Skip to content

v2.3.1: Security patches and a slimmer install

Choose a tag to compare

@jztan jztan released this 20 Jun 03:09

Highlights

This release closes seven CVEs across three core dependencies. python-multipart moves to 0.0.32, starlette to 1.3.1, and cryptography to 49.0.0, with direct version floors added so PyPI installs (not just the lockfile) pick up the fixes. If you install from PyPI, upgrading is recommended.

Installs are now lighter. The unused fastapi[standard] dependency is removed, dropping a large transitive tree including typer, sentry-sdk, jinja2, uvloop, fastapi-cli, orjson, and ujson. The server runs directly on Starlette, FastMCP, and Uvicorn.

Packaging metadata is clearer too: a plain-language description of what the server does, and PyPI classifiers updated to Production/Stable. Runtime dependencies fastmcp (3.4.2) and uvicorn (0.49.0) are also refreshed, with OAuth discovery and introspection smoke-tested under FastMCP 3.4.2.

Changes

Changed

  • Removed unused fastapi[standard] dependency, dropping a large unused transitive tree from installs.
  • Declared starlette as a direct dependency to make the actual dependency explicit.
  • Rewrote the package description to plainly state what the server does, applied across packaging and the GitHub repository.
  • Updated PyPI trove classifiers: Development Status moved from 4 - Beta to 5 - Production/Stable, plus added Python :: 3 :: Only, Bug Tracking, System Administrators, OS Independent, and Web Environment.
  • Pointed the PyPI Changelog project URL at the develop branch instead of a stale master path.
  • Bumped fastmcp 3.3.1 to 3.4.2 and uvicorn 0.48.0 to 0.49.0 (pulling httptools 0.8.0).
  • Bumped CI and dev tooling: pytest 9.0.3 to 9.1.1, pytest-asyncio 1.3.0 to 1.4.0, actions/checkout to 6.0.3, astral-sh/setup-uv to 8.2.0, and codecov/codecov-action 6.0.1 to 7.0.0.

Security

Installation

pip install redmine-mcp-server==2.3.1

Links