v2.3.1: Security patches and a slimmer install
Highlights
This release closes seven CVEs across three core dependencies. python-multipart moves to 0.0.32, starlette to 1.3.1, and cryptography to 49.0.0, with direct version floors added so PyPI installs (not just the lockfile) pick up the fixes. If you install from PyPI, upgrading is recommended.
Installs are now lighter. The unused fastapi[standard] dependency is removed, dropping a large transitive tree including typer, sentry-sdk, jinja2, uvloop, fastapi-cli, orjson, and ujson. The server runs directly on Starlette, FastMCP, and Uvicorn.
Packaging metadata is clearer too: a plain-language description of what the server does, and PyPI classifiers updated to Production/Stable. Runtime dependencies fastmcp (3.4.2) and uvicorn (0.49.0) are also refreshed, with OAuth discovery and introspection smoke-tested under FastMCP 3.4.2.
Changes
Changed
- Removed unused
fastapi[standard]dependency, dropping a large unused transitive tree from installs. - Declared
starletteas a direct dependency to make the actual dependency explicit. - Rewrote the package description to plainly state what the server does, applied across packaging and the GitHub repository.
- Updated PyPI trove classifiers:
Development Statusmoved from4 - Betato5 - Production/Stable, plus addedPython :: 3 :: Only,Bug Tracking,System Administrators,OS Independent, andWeb Environment. - Pointed the PyPI
Changelogproject URL at thedevelopbranch instead of a stalemasterpath. - Bumped
fastmcp3.3.1 to 3.4.2 anduvicorn0.48.0 to 0.49.0 (pullinghttptools0.8.0). - Bumped CI and dev tooling:
pytest9.0.3 to 9.1.1,pytest-asyncio1.3.0 to 1.4.0,actions/checkoutto 6.0.3,astral-sh/setup-uvto 8.2.0, andcodecov/codecov-action6.0.1 to 7.0.0.
Security
- Bumped
python-multipart0.0.29 to 0.0.32 to clear CVE-2026-53539 and CVE-2026-53538, and raised the direct floor to>=0.0.30. - Bumped
starlette1.0.1 to 1.3.1 to clear CVE-2026-48818, CVE-2026-48817, CVE-2026-54282, and CVE-2026-54283, with a>=1.3.1floor. - Bumped
cryptography46.0.7 to 49.0.0 to clear GHSA-537c-gmf6-5ccf, with a direct>=48.0.1floor.
Installation
pip install redmine-mcp-server==2.3.1