Skip to content

chore(deps): bump the all-dependencies group across 1 directory with 2 updates#310

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/all-dependencies-6f959dd40d
Open

chore(deps): bump the all-dependencies group across 1 directory with 2 updates#310
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/all-dependencies-6f959dd40d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-dependencies group with 2 updates in the / directory: fastmcp and posthog.

Updates fastmcp from 3.4.2 to 3.4.3

Release notes

Sourced from fastmcp's releases.

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

What's Changed

Enhancements ✨

Security 🔒

Fixes 🐞

Docs 📚

Dependencies 📦

Other Changes 🦾

... (truncated)

Changelog

Sourced from fastmcp's changelog.


title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.3: The Fast and the Secure-ious

FastMCP 3.4.3 closes out a month of SSRF and OAuth hardening: NAT64, 6to4, Teredo, and ISATAP transition addresses can no longer smuggle private IPv4 targets past the SSRF allow-list, Streamable HTTP now validates Host and Origin before session handling to block DNS rebinding against localhost-bound servers, and OAuth redirect validation rejects unsafe schemes and unregistered DCR redirect URIs. Alongside the security work, this release also fixes proxy session teardown races, discriminator-tag handling in JSON schema conversion, and several smaller reliability issues.

Enhancements ✨

  • Dedupe discriminator-required helper across schema converters by @​jlowin in #4362
  • Add real Monty sandbox e2e coverage for CodeMode call_tool by @​AlexlaGuardia in #4274
  • Switch prettier hook to rbubley/mirrors-prettier by @​jlowin in #4366
  • feat(remote): add --verify flag for TLS certificate verification by @​jlowin in #4369

Security 🔒

Fixes 🐞

  • fix: caching middleware TypeError on cache miss due to mismatched call_next parameter by @​gmenziesint in #4301
  • Fix: async rate limiting middleware get_client_id callbacks by @​Chotom in #4319
  • Recognize all GitHub issue-link forms in require-issue-link workflow by @​jlowin in #4359
  • fix: preserve required discriminator tags by @​he-yufeng in #4297
  • fix(proxy): shield stateful proxy disconnect during session teardown by @​jlowin in #4363
  • fix(fs): isolate same-named package imports across providers by @​jlowin in #4361
  • fix: StatefulProxyClient.clear() no longer causes KeyError on session teardown by @​tcconnally in #4328
  • fix: guard recursive refs in json_schema_to_type by @​Epochex in #4312
  • Forward IdP auth errors to MCP client instead of showing HTML error page by @​bobbyjames839 in #4293
  • fix(resources): round-trip path values with reserved characters in URI templates by @​jlowin in #4368
  • fix: bracket IPv6 hosts in server startup log URL by @​jlowin in #4372
  • fix: bound default OIDC discovery timeout and expose it on provider wrappers by @​jlowin in #4374
  • fix: validate task tool arguments against declared types by @​jlowin in #4373
  • fix(tools): honor serialize_by_alias in tool result serialization by @​jlowin in #4391
  • Fix/cimd flow issue by @​twjackysu in #4206
  • Reject empty env var keys by @​CodingFeng101 in #4410
  • fix: correct replace_type docstring parameter descriptions by @​hiSandog in #4375
  • Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift by @​jlowin in #4428
  • [codex] Fix OpenAPI resource template requests by @​jlowin in #4407

Docs 📚

  • fix: RST docstrings in fastmcp.types render raw on gofastmcp.com by @​jlowin in #4367

... (truncated)

Commits
  • 1eedd1f Docs: add v3.4.2 and v3.4.3 changelog entries (#4430)
  • 3b1afe6 chore(deps): bump joserfc from 1.6.7 to 1.6.8 in the uv group across 1 direct...
  • 874425a chore: Update SDK documentation (#4427)
  • 691766b [codex] Fix OpenAPI resource template requests (#4407)
  • 47907e0 Fix ty 0.0.55 diagnostics and prefab-ui protocol version drift (#4428)
  • c1b0396 Block IPv6 transition SSRF bypasses (#4426)
  • 522ed5b fix: correct replace_type docstring parameter descriptions (#4375)
  • 67527c1 Block unsafe OAuth redirect schemes (#4419)
  • 57a2799 Protect streamable HTTP from DNS rebinding (#4405)
  • cccb529 Fix DCR redirect URI validation (#4408)
  • Additional commits viewable in compare view

Updates posthog from 7.21.3 to 7.22.0

Release notes

Sourced from posthog's releases.

posthog-v7.22.0

Minor changes

  • d459b57 Add an opt-in capture_mode for the Capture V1 ingestion protocol (POST /i/v1/analytics/events). Set capture_mode="v1" on the client (or the POSTHOG_CAPTURE_MODE=v1 environment variable) to use Bearer auth, per-event results, and partial retry. Defaults to "v0" (the legacy /batch/ endpoint), so existing setups are unaffected.

    When using capture_mode="v1", request bodies can be compressed via capture_compression (or POSTHOG_CAPTURE_COMPRESSION): "gzip", "deflate", "zstd" (requires the optional posthog[zstd] extra), or "none" (default). The legacy gzip=True flag is honored as a fallback.

    Per-event server verdicts are surfaced through the existing on_error handler: events the backend explicitly drops, or fails to accept after retries, raise a CaptureV1Error carrying the affected event UUIDs — so a rejection is never silently lost, even when the HTTP request itself succeeded. — Thanks @​eli-r-ph for your first contribution 🎉!

Commits
  • d9f0d4f chore: Release v7.22.0 [skip ci]
  • d459b57 feat(capture): add capture_mode config scaffolding (capture v1, 1/6) (#701)
  • 6491542 chore(deps): bump the ai-providers group with 6 updates (#730)
  • 6f75afe chore(deps): bump langgraph-sdk from 0.3.12 to 0.3.15 in /examples/example-ai...
  • a5710e7 chore(deps): bump langgraph-checkpoint from 4.0.1 to 4.1.1 in /examples/examp...
  • df9f211 ci: Standardize SDK release failure telemetry (#726)
  • d21a226 Update generated references
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 7, 2026
…2 updates

Bumps the all-dependencies group with 2 updates in the / directory: [fastmcp](https://github.com/PrefectHQ/fastmcp) and [posthog](https://github.com/posthog/posthog-python).


Updates `fastmcp` from 3.4.2 to 3.4.3
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.4.2...v3.4.3)

Updates `posthog` from 7.21.3 to 7.22.0
- [Release notes](https://github.com/posthog/posthog-python/releases)
- [Changelog](https://github.com/PostHog/posthog-python/blob/main/CHANGELOG.md)
- [Commits](PostHog/posthog-python@posthog-v7.21.3...posthog-v7.22.0)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: posthog
  dependency-version: 7.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/all-dependencies-6f959dd40d branch from c529921 to c9efb0a Compare July 8, 2026 16:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants