@vita-stejskal

These upgrades unfortunately do not fix the security warning -- Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default. The fix is present in mcp==1.23.0 which is incompatible with fastmcp==2.13.* versions. We will have to wait for fastmcp==2.14 or newer.

Plus there is a regression [2524](https://github.com/jlowin/fastmcp/issues/2524) in fastmcp==2.13.2 which breaks the tools that use Context ctx parameter (i.e. all our tools).

See also:

@vita-stejskal vita-stejskal self-assigned this Dec 5, 2025
@vita-stejskal vita-stejskal marked this pull request as ready for review December 5, 2025 16:47
@AidanAllchin

Got a PR up for the regression FYI, hope it helps

@mariankrotil mariankrotil left a comment

Approving and can we upgrade to fastmcp 2.13.3 now when the regression is fixed? It seems that the mcp 1.23.1 version is now used in the fastmcp/pyproject dependencies.

@vita-stejskal

> Approving and can we upgrade to fastmcp 2.13.3 now when the regression is fixed? It seems that the mcp 1.23.1 version is now used in the fastmcp/pyproject dependencies.

Yes, I'll do another PR and upgrade to the fastmcp version that contains the fix (i.e. PR#2563) once it's released. The fastmcp 2.13.3 does not contain the fix. You are correct that the main branch of fastmcp project already contains the fix and uses mcp>=1.23.1, but it's still yet to be released (presumably as fastmcp 2.14.0).

@vita-stejskal vita-stejskal merged commit 988bb8a into main Dec 9, 2025
21 checks passed
@vita-stejskal vita-stejskal deleted the AI-2165-upgrade-deps branch December 9, 2025 10:35