
Bump fastmcp minimum to 3.4.2 for the Starlette CVE floor #77

Merged: tony merged 3 commits into main from deps/fastmcp-342-floor on Jun 13, 2026

Conversation

tony (Member) commented Jun 13, 2026

Summary

  • Raise the fastmcp floor from >=3.4.0 to >=3.4.2, picking up fastmcp 3.4.1's explicit starlette>=1.0.1 floor so installs can no longer resolve to a Starlette affected by CVE-2026-48710 — previously this was constrained only transitively through mcp.
  • Lock now resolves fastmcp to 3.4.2 and starlette to 1.2.1.
  • Document the bump under ### Dependencies in the unreleased changelog.

Background: the floor was deliberately held at >=3.4.0 while 3.4.1/3.4.2 were inside the local uv dependency cooldown; that window has now cleared.

Verification

The runtime floor is raised:

rg 'fastmcp>=3.4.2' pyproject.toml

The lock satisfies the Starlette CVE floor:

rg -A2 '^name = "starlette"' uv.lock

Test plan

  • uv run ruff check . — lint clean
  • uv run ruff format . — formatting unchanged
  • uv run mypy . — type-check clean
  • uv run py.test --reruns 0 — full suite green
  • just build-docs — docs build, CHANGES renders and tool roles resolve

tony added 2 commits June 13, 2026 15:19
why: 3.4.1 floors starlette>=1.0.1 (CVE-2026-48710), previously only
constrained transitively through mcp; 3.4.2 carries that floor. The
3-day uv dependency cooldown that held our floor at 3.4.0 has cleared.
what:
- pyproject: fastmcp floor >=3.4.0 -> >=3.4.2
- uv.lock: fastmcp resolves to 3.4.2 (starlette to 1.2.1)

why: the fastmcp floor bump needs a Dependencies entry so the starlette
CVE-2026-48710 fix it pulls in is recorded for downstream installs.
what:
- Add a Dependencies entry for the fastmcp >=3.4.2 minimum
codecov-commenter commented Jun 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.07%. Comparing base (befeb73) to head (d4168f9).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #77   +/-   ##
=======================================
  Coverage   85.07%   85.07%           
=======================================
  Files          42       42           
  Lines        2881     2881           
  Branches      385      385           
=======================================
  Hits         2451     2451           
  Misses        322      322           
  Partials      108      108           


why: the Dependencies entry is this branch's only changelog line, so it
should carry the PR reference like the other unreleased entries.
what:
- Add the PR reference to the fastmcp 3.4.2 Dependencies entry
@tony tony merged commit f7d54b8 into main Jun 13, 2026
9 checks passed
@tony tony deleted the deps/fastmcp-342-floor branch June 13, 2026 20:31