fix: dependabot package upgrades

[Ayaz-Microsoft]

Purpose

Upgrade Dependabot-recommended packages to resolve known vulnerabilities.

Does this introduce a breaking change?

• Yes
• No

Changes

Python (src/mcp_server/pyproject.toml + uv.lock)

Package	From	To
authlib	1.6.11	1.6.12

NPM

None

GitHub Actions

None

Breaking Changes Fixed

None — patch bump only.

Packages Deferred

None.

How to Test

git checkout psl-dependabot-may2026
cd src/mcp_server
uv sync

Validation

• ✅ Docker build: mcp_server, backend, App images built successfully with --no-cache
• ✅ ACR push: All 3 images pushed to acrmacaedeptestmay2026.azurecr.io
• ✅ azd up: Full deployment to japaneast succeeded (4m32s)
• ✅ mcp_server container running with new authlib==1.6.12 (1 healthy replica)
• ✅ Backend & frontend services running
• ✅ Data indexing (RFP, Retail, HR, Marketing) succeeded

Related Dependabot PRs

• build: bump authlib from 1.6.11 to 1.6.12 in /src/mcp_server #982: build: bump authlib from 1.6.11 to 1.6.12 in /src/mcp_server

Related Work Item

https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_queries/edit/43388/

Other Information

Down-merge PRs that preceded this work:

• chore: main to dev downmerge #987: main → dev-v4 down-merge (merged)
• dev-v4 → dependabotchanges down-merge (clean merge, no conflicts)

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

[github-actions]

Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	3056	389	87%

report-only-changed-files is enabled. No files were changed during this commit :)

Tests	Skipped	Failures	Errors	Time
883	5 💤	0 ❌	0 🔥	6.874s ⏱️

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Patch bump of the authlib Python dependency in the MCP server to address a Dependabot-reported vulnerability.

Changes:

• Bump authlib from 1.6.11 to 1.6.12 in src/mcp_server/pyproject.toml

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.