dependabot[bot] opened a new pull request, #10953: URL: https://github.com/apache/gravitino/pull/10953
Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 2.14.5 to 3.2.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PrefectHQ/fastmcp/releases";>fastmcp's releases</a>.</em></p> <blockquote> <h2>v3.2.4: Patch Me If You Can</h2> <p>A grab bag of fixes, hardening, and polish.</p> <p>The headline behavior change: background tasks are now scoped to the authorization context rather than the MCP session, so a task kicked off by an authenticated user survives session churn and stays tied to who started it. This is a breaking change for anyone relying on the old session-scoped semantics.</p> <p>Security got three meaningful upgrades. <code>FileUpload</code> now validates actual decoded base64 size instead of trusting the client-reported number, so an attacker can't claim "10 bytes" and deliver 10MB. The proxy client stops forwarding inbound HTTP headers to unrelated remote servers — previously a header meant for server A could leak to server B. And AuthKit now auto-binds token audience to the resource URL per RFC 8707, closing a token-reuse gap across MCP resources.</p> <p>Schema handling had a rough-edges pass. <code>json_schema_to_type</code> no longer crashes on Python keywords, boolean schemas, empty enums, or name collisions, and we added a 232K-schema crash test from APIs.guru to keep it honest. Gemini 2.5 Flash compatibility is fixed by stripping <code>title</code> fields the model rejects. Parameter descriptions are now extracted from docstrings automatically, so your tool signatures document themselves.</p> <p>Plus a Keycloak OAuth provider for enterprise auth, improvements to <code>ctx.elicit()</code> (new <code>response_title</code>/<code>response_description</code>, deprecation warning when called without <code>response_type</code>), and dozens of smaller fixes across transforms, retry middleware, resource templates, and client disconnect handling.</p> <!-- raw HTML omitted --> <h2>What's Changed</h2> <h3>Breaking Changes ⚠️</h3> <ul> <li>Scope tasks to authorization context, not session by <a href="https://github.com/chrisguidry";><code>@chrisguidry</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3800";>PrefectHQ/fastmcp#3800</a></li> </ul> <h3>Enhancements ✨</h3> <ul> <li>Bump pydocket>=0.19.0, drop fakeredis pin by <a href="https://github.com/chrisguidry";><code>@chrisguidry</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3822";>PrefectHQ/fastmcp#3822</a></li> <li>Add real-world schema crash test (232K schemas from APIs.guru) by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3826";>PrefectHQ/fastmcp#3826</a></li> <li>Enable 7 zero-violation ruff rules by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3841";>PrefectHQ/fastmcp#3841</a></li> <li>Promote 7 ty rules from ignore to warn by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3852";>PrefectHQ/fastmcp#3852</a></li> <li>Replace ___ with hash-based backend tool routing and per-tool prefab resources by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3824";>PrefectHQ/fastmcp#3824</a></li> <li>Enable 4 ruff rules (DTZ, ERA, ISC, INP) and fix 9 violations by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3842";>PrefectHQ/fastmcp#3842</a></li> <li>Extract parameter descriptions from docstrings by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3872";>PrefectHQ/fastmcp#3872</a></li> <li>ci: speed up schema crash test (CSafeLoader + xdist-safe aggregation) by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3873";>PrefectHQ/fastmcp#3873</a></li> <li>test: bump OpenAPI init perf threshold to 200ms for Windows CI by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3879";>PrefectHQ/fastmcp#3879</a></li> <li>refactor: unify object-schema conversion through _object_schema_to_type by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3884";>PrefectHQ/fastmcp#3884</a></li> <li>Add Keycloak OAuth Provider for Enterprise Authentication and local dev by <a href="https://github.com/stephaneberle9";><code>@stephaneberle9</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/1937";>PrefectHQ/fastmcp#1937</a></li> <li>Allow auth providers to override protected resource base URLs by <a href="https://github.com/aaazzam";><code>@aaazzam</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3900";>PrefectHQ/fastmcp#3900</a></li> <li>Enable PERF and T20 ruff rules by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3845";>PrefectHQ/fastmcp#3845</a></li> <li>Add response_title and response_description to ctx.elicit() by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3912";>PrefectHQ/fastmcp#3912</a></li> <li>Deprecate ctx.elicit() without response_type by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3916";>PrefectHQ/fastmcp#3916</a></li> </ul> <h3>Security 🔒</h3> <ul> <li>Validate actual base64 data size in FileUpload, not client-reported size by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3816";>PrefectHQ/fastmcp#3816</a></li> <li>Stop forwarding inbound HTTP headers to unrelated remote servers by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3837";>PrefectHQ/fastmcp#3837</a></li> <li>AuthKit: auto-bind token audience to resource URL (RFC 8707) by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3905";>PrefectHQ/fastmcp#3905</a></li> </ul> <h3>Fixes 🐞</h3> <ul> <li>Version-check is_docket_available() to avoid transitive pydocket crash by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3807";>PrefectHQ/fastmcp#3807</a></li> <li>fix: materialize generators before result conversion, handle bytes gracefully by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3830";>PrefectHQ/fastmcp#3830</a></li> <li>Fix json_schema_to_type crashes on keywords, boolean schemas, empty enums, and name collisions by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3818";>PrefectHQ/fastmcp#3818</a></li> <li>fix: replace <code>or</code> with <code>is not None</code> checks for config/override merging by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3833";>PrefectHQ/fastmcp#3833</a></li> <li>fix: TransformedTool sync fn crash and schema mutation by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3823";>PrefectHQ/fastmcp#3823</a></li> <li>fix: cross-provider duplicate detection, error visibility, mask propagation by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3827";>PrefectHQ/fastmcp#3827</a></li> <li>fix: don't pass HTTP kwargs when transport is unspecified by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3838";>PrefectHQ/fastmcp#3838</a></li> <li>fix: strip title fields from tool schemas for Gemini 2.5 Flash compatibility by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3861";>PrefectHQ/fastmcp#3861</a></li> <li>fix: retry when LLM returns text instead of calling final_response by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3850";>PrefectHQ/fastmcp#3850</a></li> <li>Raise on unhandled content types in sampling handler dispatch chains by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3857";>PrefectHQ/fastmcp#3857</a></li> <li>Fix broken code examples in docs by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3869";>PrefectHQ/fastmcp#3869</a></li> <li>fix: GoogleGenaiSamplingHandler leaks thought parts and gives unhelpful errors on empty responses by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3849";>PrefectHQ/fastmcp#3849</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx";>fastmcp's changelog</a>.</em></p> <blockquote> <hr /> <h2>title: "Changelog" icon: "list-check" rss: true tag: NEW</h2> <!-- raw HTML omitted --> <p><strong><a href="https://github.com/PrefectHQ/fastmcp/releases/tag/v3.1.1";>v3.1.1: 'Tis But a Patch</a></strong></p> <p>Pins <code>pydantic-monty</code> below 0.0.8 to fix a breaking change in Monty that affects code mode. Monty 0.0.8 removed the <code>external_functions</code> constructor parameter, causing <code>MontySandboxProvider</code> to fail. This patch caps the version so existing installs work correctly.</p> <h3>Fixes 🐞</h3> <ul> <li>Pin pydantic-monty below 0.0.8 to fix code mode by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3497";>#3497</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/PrefectHQ/fastmcp/compare/v3.1.0...v3.1.1";>v3.1.0...v3.1.1</a></p> <!-- raw HTML omitted --> <!-- raw HTML omitted --> <p><strong><a href="https://github.com/PrefectHQ/fastmcp/releases/tag/v3.1.0";>v3.1.0: Code to Joy</a></strong></p> <p>FastMCP 3.1 is the Code Mode release. The 3.0 architecture introduced providers and transforms as the extensibility layer — 3.1 puts that architecture to work, shipping the most requested capability since launch: servers that can find and execute code on behalf of agents, without requiring clients to know what tools exist.</p> <h3>New Features 🎉</h3> <ul> <li>feat: Search transforms for tool discovery by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3154";>#3154</a></li> <li>Add experimental CodeMode transform by <a href="https://github.com/aaazzam";><code>@aaazzam</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3297";>#3297</a></li> <li>Add Prefab Apps integration for MCP tool UIs by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3316";>#3316</a></li> </ul> <h3>Enhancements 🔧</h3> <ul> <li>Lazy-load heavy imports to reduce import time by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3295";>#3295</a></li> <li>Add http_client parameter to all token verifiers for connection pooling by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3300";>#3300</a></li> <li>Add in-memory caching for token introspection results by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3298";>#3298</a></li> <li>Add SessionStart hook to install gh CLI in cloud sessions by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3308";>#3308</a></li> <li>Fix ty 0.0.19 type errors by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3310";>#3310</a></li> <li>Code Mode: Add resource limits to MontySandboxProvider by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3326";>#3326</a></li> <li>Accept transforms as FastMCP init kwarg by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3324";>#3324</a></li> <li>Split large test files to comply with loq line limit by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3328";>#3328</a></li> <li>Add -m/--module flag to <code>fastmcp run</code> and <code>dev inspector</code> by <a href="https://github.com/dgenio";><code>@dgenio</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3331";>#3331</a></li> <li>Add search_result_serializer hook and serialize_tools_for_output_markdown by <a href="https://github.com/MagnusS0";><code>@MagnusS0</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3337";>#3337</a></li> <li>Add MultiAuth for composing multiple token verification sources by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3335";>#3335</a></li> <li>Adds PropelAuth as an AuthProvider by <a href="https://github.com/andrew-propelauth";><code>@andrew-propelauth</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3358";>#3358</a></li> <li>Replace vendored DI with uncalled-for by <a href="https://github.com/chrisguidry";><code>@chrisguidry</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3301";>#3301</a></li> <li>Decompose CodeMode into composable discovery tools by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3354";>#3354</a></li> <li>feat(contrib): auto-sync MCPMixin decorators with from_function signatures by <a href="https://github.com/AnkeshThakur";><code>@AnkeshThakur</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3323";>#3323</a></li> <li>Add Google GenAI Sampling Handler by <a href="https://github.com/strawgate";><code>@strawgate</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/2977";>#2977</a></li> <li>Add ListTools, search limit, and catalog size annotation to CodeMode by <a href="https://github.com/jlowin";><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3359";>#3359</a></li> <li>Allow configuring FastMCP transport setting in the same way as other configuration by <a href="https://github.com/jvdmr";><code>@jvdmr</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/1796";>#1796</a></li> <li>Add include_unversioned option to VersionFilter by <a href="https://github.com/yangbaechu";><code>@yangbaechu</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/3349";>#3349</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/7d7607473d7713d9937cbbbe0bfc635976c511d3";><code>7d76074</code></a> Stop pydantic 2.13 from leaking _WrappedResult docstring into tool output sch...</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/b732a4a516e4a41f053e46dbd86e9520cf5178bf";><code>b732a4a</code></a> Overhaul apps docs (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3915";>#3915</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/5c2ff1bd7b9844a3891149741de56a5e4d24621d";><code>5c2ff1b</code></a> chore: Update SDK documentation (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3914";>#3914</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/f4f2ec07fbb611a25ce27e1b4f9b67f54bc2420a";><code>f4f2ec0</code></a> Deprecate ctx.elicit() without response_type (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3916";>#3916</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/338b80c3ae3b8c5ac3a7e094178c9f34eb286ea8";><code>338b80c</code></a> chore(deps): bump the uv group across 2 directories with 1 update (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3913";>#3913</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/110cd3adcb7a433923ed8ed4a8b23d076a313ab5";><code>110cd3a</code></a> Add response_title and response_description to ctx.elicit() (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3912";>#3912</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/311784617639d7b46490d863f2e4bb24be6361c5";><code>3117846</code></a> chore: Update SDK documentation (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3909";>#3909</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/031c7e03b48330345bc4d1f82a9cc78ed269b07c";><code>031c7e0</code></a> Fix RetryMiddleware not retrying tool errors (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3858";>#3858</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/200d79e7d28f36b36c271621d9550aa3fb3c0aa7";><code>200d79e</code></a> Enable PERF and T20 ruff rules (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3845";>#3845</a>)</li> <li><a href="https://github.com/PrefectHQ/fastmcp/commit/82f310fe61dba25de34f2be3e203555ccfc4181d";><code>82f310f</code></a> AuthKit: auto-bind token audience to resource URL (RFC 8707) (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/3905";>#3905</a>)</li> <li>Additional commits viewable in <a href="https://github.com/PrefectHQ/fastmcp/compare/v2.14.5...v3.2.4";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
