [flake8-gettext] Resolve qualified names and built-in bindings (INT001, INT002, INT003) (#19045)

Bug fixes

• Avoid reusing nested, interpolated quotes before Python 3.12 (#20930)
• Catch syntax errors in nested interpolations before Python 3.12 (#20949)
• [fastapi] Handle ellipsis defaults in FAST002 autofix (#20810)
• [flake8-simplify] Skip SIM911 when unknown arguments are present (#20697)
• [pyupgrade] Always parenthesize assignment expressions in fix for f-string (UP032) (#21003)
• [pyupgrade] Fix UP032 conversion for decimal ints with underscores (#21022)
• [fastapi] Skip autofix for keyword and __debug__ path params (FAST003) (#20960)

Rule changes

• [flake8-bugbear] Skip B905 and B912 for fewer than two iterables and no starred arguments (#20998)
• [ruff] Use DiagnosticTag for more pyflakes and pandas rules (#20801)

CLI

• Improve JSON output from ruff rule (#20168)

Documentation

• Add source to testimonial (#20971)
• Document when a rule was added (#21035)

Other changes

• [syntax-errors] Name is parameter and global (#20426)
• [syntax-errors] Alternative match patterns bind different names (#20682)

Contributors

• @​hengky-kurniawan-1
• @​ShalokShalom
• @​robsdedude
• @​LoicRiegel
• @​TaKO8Ki
• @​dylwil3
• @​11happy
• @​ntBre

Install ruff 0.14.2

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.2

Released on 2025-10-23.

Preview features

• [flake8-gettext] Resolve qualified names and built-in bindings (INT001, INT002, INT003) (#19045)

Bug fixes

• Avoid reusing nested, interpolated quotes before Python 3.12 (#20930)
• Catch syntax errors in nested interpolations before Python 3.12 (#20949)
• [fastapi] Handle ellipsis defaults in FAST002 autofix (#20810)
• [flake8-simplify] Skip SIM911 when unknown arguments are present (#20697)
• [pyupgrade] Always parenthesize assignment expressions in fix for f-string (UP032) (#21003)
• [pyupgrade] Fix UP032 conversion for decimal ints with underscores (#21022)
• [fastapi] Skip autofix for keyword and __debug__ path params (FAST003) (#20960)

Rule changes

• [flake8-bugbear] Skip B905 and B912 for fewer than two iterables and no starred arguments (#20998)
• [ruff] Use DiagnosticTag for more pyflakes and pandas rules (#20801)

CLI

• Improve JSON output from ruff rule (#20168)

Documentation

• Add source to testimonial (#20971)
• Document when a rule was added (#21035)

Other changes

• [syntax-errors] Name is parameter and global (#20426)
• [syntax-errors] Alternative match patterns bind different names (#20682)

Contributors

• @​hengky-kurniawan-1
• @​ShalokShalom
• @​robsdedude
• @​LoicRiegel
• @​TaKO8Ki
• @​dylwil3
• @​11happy
• @​ntBre

0.14.1

... (truncated)

Commits

• 83a3bc4 Bump 0.14.2 (#21051)
• 155fd60 Document when a rule was added (#21035)
• 48f1771 [ty] fix infinite recursion with generic type aliases (#20969)
• 4ca7459 [ty] Consider type_check_only when ranking completions (#20910)
• dab3d4e [ty] Improve invalid-argument-type diagnostics where a union type was provi...
• 0169551 Disable npm caching for playground (#21039)
• e92fd51 [ty] Add cycle handling to lazy_default (#20967)
• c3631c7 [ty] Add docstrings for ty_extensions functions (#21036)
• 589e8ac [ty] Infer type for implicit self parameters in method bodies (#20922)
• 76a5531 Fix rare multithreaded related hang (#21038)
• Additional commits viewable in compare view

Updates pyright from 1.1.406 to 1.1.407

Commits

• 53e8efb Pyright NPM Package update to 1.1.407 (#356)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions