Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-fastmcp-slim for 
openSUSE:Factory checked in at 2026-06-23 17:43:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-fastmcp-slim (Old)
 and      /work/SRC/openSUSE:Factory/.python-fastmcp-slim.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-fastmcp-slim"

Tue Jun 23 17:43:23 2026 rev:2 rq:1361362 version:3.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-fastmcp-slim/python-fastmcp-slim.changes  
2026-06-19 17:39:30.575508216 +0200
+++ 
/work/SRC/openSUSE:Factory/.python-fastmcp-slim.new.1956/python-fastmcp-slim.changes
        2026-06-23 17:46:04.433190788 +0200
@@ -1,0 +2,7 @@
+Tue Jun 23 10:37:18 UTC 2026 - Martin Pluskal <[email protected]>
+
+- Update to version 3.4.2
+- Add missing python-starlette dependency, declared by the
+  client and server extras
+
+-------------------------------------------------------------------

Old:
----
  fastmcp_slim-3.4.0.tar.gz

New:
----
  fastmcp_slim-3.4.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-fastmcp-slim.spec ++++++
--- /var/tmp/diff_new_pack.aihZmo/_old  2026-06-23 17:46:07.185286737 +0200
+++ /var/tmp/diff_new_pack.aihZmo/_new  2026-06-23 17:46:07.185286737 +0200
@@ -17,13 +17,14 @@
 
 
 Name:           python-fastmcp-slim
-Version:        3.4.0
+Version:        3.4.2
 Release:        0
 Summary:        The fast, Pythonic way to build MCP servers and clients (slim)
 License:        Apache-2.0
 URL:            https://github.com/jlowin/fastmcp
 Source:         
https://files.pythonhosted.org/packages/source/f/fastmcp-slim/fastmcp_slim-%{version}.tar.gz
 BuildRequires:  %{python_module Authlib >= 1.6.11}
+BuildRequires:  %{python_module PyYAML >= 6.0}
 BuildRequires:  %{python_module cyclopts >= 4.0.0}
 BuildRequires:  %{python_module email-validator}
 BuildRequires:  %{python_module exceptiongroup >= 1.2.2}
@@ -40,13 +41,13 @@
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module platformdirs >= 4.0.0}
 BuildRequires:  %{python_module py-key-value-aio >= 0.4.4}
-BuildRequires:  %{python_module pydantic-settings >= 2.0.0}
 BuildRequires:  %{python_module pydantic >= 2.11.7}
+BuildRequires:  %{python_module pydantic-settings >= 2.0.0}
 BuildRequires:  %{python_module pyperclip >= 1.9.0}
 BuildRequires:  %{python_module python-dotenv >= 1.1.0}
 BuildRequires:  %{python_module python-multipart >= 0.0.26}
-BuildRequires:  %{python_module PyYAML >= 6.0}
 BuildRequires:  %{python_module rich >= 13.9.4}
+BuildRequires:  %{python_module starlette >= 1.0.1}
 BuildRequires:  %{python_module typing_extensions >= 4.0.0}
 BuildRequires:  %{python_module uncalled-for >= 0.2.0}
 BuildRequires:  %{python_module uv-dynamic-versioning >= 0.7.0}
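Review bot: The new `starlette >= 1.0.1` floor has no comment saying why it sits at 1.0.1, here in BuildRequires and again in the `Requires: python-starlette >= 1.0.1` hunk further down. Upstream's pyproject.toml in this same update ties the floor to CVE-2026-48710, while the .changes entry only mentions a missing dependency. A later packager could therefore relax the bound without knowing it is security-driven. I would add above both lines `# starlette floor is security-driven: upstream pins past CVE-2026-48710 (fixed in 1.0.1)`.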
@@ -60,6 +61,7 @@
 Requires(postun): update-alternatives
 # uv-backend wheels don't expose deps to pythondistdeps, so require them by 
hand
 Requires:       python-Authlib >= 1.6.11
+Requires:       python-PyYAML >= 6.0
 Requires:       python-cyclopts >= 4.0.0
 Requires:       python-email-validator
 Requires:       python-exceptiongroup >= 1.2.2
@@ -79,8 +81,8 @@
 Requires:       python-pyperclip >= 1.9.0
 Requires:       python-python-dotenv >= 1.1.0
 Requires:       python-python-multipart >= 0.0.26
-Requires:       python-PyYAML >= 6.0
 Requires:       python-rich >= 13.9.4
+Requires:       python-starlette >= 1.0.1
 Requires:       python-typing_extensions >= 4.0.0
 Requires:       python-uncalled-for >= 0.2.0
 Requires:       python-uvicorn >= 0.35

++++++ fastmcp_slim-3.4.0.tar.gz -> fastmcp_slim-3.4.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fastmcp_slim-3.4.0/PKG-INFO 
new/fastmcp_slim-3.4.2/PKG-INFO
--- old/fastmcp_slim-3.4.0/PKG-INFO     2020-02-02 01:00:00.000000000 +0100
+++ new/fastmcp_slim-3.4.2/PKG-INFO     2020-02-02 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastmcp-slim
-Version: 3.4.0
+Version: 3.4.2
 Summary: The dependency-slim FastMCP package.
 Project-URL: Homepage, https://gofastmcp.com
 Project-URL: Repository, https://github.com/PrefectHQ/fastmcp
@@ -37,6 +37,7 @@
 Requires-Dist: mcp<2.0,>=1.24.0; extra == 'client'
 Requires-Dist: opentelemetry-api>=1.20.0; extra == 'client'
 Requires-Dist: py-key-value-aio[filetree,keyring,memory]<0.5.0,>=0.4.4; extra 
== 'client'
+Requires-Dist: starlette>=1.0.1; extra == 'client'
 Provides-Extra: code-mode
 Requires-Dist: pydantic-monty==0.0.17; extra == 'code-mode'
 Provides-Extra: gemini
@@ -47,6 +48,7 @@
 Requires-Dist: httpx<1.0,>=0.28.1; extra == 'mcp'
 Requires-Dist: mcp<2.0,>=1.24.0; extra == 'mcp'
 Requires-Dist: opentelemetry-api>=1.20.0; extra == 'mcp'
+Requires-Dist: starlette>=1.0.1; extra == 'mcp'
 Provides-Extra: openai
 Requires-Dist: openai>=1.102.0; extra == 'openai'
 Provides-Extra: server
@@ -66,6 +68,7 @@
 Requires-Dist: pyperclip>=1.9.0; extra == 'server'
 Requires-Dist: python-multipart>=0.0.26; extra == 'server'
 Requires-Dist: pyyaml<7.0,>=6.0; extra == 'server'
+Requires-Dist: starlette>=1.0.1; extra == 'server'
 Requires-Dist: uncalled-for>=0.2.0; extra == 'server'
 Requires-Dist: uvicorn>=0.35; extra == 'server'
 Requires-Dist: watchfiles>=1.0.0; extra == 'server'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fastmcp_slim-3.4.0/fastmcp/server/auth/oauth_proxy/proxy.py 
new/fastmcp_slim-3.4.2/fastmcp/server/auth/oauth_proxy/proxy.py
--- old/fastmcp_slim-3.4.0/fastmcp/server/auth/oauth_proxy/proxy.py     
2020-02-02 01:00:00.000000000 +0100
+++ new/fastmcp_slim-3.4.2/fastmcp/server/auth/oauth_proxy/proxy.py     
2020-02-02 01:00:00.000000000 +0100
@@ -1371,6 +1371,13 @@
         token_hash = _hash_token(refresh_token)
         metadata = await self._refresh_token_store.get(key=token_hash)
         if not metadata:
+            logger.warning(
+                "Refresh token not found for client=%s (token_hash=%s); it was 
"
+                "already rotated, expired, or revoked. Rejecting with 
invalid_grant, "
+                "which forces the client to re-authenticate.",
+                client.client_id,
+                token_hash[:8],
+            )
             return None
         # Verify token belongs to this client (prevents cross-client token 
usage)
         if metadata.client_id != client.client_id:
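Review bot: The new warning folds three situations (rotated, expired, revoked) into one message, so a replayed refresh token cannot be told apart from an ordinary expiry when reading the logs. Reuse of an already-rotated token is a common indicator of a stolen or duplicated refresh token, and the store lookup here only knows "not found". If the store cannot distinguish the cases, I would say so above the `logger.warning` call, e.g. `# NOTE: reuse of a rotated token looks identical to expiry here; repeated misses for one client_id may indicate token replay`. The warning is also emitted on every miss, so a client that keeps retrying a dead token can generate log noise. The enclosing method starts and ends outside this hunk, so any throttling elsewhere is not visible.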
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fastmcp_slim-3.4.0/fastmcp/server/auth/providers/jwt.py 
new/fastmcp_slim-3.4.2/fastmcp/server/auth/providers/jwt.py
--- old/fastmcp_slim-3.4.0/fastmcp/server/auth/providers/jwt.py 2020-02-02 
01:00:00.000000000 +0100
+++ new/fastmcp_slim-3.4.2/fastmcp/server/auth/providers/jwt.py 2020-02-02 
01:00:00.000000000 +0100
@@ -13,6 +13,8 @@
 from cryptography.hazmat.primitives.asymmetric import rsa
 from joserfc import jwk, jwt
 from joserfc.errors import JoseError
+from joserfc.jws import JWSRegistry
+from joserfc.registry import JWS_HEADER_REGISTRY
 from pydantic import AnyHttpUrl, SecretStr
 from typing_extensions import TypedDict
 
@@ -24,6 +26,7 @@
 logger = get_logger(__name__)
 
 JWKKeyData: TypeAlias = dict[str, str | list[str]]
+SUPPORTED_JWS_HEADER_FIELDS = frozenset(JWS_HEADER_REGISTRY)
 
 
 def _import_key_for_algorithm(key: str | bytes | JWKKeyData, algorithm: str):
@@ -45,6 +48,21 @@
     raise ValueError(f"Unsupported JWK key type: {key_type!r}")
 
 
+def _has_unsupported_critical_headers(header: dict[str, Any]) -> bool:
+    crit = header.get("crit")
+    if crit is None:
+        return False
+    if not isinstance(crit, list):
+        return True
+
+    return any(
+        not isinstance(header_name, str)
+        or header_name not in header
+        or header_name not in SUPPORTED_JWS_HEADER_FIELDS
+        for header_name in crit
+    )
+
+
 class JWKData(TypedDict, total=False):
     """JSON Web Key data structure."""
 
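Review bot: `_has_unsupported_critical_headers` returns False for `"crit": []`, because `any()` over an empty list is False, so a token carrying an empty critical list passes this check. RFC 7515 section 4.1.11 forbids producers from sending an empty `crit`, and rejecting it is the stricter reading; `if not isinstance(crit, list) or not crit: return True` would do that. The function also has no docstring. One sentence would do, stating that it returns True when `crit` is malformed or names a header that is absent from the token or not in `SUPPORTED_JWS_HEADER_FIELDS`. It should add that "supported" here means "present in joserfc's JWS header registry", which is not necessarily the same as "processed by this verifier".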
@@ -429,7 +447,22 @@
 
             # Decode and verify the JWT token
             key = _import_key_for_algorithm(verification_key, self.algorithm)
-            claims = jwt.decode(token, key, algorithms=[self.algorithm]).claims
+            header = decode_jwt_header(token)
+            if _has_unsupported_critical_headers(header):
+                self.logger.debug(
+                    "Token validation failed: unsupported critical JWT header"
+                )
+                return None
+
+            claims = jwt.decode(
+                token,
+                key,
+                algorithms=[self.algorithm],
+                registry=JWSRegistry(
+                    algorithms=[self.algorithm],
+                    strict_check_header=False,
+                ),
+            ).claims
 
             # Extract client ID early for logging
             client_id = (
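Review bot: `strict_check_header=False` has no comment explaining why the library's header check is switched off, and with it off the `_has_unsupported_critical_headers(header)` call just above appears to be the only gate on header contents. I would add above the `registry=` argument `# strict_check_header=False: tolerate non-registered headers; crit is enforced by _has_unsupported_critical_headers above`, so the pre-check is not later removed as redundant. `decode_jwt_header` is not among the imports this diff adds, so it is presumably already in scope in jwt.py. It is worth confirming that a malformed token makes it raise an exception type the surrounding handler already catches; that handler lies outside this hunk.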
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fastmcp_slim-3.4.0/pyproject.toml 
new/fastmcp_slim-3.4.2/pyproject.toml
--- old/fastmcp_slim-3.4.0/pyproject.toml       2020-02-02 01:00:00.000000000 
+0100
+++ new/fastmcp_slim-3.4.2/pyproject.toml       2020-02-02 01:00:00.000000000 
+0100
@@ -80,6 +80,9 @@
     "httpx>=0.28.1,<1.0",
     "mcp>=1.24.0,<2.0",
     "opentelemetry-api>=1.20.0",
+    # starlette floor: transitive via mcp (which only requires >=0.27).
+    # Pin past CVE-2026-48710, which was patched in 1.0.1.
+    "starlette>=1.0.1",
 ]
 openai = ["openai>=1.102.0"]
 server = [
