Skip to content

Bump fastmcp from 3.4.2 to 3.4.3#59

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/fastmcp-3.4.3
Closed

Bump fastmcp from 3.4.2 to 3.4.3#59
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/uv/fastmcp-3.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps fastmcp from 3.4.2 to 3.4.3.

Release notes

Sourced from fastmcp's releases.

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

Docs 📚

Dependencies 📦

Other Changes 🦾

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319
  • Recognize all GitHub issue-link forms in require-issue-link workflow by @​jlowin in #4359
  • fix: preserve required discriminator tags by @​he-yufeng in #4297
  • fix(proxy): shield stateful proxy disconnect during session teardown by @​jlowin in #4363
  • fix(fs): isolate same-named package imports across providers by @​jlowin in #4361
  • fix: StatefulProxyClient.clear() no longer causes KeyError on session teardown by @​tcconnally in #4328
  • fix: guard recursive refs in json_schema_to_type by @​Epochex in #4312
  • Forward IdP auth errors to MCP client instead of showing HTML error page by @​bobbyjames839 in #4293
  • fix(resources): round-trip path values with reserved characters in URI templates by @​jlowin in #4368
  • fix: bracket IPv6 hosts in server startup log URL by @​jlowin in #4372
  • fix: bound default OIDC discovery timeout and expose it on provider wrappers by @​jlowin in #4374
  • fix: validate task tool arguments against declared types by @​jlowin in #4373
  • fix(tools): honor serialize_by_alias in tool result serialization by @​jlowin in #4391
  • Fix/cimd flow issue by @​twjackysu in #4206
  • Reject empty env var keys by @​CodingFeng101 in #4410
  • fix: correct replace_type docstring parameter descriptions by @​hiSandog in #4375
  • Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift by @​jlowin in #4428
  • [codex] Fix OpenAPI resource template requests by @​jlowin in #4407

Docs 📚

  • fix: RST docstrings in fastmcp.types render raw on gofastmcp.com by @​jlowin in #4367

... (truncated)

Commits
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • 522ed5b fix: correct replace_type docstring parameter descriptions (#4375)
  • 67527c1 Block unsafe OAuth redirect schemes (#4419)
  • 57a2799 Protect streamable HTTP from DNS rebinding (#4405)
  • cccb529 Fix DCR redirect URI validation (#4408)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.4.2 to 3.4.3.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.3)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #61.

@dependabot dependabot Bot closed this Jul 14, 2026
@dependabot dependabot Bot deleted the dependabot/uv/fastmcp-3.4.3 branch July 14, 2026 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants