v1.5.2 — dependency hygiene & security floors

@mosandlt mosandlt released this 03 Jun 06:54

A maintenance patch. No API, tool, resource, or prompt changes (still 20 tools / 3 resources / 2 prompts).

Dependencies

  • Dropped aiohttp as a runtime dependency. The v1.5.1 migration to httpx.DigestAuth removed its last use in package code. It now lives only under the test extra (one regression test pins the original aiohttp.DigestAuth root cause).
  • Security floors for transitive deps. mcp pulls in pyjwt (>=2.10.1) and starlette (>=0.27), whose older releases carry advisories. Added explicit floors so the resolver always lands on patched versions:
    • pyjwt>=2.13.0 — PYSEC-2026-175 / 177 / 178 / 179
    • starlette>=1.0.1 — PYSEC-2026-161
    • pip-audit reports no known vulnerabilities. Mirrored in requirements.txt / requirements-test.txt.
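
A floor in the package metadata only helps if the environment that actually runs was resolved against it. The following is an added example, not code from this project: a CI guard that compares installed versions against the two floors listed above. The function names and the simplified version parser (leading numeric release segment only, pre-release suffixes ignored) are assumptions of the example.

```python
import re
from importlib import metadata

# Floors copied from the release notes above.
FLOORS = {"pyjwt": "2.13.0", "starlette": "1.0.1"}


def release_tuple(version):
    """'2.10.1' -> (2, 10, 1). Assumption: only the leading numeric
    release segment is compared; rc/post/dev suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def below_floor(version, floor):
    """True if version sorts strictly below floor ('1.0' == '1.0.0')."""
    a, b = release_tuple(version), release_tuple(floor)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_floors(installed, floors=FLOORS):
    """Return sorted (name, installed_version, floor) tuples for every
    package below its floor. Packages missing from `installed` are skipped."""
    bad = []
    for name, floor in floors.items():
        version = installed.get(name)
        if version is not None and below_floor(version, floor):
            bad.append((name, version, floor))
    return sorted(bad)


def installed_versions(names):
    """Look up the versions present in the current environment."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass  # not installed here, so nothing to check
    return found


if __name__ == "__main__":
    violations = check_floors(installed_versions(FLOORS))
    for name, version, floor in violations:
        print(f"{name} {version} is below security floor {floor}")
    raise SystemExit(1 if violations else 0)
```

Run as a script it exits non-zero when an environment still carries a version below a floor, which complements pip-audit by failing even when no advisory database is reachable.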

Tests

  • Fixed test_fetch_rcp_lan_non_200_returns_none: it still mocked aiohttp.ClientSession — a stack the helper no longer uses since v1.5.1 — so it neither exercised the non-200 branch nor avoided a real network attempt to a non-documentation IP. Rewritten to mock httpx.AsyncClient, pinned to the RFC-5737 192.0.2.x range.

461 tests green.