chore(deps): Bump the minor-and-patch group across 1 directory with 2 updates #617

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/mcp/flight_tool/minor-and-patch-02bb2cef31

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Contributor

Bumps the minor-and-patch group with 2 updates in the /mcp/flight_tool directory: fastmcp and protobuf.

Updates fastmcp from 3.4.0 to 3.4.2

Release notes

Sourced from fastmcp's releases.

v3.4.2: Heads Up

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞

Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

Security 🔒

Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

Commits

Updates protobuf from 7.35.0 to 7.35.1

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

... (truncated)

Commits

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) Jun 19, 2026
… updates

Bumps the minor-and-patch group with 2 updates in the /mcp/flight_tool directory: [fastmcp](https://github.com/PrefectHQ/fastmcp) and [protobuf](https://github.com/protocolbuffers/protobuf).


Updates `fastmcp` from 3.4.0 to 3.4.2
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.0...v3.4.2)

Updates `protobuf` from 7.35.0 to 7.35.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: protobuf
  dependency-version: 7.35.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/mcp/flight_tool/minor-and-patch-02bb2cef31 branch from 65a7ebc to e065b3f Compare June 26, 2026 05:08
@clawgenti

Security Bump Escalation

Package: minor-and-patch group (grouped update)
Severity: high | SLA: 7 days | Overdue: 3 days
CI Status: passing

Advisory Context

Vulnerability references: CVE-2026-48710

Release notes

Sourced from fastmcp's releases.

v3.4.2: Heads Up

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞

Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log ref...

Action Required

This PR has exceeded the 7-day SLA for high-severity patches. Please review and merge, or document a deferral reason.


Automated analysis by Kagenti Dep Bump Fixer (scan 2026-06-30-002)

Labels

- dependencies: Pull requests that update a dependency file
- python:uv: Pull requests that update python:uv code

Projects

Status: New/ToDo

2 participants