fix(deps): update dependency fastmcp to v3

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
fastmcp	==2.13.0 → ==3.0.0

---

Release Notes

PrefectHQ/fastmcp (fastmcp)

v3.0.0: : Three at Last

Compare Source

FastMCP 3.0 is stable. Two betas, two release candidates, 21 new contributors, and more than 100,000 daily pre-release installs later — the architecture held up, the upgrade path was smooth, and we're shipping it.

The surface API is largely unchanged — @mcp.tool() still works exactly as before. What changed is everything underneath: a provider/transform architecture that makes FastMCP extensible, observable, and composable in ways v2 couldn't support. If we did our jobs right, you'll barely notice the redesign. You'll just notice that more is possible.

This is also the release where FastMCP moves from jlowin/fastmcp to PrefectHQ/fastmcp. GitHub forwards all links, PyPI is the same, imports are the same. A major version felt like the right moment to make it official.

Build servers from anything

🔌 Components no longer have to live in one file with one server. FileSystemProvider discovers tools from directories with hot-reload. OpenAPIProvider wraps REST APIs. ProxyProvider proxies remote MCP servers. SkillsProvider delivers agent skills as resources. Write your own provider for whatever source makes sense. Compose multiple providers into one server, share one across many, or chain them with transforms that rename, namespace, filter, version, and secure components as they flow to clients. ResourcesAsTools and PromptsAsTools expose non-tool components to tool-only clients.

Ship to production

🔐 Component versioning: serve @tool(version="2.0") alongside older versions from one codebase. Granular authorization on individual components with async auth checks, server-wide policies via AuthMiddleware, and scope-based access control. OAuth gets CIMD, Static Client Registration, Azure OBO via dependency injection, JWT audience validation, and confused-deputy protections. OpenTelemetry tracing with MCP semantic conventions. Response size limiting. Background tasks with distributed Redis notification and ctx.elicit() relay. Security fixes include dropping diskcache (CVE-2025-69872) and upgrading python-multipart and protobuf for additional CVEs.

Adapt per session

💾 Session state persists across requests via ctx.set_state() / ctx.get_state(). ctx.enable_components() and ctx.disable_components() let servers adapt dynamically per client — show admin tools after authentication, progressively reveal capabilities, or scope access by role.

Develop faster

⚡ --reload auto-restarts on file changes. Standalone decorators return the original function, so decorated tools stay callable in tests and non-MCP contexts. Sync functions auto-dispatch to a threadpool. Tool timeouts, MCP-compliant pagination, composable lifespans, PingMiddleware for keepalive, and concurrent tool execution when the LLM returns multiple calls in one response.

Use FastMCP as a CLI

🖥️ fastmcp list and fastmcp call query and invoke tools on any server from a terminal. fastmcp discover scans your editor configs (Claude Desktop, Cursor, Goose, Gemini CLI) and finds configured servers by name. fastmcp generate-cli writes a standalone typed CLI where every tool is a subcommand. fastmcp install registers your server with Claude Desktop, Cursor, or Goose in one command.

Build apps (3.1 preview)

📱 Spec-level support for MCP Apps is in: ui:// resource scheme, typed UI metadata via AppConfig, extension negotiation, and runtime detection. The full Apps experience lands in 3.1.

---

If you hit 3.0 because you didn't pin your dependencies and something breaks — the upgrade guides will get you sorted. We minimized breaking changes, but a major version is a major version.

pip install fastmcp -U

📖 Documentation
🚀 Upgrade from FastMCP v2
🔀 Upgrade from MCP Python SDK
📰 What's New in FastMCP 3.0

What's Changed

New Features 🎉

• Refactor resource behavior and add meta support by @​jlowin in #​2611
• Refactor prompt behavior and add meta support by @​jlowin in #​2610
• feat: Provider abstraction for dynamic MCP components by @​jlowin in #​2622
• Unify component storage in LocalProvider by @​jlowin in #​2680
• Introduce ResourceResult as canonical resource return type by @​jlowin in #​2734
• Introduce Message and PromptResult as canonical prompt types by @​jlowin in #​2738
• Add --reload flag for auto-restart on file changes by @​jlowin in #​2816
• Add FileSystemProvider for filesystem-based component discovery by @​jlowin in #​2823
• Add standalone decorators and eliminate fastmcp.fs module by @​jlowin in #​2832
• Add authorization checks to components and servers by @​jlowin in #​2855
• Decorators return functions instead of component objects by @​jlowin in #​2856
• Add transform system for modifying components in provider chains by @​jlowin in #​2836
• Add OpenTelemetry tracing support by @​chrisguidry in #​2869
• Add component versioning and VersionFilter transform by @​jlowin in #​2894
• Add version discovery and calling a certain version for components by @​jlowin in #​2897
• Refactor visibility to mark-based enabled system by @​jlowin in #​2912
• Add session-specific visibility control via Context by @​jlowin in #​2917
• Add Skills Provider for exposing agent skills as MCP resources by @​jlowin in #​2944
• Add MCP Apps Phase 1 — SDK compatibility (SEP-1865) by @​jlowin in #​3009
• Add fastmcp list and fastmcp call CLI commands by @​jlowin in #​3054
• Add fastmcp generate-cli command by @​jlowin in #​3065
• Add CIMD (Client ID Metadata Document) support for OAuth by @​jlowin in #​2871

Enhancements 🔧

• Convert mounted servers to MountedProvider by @​jlowin in #​2635
• Simplify .key as computed property by @​jlowin in #​2648
• Refactor MountedProvider into FastMCPProvider + TransformingProvider by @​jlowin in #​2653
• Enable background task support for custom component subclasses by @​jlowin in #​2657
• Use CreateTaskResult for background task creation by @​jlowin in #​2660
• Refactor provider execution: components own their execution by @​jlowin in #​2663
• Add supports_tasks() method to replace string mode checks by @​jlowin in #​2664
• Replace type: ignore[attr-defined] with isinstance assertions in tests by @​jlowin in #​2665
• Add poll_interval to TaskConfig by @​jlowin in #​2666
• Refactor task module: rename protocol.py to requests.py and reduce redundancy by @​jlowin in #​2667
• Refactor FastMCPProxy into ProxyProvider by @​jlowin in #​2669
• Move OpenAPI to providers/openapi submodule by @​jlowin in #​2672
• Use ergonomic provider initialization pattern by @​jlowin in #​2675
• Fix ty 0.0.5 type errors by @​jlowin in #​2676
• Remove execution methods from Provider base class by @​jlowin in #​2681
• Add type-prefixed keys for globally unique component identification by @​jlowin in #​2704
• Skip parallel MCP config test on Windows by @​jlowin in #​2711
• Consolidate notification system with unified API by @​jlowin in #​2710
• Skip test_multi_client on Windows by @​jlowin in #​2714
• Parallelize provider operations by @​jlowin in #​2716
• Consolidate get_* and list* methods into single API by @​jlowin in #​2719
• Consolidate execution method chains into single public API by @​jlowin in #​2728
• Add documentation check to required PR workflow by @​jlowin in #​2730
• Parallelize list_* calls in Provider.get_tasks() by @​jlowin in #​2731
• Consistent decorator-based MCP handler registration by @​jlowin in #​2732
• Make ToolResult a BaseModel for serialization support by @​jlowin in #​2736
• Align prompt handler with resource pattern by @​jlowin in #​2740
• Update classes to inherit from FastMCPBaseModel instead of BaseModel by @​jlowin in #​2739
• Convert provider tests to use direct server calls by @​jlowin in #​2748
• Add explicit task_meta parameter to FastMCP.call_tool() by @​jlowin in #​2749
• Add task_meta parameter to read_resource() for explicit task control by @​jlowin in #​2750
• Add task_meta to prompts and centralize fn_key enrichment by @​jlowin in #​2751
• Remove unused include_tags/exclude_tags settings by @​jlowin in #​2756
• Parallelize provider access when executing components by @​jlowin in #​2744
• Add tests for OAuth generator cleanup and use aclosing by @​jlowin in #​2759
• Deprecate tool_serializer parameter by @​jlowin in #​2753
• Feature/supabase custom auth route by @​EloiZalczer in #​2632
• Add regression tests for caching with mounted server prefixes by @​jlowin in #​2762
• Update CLI banner with FastMCP 3.0 notice by @​jlowin in #​2766
• Make FASTMCP_SHOW_SERVER_BANNER apply to all server startup methods by @​jlowin in #​2771
• Add MCP tool annotations to smart_home example by @​bryankthompson in #​2777
• Cherry-pick debug logging for OAuth token expiry to main by @​jlowin in #​2797
• Turn off negative CLI flags by default by @​jlowin in #​2801
• Configure ty to fail on warnings by @​jlowin in #​2804
• Dereference $ref in tool schemas for MCP client compatibility by @​jlowin in #​2814
• Add v3.0 feature tracking document by @​jlowin in #​2822
• Remove deprecated WSTransport by @​jlowin in #​2826
• Add composable lifespans by @​jlowin in #​2828
• Replace FastMCP.as_proxy() with create_proxy() function by @​jlowin in #​2829
• Add docs-broken-links command and fix docstring markdown parsing by @​jlowin in #​2830
• Add PingMiddleware for keepalive connections by @​jlowin in #​2838
• Add CLI update notifications by @​jlowin in #​2840
• Add agent skills for testing and code review by @​jlowin in #​2846
• Add loq pre-commit hook for file size enforcement by @​jlowin in #​2847
• Add transport property to Context by @​jlowin in #​2850
• Add loq file size limits and clean up type ignores by @​jlowin in #​2859
• Run sync tools/resources/prompts in threadpool automatically by @​jlowin in #​2865
• Add timeout parameter for tool foreground execution by @​jlowin in #​2872
• Adopt OpenTelemetry MCP semantic conventions by @​chrisguidry in #​2886
• Add client_secret_post authentication to IntrospectionTokenVerifier by @​shulkx in #​2884
• Add enable_rich_logging setting to disable rich formatting by @​strawgate in #​2893
• Rename _fastmcp metadata namespace to fastmcp and make non-optional by @​jlowin in #​2895
• Refactor FastMCP to inherit from Provider by @​jlowin in #​2901
• Swap public/private method naming in Provider by @​jlowin in #​2902
• Add MCP-compliant pagination support by @​jlowin in #​2903
• Support VersionSpec in enable/disable for range-based filtering by @​jlowin in #​2914
• Remove sync notification infrastructure by @​jlowin in #​2915
• Immutable transform wrapping for providers by @​jlowin in #​2913
• Unify discovery API: deduplicate at protocol layer only by @​jlowin in #​2919
• Split transports.py into modular structure by @​jlowin in #​2921
• Move session visibility logic to enabled.py by @​jlowin in #​2924
• Refactor Client class into mixins and add timeout utilities by @​jlowin in #​2933
• Refactor OAuthProxy into focused modules by @​jlowin in #​2935
• Refactor LocalProvider into mixin modules by @​jlowin in #​2936
• Refactor server.py into mixins by @​jlowin in #​2939
• Consolidate test fixtures and refactor large test files by @​jlowin in #​2941
• Refactor transform list methods to pure function pattern by @​jlowin in #​2942
• Add ResourcesAsTools transform by @​jlowin in #​2943
• Add PromptsAsTools transform by @​jlowin in #​2946
• Add client utilities for downloading skills by @​jlowin in #​2948
• Rename Enabled transform to Visibility by @​jlowin in #​2950
• Make duplicate bot less aggressive by @​jlowin in #​2981
• Remove uv lockfile monitoring from Dependabot by @​jlowin in #​2986
• Run static checks with --upgrade, remove lockfile check by @​jlowin in #​2988
• Adjust workflow triggers for Marvin by @​strawgate in #​3010
• Move tests to a reusable action and enable nightly checks by @​strawgate in #​3017
• feat: option to add upstream claims to the FastMCP proxy JWT by @​JonasKs in #​2997
• Fix ty 0.0.14 compatibility and upgrade dependencies by @​jlowin in #​3027
• fix: automatically include offline_access as a scope in the Azure provider to enable automatic token refreshing by @​JonasKs in #​3001
• feat: expand --reload to watch frontend file types by @​jlowin in #​3028
• Add fastmcp install stdio command by @​jlowin in #​3032
• Update martian-issue-triage.yml for Workflow editing guidance by @​strawgate in #​3033
• feat: Goose integration + dedicated install command by @​jlowin in #​3040
• [Doc]: fixing spelling issues in multiple files by @​didier-durand in #​2996
• Add fastmcp discover and name-based server resolution by @​jlowin in #​3055
• feat(context): Add background task support for Context (SEP-1686) by @​gfortaine in #​2905
• Add server version to banner by @​richardkmichael in #​3076
• Add @​handle_tool_errors decorator for standardized error handling by @​dgenio in #​2885
• Update Anthropic and OpenAI clients to use Omit instead of NotGiven by @​jlowin in #​3088
• Add ResponseLimitingMiddleware for tool response size control by @​dgenio in #​3072
• Infer MIME types from OpenAPI response definitions by @​jlowin in #​3101
• Remove require_auth in favor of scope-based authorization by @​jlowin in #​3103
• generate-cli: auto-generate SKILL.md agent skill by @​jlowin in #​3115
• Scope Martian triage to bug-labeled issues for jlowin by @​jlowin in #​3124
• Add Azure OBO dependencies, auth token injection, and documentation by @​jlowin in #​2918
• feat: add Static Client Registration (#​3085) by @​martimfasantos in #​3086
• Add concurrent tool execution with sequential flag by @​strawgate in #​3022
• Add validate_output option for OpenAPI tools by @​jlowin in #​3134
• Relay task elicitation through standard MCP protocol by @​chrisguidry in #​3136
• Bump py-key-value-aio to >=0.4.0,<0.5.0 by @​strawgate in #​3143
• Support async auth checks by @​jlowin in #​3152
• Make $ref dereferencing optional via FastMCP(dereference_refs=...) by @​jlowin in #​3151
• Expose local_provider property, deprecate FastMCP.remove_tool() by @​jlowin in #​3155
• Add helpers for converting FunctionTool and TransformedTool to SamplingTool by @​strawgate in #​3062
• Updates to github actions / workflows for claude by @​strawgate in #​3157
• Minimize resolved review threads in PRs by @​strawgate in #​3200
• Exclude auto-generated python-sdk docs from CodeRabbit reviews by @​jlowin in #​3206
• Update repository references for transfer to prefecthq by @​jlowin in #​3207
• Fix MDX parsing error and update card images by @​jlowin in #​3213

Fixes 🐞

• Let FastMCPError propagate from dependencies by @​chrisguidry in #​2646
• Fix task execution for tools with custom names by @​chrisguidry in #​2645
• fix: check the cause of the tool error by @​rjolaverria in #​2674
• Bump pydocket to 0.16.3 for task cancellation support by @​chrisguidry in #​2683
• Fix uvicorn 0.39+ test timeouts and FastMCPError propagation by @​jlowin in #​2699
• Fix Prefect website URL in docs footer by @​mgoldsborough in #​2701
• Fix: resolve root-level $ref in outputSchema for MCP spec compliance by @​majiayu000 in #​2720
• Fix Provider.get_tasks() to include custom component subclasses by @​jlowin in #​2729
• Fix Proxy provider to return all resource contents by @​jlowin in #​2742
• Fix prompt return type documentation by @​jlowin in #​2741
• fix: Client OAuth async_auth_flow() method causing MCP-SDK self.context.lock error. by @​lgndluke in #​2644
• Fix rate limit detection during teardown phase by @​jlowin in #​2757
• fix: set pytest-asyncio default fixture loop scope to function by @​jlowin in #​2758
• Fix OAuth Proxy resource parameter validation by @​jlowin in #​2764
• [BugFix] Fix openapi_version Check So 3.1 Is Included by @​deeleeramone in #​2768
• Fix titled enum elicitation schema to comply with MCP spec by @​jlowin in #​2773
• Fix base_url fallback when url is not set by @​bhbs in #​2776
• Lazy import DiskStore to avoid sqlite3 dependency on import by @​jlowin in #​2784
• Fix OAuth token storage TTL calculation by @​jlowin in #​2796
• Use consistent refresh_ttl for JTI mapping store by @​jlowin in #​2799
• Return 401 for invalid_grant token errors per MCP spec by @​jlowin in #​2800
• Fix client hanging on HTTP 4xx/5xx errors by @​jlowin in #​2803
• Fix unawaited coroutine warning and treat as test error by @​jlowin in #​2806
• Fix keep_alive passthrough in StdioMCPServer.to_transport() by @​jlowin in #​2791
• Dereference $ref in tool schemas for MCP client compatibility by @​jlowin in #​2808
• Prefix Redis keys with docket name for ACL isolation by @​chrisguidry in #​2811
• fix smart_home example: HueAttributes schema and deprecated prefix by @​zzstoatzz in #​2818
• Fix redirect URI validation docs to match implementation by @​jlowin in #​2824
• Fix timeout not propagating to proxy clients in multi-server MCPConfig by @​jlowin in #​2809
• Fix ContextVar propagation for ASGI-mounted servers with tasks by @​chrisguidry in #​2844
• Fix HTTP transport timeout defaulting to 5 seconds by @​jlowin in #​2849
• Fix decorator error messages to link to correct doc pages by @​jlowin in #​2858
• Fix task capabilities location (issue #​2870) by @​jlowin in #​2875
• Bump the uv group across 1 directory with 2 updates by @​dependabot[bot] in #​2890
• Fix FastAPI mounting examples in docs by @​jlowin in #​2962
• Remove outdated 'FastMCP 3.0 is coming!' CLI banner by @​jlowin in #​2974
• Pin httpx < 1.0 and simplify beta install docs by @​jlowin in #​2975
• Add enabled field to ToolTransformConfig by @​jlowin in #​2991
• fix phue2 import in smart_home example by @​zzstoatzz in #​2999
• fix: broaden combine_lifespans type to accept Mapping return types by @​aminsamir45 in #​3005
• fix: type narrowing for skills resource contents by @​strawgate in #​3023
• fix: correctly send resource when exchanging code for the upstream to… by @​JonasKs in #​3013
• MCP Apps: structured CSP/permissions types, resource meta propagation fix, QR example by @​jlowin in #​3031
• chore: upgrade python-multipart to 0.0.22 (CVE-2026-24486) by @​jlowin in #​3042
• chore: upgrade protobuf to 6.33.5 (CVE-2026-0994) by @​jlowin in #​3043
• fix: use MCP spec error code -32002 for resource not found by @​jlowin in #​3041
• Fix tool_choice reset for structured output sampling by @​strawgate in #​3014
• Fix workflow notification URL formatting in upgrade checks by @​strawgate in #​3047
• Fix Field() handling in prompts by @​strawgate in #​3050
• fix: use SkipJsonSchema to exclude callable fields from JSON schema generation by @​strawgate in #​3048
• fix: Preserve metadata in FastMCPProvider component wrappers by @​NeelayS in #​3057
• Mock network calls in CLI tests and use MemoryStore for OAuth tests by @​strawgate in #​3051
• Remove OpenAPI timeout parameter, make client optional, surface timeout errors by @​jlowin in #​3067
• fix: enforce redirect URI validation when allowed_client_redirect_uris is supplied by @​nathanwelsh8 in #​3066
• Fix --reload port conflict when using explicit port by @​jlowin in #​3070
• Fix compress_schema to preserve additionalProperties: false for MCP compatibility by @​jlowin in #​3102
• Fix CIMD redirect allowlist bypass and cache revalidation by @​jlowin in #​3098
• Exclude content-type from get_http_headers() to prevent HTTP 415 errors by @​jlowin in #​3104
• Updated deprecation URL for V3 by @​SrzStephen in #​3108
• Fix Windows test timeouts in OAuth proxy provider tests by @​strawgate in #​3123
• Fix session visibility marks leaking across sessions by @​jlowin in #​3132
• Fix unhandled exceptions in OpenAPI POST tool calls by @​jlowin in #​3133
• feat: distributed notification queue + BLPOP elicitation for background tasks by @​gfortaine in #​2906
• fix: snapshot access token for background tasks (#​3095) by @​gfortaine in #​3138
• Stop duplicating path parameter descriptions into tool prose by @​jlowin in #​3149
• fix: guard client pagination loops against misbehaving servers by @​jlowin in #​3167
• Fix stale get_* references in docs and examples by @​jlowin in #​3168
• Support non-serializable values in Context.set_state by @​jlowin in #​3171
• Fix stale request context in StatefulProxyClient handlers by @​jlowin in #​3172
• Fix include_tags/exclude_tags ignored without tools in MCPConfig by @​jlowin in #​3186
• fix: correct dark mode logo file extension in README by @​jfBiswajit in #​3193
• Return 405 for GET SSE on stateless HTTP servers by @​jlowin in #​3195
• Fix ty 0.0.17 diagnostics by @​jlowin in #​3198
• Drop diskcache dependency (CVE-2025-69872) by @​jlowin in #​3185
• Fix confused deputy attack via consent binding cookie by @​jlowin in #​3201
• Add JWT audience validation and RFC 8707 warnings to auth providers by @​jlowin in #​3204
• Cache OBO credentials on AzureProvider for token reuse by @​jlowin in #​3212
• Fix invalid uv add command in upgrade guide by @​jlowin in #​3217
• Use standard traceparent/tracestate keys per OTel MCP semconv by @​chrisguidry in #​3221

Breaking Changes 🛫

• Add VisibilityFilter for hierarchical enable/disable by @​jlowin in #​2708
• Remove automatic environment variable loading from auth providers by @​jlowin in #​2752
• Make pydocket optional and unify DI systems by @​jlowin in #​2835
• Add session-scoped state persistence by @​jlowin in #​2873
• Rename ui= to app= and consolidate ToolUI/ResourceUI into AppConfig by @​jlowin in #​3117
• Remove deprecated FastMCP() constructor kwargs by @​jlowin in #​3148
• Move fastmcp dev to fastmcp dev inspector by @​jlowin in #​3188

Docs 📚

• Undocumented McpError exceptions by @​ivanbelenky in #​2656
• docs(server): add http to transport options in run() method docstring by @​Ashif4354 in #​2707
• Add v3 breaking changes notice to README by @​jlowin in #​2712
• Add changelog entries for v2.13.1 through v2.14.1 by @​jlowin in #​2725
• Reorganize docs around provider architecture by @​jlowin in #​2723
• Fix documentation to use 'meta' instead of '_meta' for MCP spec field by @​jlowin in #​2735
• Enhance documentation on tool transformation by @​shea-parkes in #​2781
• Add FastMCP 4.0 preview to documentation by @​jlowin in #​2831
• Add release notes for v2.14.2 and v2.14.3 by @​jlowin in #​2852
• Add missing 3.0.0 version badges and document tasks extra by @​jlowin in #​2866
• Add missing v3 features to tracking docs by @​jlowin in #​2888
• Fix custom provider docs to show correct interface by @​jlowin in #​2920
• Update v3 features that were missed in PRs by @​jlowin in #​2947
• Restructure documentation for FastMCP 3.0 by @​jlowin in #​2951
• Fix broken documentation links by @​jlowin in #​2952
• Clarify installation for FastMCP 3.0 beta by @​jlowin in #​2953
• Prepare docs for v3.0 beta release by @​jlowin in #​2954
• Restructure docs: move transforms to dedicated section by @​jlowin in #​2956
• Remove unecessary pip warning by @​jlowin in #​2958
• Update example MCP version in installation docs by @​jlowin in #​2959
• Update brand images by @​jlowin in #​2960
• Restructure README and welcome page with motivated narrative by @​jlowin in #​2963
• Restructure README and docs with motivated narrative by @​jlowin in #​2964
• Favicon update and Prefect Horizon docs by @​jlowin in #​2978
• Add dependency injection documentation and DI-style dependencies by @​jlowin in #​2980
• docs: document expanded reload behavior and restructure beta sections by @​jlowin in #​3039
• Add output_schema caveat to response limiting docs by @​jlowin in #​3099
• Document token passthrough security in OAuth Proxy docs by @​jlowin in #​3100
• Add missing beta2 features to v3 release tracking by @​jlowin in #​3105
• Update docs to reference beta 2 by @​jlowin in #​3112
• docs: add pre-registered OAuth clients to v3-features by @​jlowin in #​3129
• docs: update all references from 3.0.0b2 to 3.0.0rc1 by @​jlowin in #​3173
• Document cache key identity behavior by @​jlowin in #​3194
• Reorganize docs navigation around Server/Client/Apps pillars by @​jlowin in #​3197
• Overhaul v3.0 upgrade guide by @​jlowin in #​3205
• Update docs for 3.0 GA release by @​jlowin in #​3216
• Add upgrade guides for users coming from the MCP SDK by @​jlowin in #​3215
• Update thumbnail background by @​jlowin in #​3219
• v3.0.0 release notes, changelog, and README updates by @​jlowin in #​3222

Dependencies 📦

• Bump peter-evans/create-pull-request from 7 to 8 by @​dependabot[bot] in #​2623
• Bump ty to 0.0.7+ by @​jlowin in #​2737
• Bump the uv group across 1 directory with 4 updates by @​dependabot[bot] in #​2891
• Bump ty from 0.0.12 to 0.0.13 by @​dependabot[bot] in #​2984
• Bump prek from 0.2.30 to 0.3.0 by @​dependabot[bot] in #​2982
• chore(deps): bump cryptography from 46.0.3 to 46.0.5 in /examples/testing_demo in the uv group across 1 directory by @​dependabot[bot] in #​3140
• chore(deps): bump cryptography from 46.0.4 to 46.0.5 in the uv group across 1 directory by @​dependabot[bot] in #​3147

Other Changes 🦾

• Normalize resource URLs before comparison to support RFC 8707 query parameters by @​abhijeethp in #​2967
• Bump pydocket to 0.17.2 (memory leak fix) by @​chrisguidry in #​2998
• Add AzureJWTVerifier for Managed Identity token verification by @​jlowin in #​3058
• Add release notes for v2.14.4 and v2.14.5 by @​jlowin in [#​3064](https://

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the fastmcp dependency to its major version 3.0.0. This is a substantial upgrade that re-architects the core framework for enhanced extensibility and introduces a wealth of new features, performance improvements, and crucial security fixes. The change ensures the project benefits from the latest capabilities and stability offered by the FastMCP ecosystem.

Highlights

• Major Version Upgrade: The fastmcp dependency has been upgraded to version 3.0.0, representing a significant architectural redesign focused on extensibility, observability, and composability.
• New Features Introduced: FastMCP v3.0 brings dynamic component discovery, component versioning, granular authorization, OpenTelemetry tracing, session state persistence, dynamic component visibility, and new CLI commands for listing, calling, discovering, generating, and installing components.
• Key Enhancements: The update includes refactored provider execution, parallelized operations, consistent decorator-based handler registration, improved OAuth, and automatic threadpooling for synchronous functions.
• Critical Fixes and Security Updates: Various bug fixes were implemented, addressing error propagation, task execution, OAuth token handling, and schema validation. Importantly, security vulnerabilities were mitigated by dropping diskcache and upgrading python-multipart and protobuf.
• Breaking Changes Noted: The new version introduces breaking changes such as the removal of automatic environment variable loading from auth providers, making pydocket optional, session-scoped state persistence, renaming ui= to app=, and moving fastmcp dev to fastmcp dev inspector.

Changelog

• run/mcp-server/pyproject.toml
  • Updated fastmcp dependency from 2.13.0 to 3.0.0.
• run/mcp-server/uv.lock
  • Updated various dependencies including authlib, mcp, py-key-value-aio, and uvicorn.
  • Added new dependencies such as aiofile, caio, jsonref, jsonschema-path, opentelemetry-api, packaging, pyjwt, pyyaml, and watchfiles.
  • Removed several dependencies including diskcache, isodate, lazy-object-proxy, markupsafe, openapi-core, openapi-schema-validator, openapi-spec-validator, parse, pathvalidate, py-key-value-shared, rfc3339-validator, six, and werkzeug.

Activity

• The pull request was automatically generated by Mend Renovate to update the fastmcp dependency.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the fastmcp dependency from version 2.13.0 to 3.0.0. This is a major version upgrade that brings significant architectural improvements, including a new provider/transform architecture, automatic threadpooling for synchronous tools, and enhanced observability with OpenTelemetry. Crucially, it includes security fixes by dropping the diskcache dependency (addressing CVE-2025-69872) and updating other sub-dependencies. The existing server and test code remain compatible with the v3 API, and the uv.lock file correctly reflects the streamlined dependency tree, which now includes uvicorn and watchfiles to support the new development features like hot-reloading.