Skip to content

Bump the pip group across 1 directory with 5 updates#3

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-45f6609a66
Open

Bump the pip group across 1 directory with 5 updates#3
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-45f6609a66

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 25, 2026

Bumps the pip group with 5 updates in the / directory:

Package From To
fastmcp 2.3.4 2.14.0
langchain-core 0.3.49 1.2.11
langchain-community 0.3.19 0.3.27
mcp 1.13.1 1.23.0
pypdf 6.0.0 6.7.2

Updates fastmcp from 2.3.4 to 2.14.0

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress
mcp = FastMCP("MyServer")
@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
await progress.set_total(100)
for epoch in range(100):
# ... training work ...
await progress.increment()
return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

  • SEP-1686: Background tasks with progress tracking
  • SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
  • SEP-1330: Multi-select enum elicitation schemas
  • SEP-1034: Default values for elicitation schemas
  • SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.0.2: Threecovery Mode II

Two community-contributed fixes: auth headers from MCP transport no longer leak through to downstream OpenAPI APIs, and background task workers now correctly receive the originating request ID. Plus a new docs example for context-aware tool factories.

Fixes 🐞

  • fix: prevent MCP transport auth header from leaking to downstream OpenAPI APIs by @​stakeswky in #3262
  • fix: propagate origin_request_id to background task workers by @​gfortaine in #3175

Docs 📚

Full Changelog: v3.0.1...v3.0.2

v3.0.1: Three-covery Mode

First patch after 3.0 — mostly smoothing out rough edges discovered in the wild. The big ones: middleware state that wasn't surviving the trip to tool handlers now does, Tool.from_tool() accepts callables again, OpenAPI schemas with circular references no longer crash discovery, and decorator overloads now return the correct types in function mode. Also adds verify_id_token to OIDCProxy for providers (like some Azure AD configs) that issue opaque access tokens but standard JWT id_tokens.

Enhancements 🔧

Fixes 🐞

Docs 📚

  • Sync README with welcome.mdx, fix install count by @​jlowin in #3224
  • Document dict-to-Message prompt migration in upgrade guides by @​jlowin in #3225
  • Fix v2 upgrade guide: remove incorrect v1 import advice by @​jlowin in #3226

... (truncated)

Commits
  • 3d6fd46 chore: remove tests/test_examples.py (#2593)
  • 03b62d2 feat: handle error from the initialize middleware (#2531)
  • 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
  • 855e01e chore: Update SDK documentation (#2588)
  • d56f55a Add smart fallback for missing access token expiry (#2587)
  • d35b867 chore: Update SDK documentation (#2517)
  • 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
  • 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
  • 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
  • 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
  • Additional commits viewable in compare view

Updates langchain-core from 0.3.49 to 1.2.11

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.11

Changes since langchain-core==1.2.10

release(core): 1.2.11 (#35144) fix(openai): sanitize urls when counting tokens in images (#35143) chore(core): clean up docstring mismatch and redundant logic in langchain-core (#35064) fix(core): replace bare except with Exception in tracer (#35138)

langchain-core==1.2.10

Changes since langchain-core==1.2.9

release(core): 1.2.10 (#35136) chore(deps): bump the langchain-deps group across 3 directories with 40 updates (#35129) chore(deps): bump the langchain-deps group across 3 directories with 11 updates (#35121) feat(core): add ContextOverflowError, raise in anthropic and openai (#35099) feat(model-profiles): add text_inputs and text_outputs (#35084) feat(core): count tokens from tool schemas in count_tokens_approximately (#35098) docs(core): add missing name docstring for RunnableSerializable (#35088)

langchain-core==1.2.9

Changes since langchain-core==1.2.8

release(core): 1.2.9 (#35025) fix(core): adjust cap when scaling approximate token counts (#35017) revert: precompile hex color regex pattern at module level (#35016) chore: add make type target (#35015) revert: "chore: add typing target in Makefile" (#35013) chore: add typing target in Makefile (#35012) fix(core): apply cap when scaling approximate token counts (#35005) feat(core): allow scaling by reported usage when counting tokens approximately (#34996) test(core): increase delta_time for flaky test (#34982) chore: enrich pyproject.toml files (#34980)

langchain-core==1.2.8

Changes since langchain-core==1.2.7

release(core): 1.2.8 (#34975) docs(core): add examples for pretty_repr, pretty_print (#34968) docs(core): use proper admonition for get_buffer_string (#34967) docs: add usage examples to core classes (#34841) chore(core): fix docstring format (#34966) chore(deps): bump the uv group across 20 directories with 3 updates (#34941) docs: add example to create_message function docstring (#34851) docs(core): clarify @​tool decorator argument and return type requirements (#34860) fix(core): fix nested mustache variable extraction and update docs (#34872) fix(core): allow base model annotations for empty model (#34932) chore: upgrade urllib3 to 2.6.3 (#34940) fix(core): prevent crash in ParrotFakeChatModel when messages list is empty (#34943) fix(core): google docstring parsing with no arguments/reserved arguments (#34861) test(core): add tests for approximate token counting with multimodal messages (#34898)

... (truncated)

Commits
  • 524e1da release(core): 1.2.11 (#35144)
  • 2b4b1dc fix(openai): sanitize urls when counting tokens in images (#35143)
  • 0493b27 fix(anthropic): support effort="max" and remove beta headers (#35141)
  • a5f22e7 chore(core): clean up docstring mismatch and redundant logic in langchain-cor...
  • 97ee14c fix(core): replace bare except with Exception in tracer (#35138)
  • 990e807 release(standard-tests): release 1.1.5 (#35139)
  • 74dffca release(langchain): 1.2.10 (#35137)
  • f41e049 release(core): 1.2.10 (#35136)
  • de05838 chore(deps): bump the langchain-deps group across 3 directories with 40 updat...
  • d6e86aa chore(deps): bump the other-deps group across 3 directories with 12 updates (...
  • Additional commits viewable in compare view

Updates langchain-community from 0.3.19 to 0.3.27

Commits
  • bdf1cd3 fix(langchain): update deps
  • 77c9819 fix(text-splitters): update langchain-core version to 0.3.72
  • 7f015b6 fix(text-splitters): update lock for release
  • 71ad451 Merge branch 'master' of github.com:langchain-ai/langchain
  • 2c42893 fix(langchain): update langchain-core version to 0.3.72
  • 0e139fb release(langchain): 0.3.27 (#32227)
  • 622bb05 fix(langchain): class HTMLSemanticPreservingSplitter ignores the text inside ...
  • 56dde3a feat(langchain): v1 scaffolding (#32166)
  • bd3d649 release(core): 0.3.72 (#32214)
  • fb5da83 fix(core): Dereference Refs for pydantic schema fails in tool schema generati...
  • Additional commits viewable in compare view

Updates mcp from 1.13.1 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

What's Changed

... (truncated)

Commits
  • d3a1841 Merge commit from fork
  • fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
  • f82b0c9 Support client_credentials flow with JWT and Basic auth (#1663)
  • 281fd47 Add SSE polling support (SEP-1699) (#1654)
  • 2cd178a Add on_session_created callback option (#1710)
  • c92bb2f SEP-1686: Tasks (#1645)
  • 5983a65 Skip empty SSE data to avoid parsing errors (#1670)
  • 02b7889 Implement SEP-1036: URL mode elicitation for secure out-of-band interactions ...
  • 27279bc Update doc string on custom_route (#1660)
  • f225013 feat: implement SEP-991 URL-based client ID (CIMD) support (#1652)
  • Additional commits viewable in compare view

Updates pypdf from 6.0.0 to 6.7.2

Release notes

Sourced from pypdf's releases.

Version 6.7.2, 2026-02-22

What's new

Security (SEC)

Bug Fixes (BUG)

Full Changelog

Version 6.7.1, 2026-02-17

What's new

Security (SEC)

Bug Fixes (BUG)

Robustness (ROB)

Full Changelog

Version 6.7.0, 2026-02-08

What's new

Deprecations (DEP)

New Features (ENH)

  • Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#3624) by @​PJBrs

Bug Fixes (BUG)

Robustness (ROB)

Full Changelog

Version 6.6.2, 2026-01-26

What's new

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.7.2, 2026-02-22

Security (SEC)

  • Prevent infinite loop from circular xref /Prev references (#3655)

Bug Fixes (BUG)

  • Fix wrong LUT size error (#3651)
  • Fix handling of page boxes defined on /Pages (#3650)

Full Changelog

Version 6.7.1, 2026-02-17

Security (SEC)

  • Detect cyclic references when accessing TreeObject.children (#3645)
  • Limit size of /ToUnicode entries (#3646)
  • Limit FlateDecode recovery attempts (#3644)

Bug Fixes (BUG)

  • Avoid own object replacement logic in PageObject.replace_contents (#3638)
  • Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634)

Robustness (ROB)

  • Avoid divison by zero when decoding FlateDecode PNG prediction (#3641)

Full Changelog

Version 6.7.0, 2026-02-08

Deprecations (DEP)

  • Deprecate support for abbreviations in decode_stream_data (#3617)

New Features (ENH)

  • Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#3624)

Bug Fixes (BUG)

  • Avoid invalid load for ICCBased FlateDecode images in mode 1 (#3619)

Robustness (ROB)

  • Fix AESV2 decryption when /Length missing in encrypt dict (#3629)
  • Fix merging when annotations point to NullObject (#3613)
  • Check for self._info being None in compress_identical_objects (#3612)

Full Changelog

Version 6.6.2, 2026-01-26

Security (SEC)

  • Detect cyclic references when retrieving outlines (#3610)

... (truncated)

Commits
  • 4f1260f REL: 6.7.2
  • 6ef86cb DOC: Sync release process with current status
  • f0a462d SEC: Prevent infinite loop from circular xref /Prev references (#3655)
  • c707d3c DOC: Encourage contributors to not use our CI for debugging
  • 4670513 BUG: Fix wrong LUT size error (#3651)
  • 801353a MAINT: Spelling corrections (#3647)
  • 4d57836 BUG: Fix handling of page boxes defined on /Pages (#3650)
  • ad2a45d REL: 6.7.1
  • bd2f6d0 SEC: Detect cyclic references when accessing TreeObject.children (#3645)
  • 77d7b8d SEC: Limit size of /ToUnicode entries (#3646)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the pip group across 1 directory with 5 updates
a994455 
Bumps the pip group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [fastmcp](https://github.com/PrefectHQ/fastmcp) | `2.3.4` | `2.14.0` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `0.3.49` | `1.2.11` |
| [langchain-community](https://github.com/langchain-ai/langchain) | `0.3.19` | `0.3.27` |
| [mcp](https://github.com/modelcontextprotocol/python-sdk) | `1.13.1` | `1.23.0` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.0.0` | `6.7.2` |



Updates `fastmcp` from 2.3.4 to 2.14.0
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v2.3.4...v2.14.0)

Updates `langchain-core` from 0.3.49 to 1.2.11
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==0.3.49...langchain-core==1.2.11)

Updates `langchain-community` from 0.3.19 to 0.3.27
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-community==0.3.19...langchain==0.3.27)

Updates `mcp` from 1.13.1 to 1.23.0
- [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md)
- [Commits](modelcontextprotocol/python-sdk@v1.13.1...v1.23.0)

Updates `pypdf` from 6.0.0 to 6.7.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.0.0...6.7.2)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 2.14.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: langchain-core
  dependency-version: 1.2.11
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: langchain-community
  dependency-version: 0.3.27
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: mcp
  dependency-version: 1.23.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pypdf
  dependency-version: 6.7.2
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 25, 2026
@dependabot dependabot bot mentioned this pull request Feb 25, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants