dependabot[bot] opened a new pull request, #41259: URL: https://github.com/apache/superset/pull/41259
Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.2.4 to 3.4.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/PrefectHQ/fastmcp/releases">fastmcp's releases</a>.</em></p>
<blockquote>
<h2>v3.4.2: Heads Up</h2>
<p>FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as <code>cat</code> without being rejected before signature and claim validation, while unsupported critical headers are still rejected.</p>
<h2>What's Changed</h2>
<h3>Fixes 🐞</h3>
<ul>
<li>Allow private JWT headers by <a href="https://github.com/jlowin"><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/4290">PrefectHQ/fastmcp#4290</a></li>
</ul>
<h3>Docs 📚</h3>
<ul>
<li>Docs: add v3.4.1 changelog entries by <a href="https://github.com/jlowin"><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/4289">PrefectHQ/fastmcp#4289</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/PrefectHQ/fastmcp/compare/v3.4.1...v3.4.2">https://github.com/PrefectHQ/fastmcp/compare/v3.4.1...v3.4.2</a></p>
<h2>v3.4.1: Floor It</h2>
<p>FastMCP 3.4.1 floors Starlette at <code>>=1.0.1</code> so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through <code>mcp</code>, which allowed vulnerable versions.
It also makes OAuthProxy log refresh-token cache misses instead of failing silently.</p>
<h2>What's Changed</h2>
<h3>Enhancements ✨</h3>
<ul>
<li>Log refresh-token misses in OAuthProxy instead of failing silently by <a href="https://github.com/jlowin"><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/4276">PrefectHQ/fastmcp#4276</a></li>
</ul>
<h3>Security 🔒</h3>
<ul>
<li>Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by <a href="https://github.com/jlowin"><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/4286">PrefectHQ/fastmcp#4286</a></li>
</ul>
<h3>Docs 📚</h3>
<ul>
<li>Document --notes-start-tag in release instructions by <a href="https://github.com/jlowin"><code>@jlowin</code></a> in <a href="https://redirect.github.com/PrefectHQ/fastmcp/pull/4275">PrefectHQ/fastmcp#4275</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/PrefectHQ/fastmcp/compare/v3.4.0...v3.4.1">https://github.com/PrefectHQ/fastmcp/compare/v3.4.0...v3.4.1</a></p>
<h2>v3.4.0: Remote Control</h2>
<p>FastMCP 3.4 is about reaching servers that live somewhere else. The headline is <code>fastmcp-remote</code>, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.</p>
<h2>fastmcp-remote</h2>
<p>Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through <code>fastmcp run</code>, but that pulls in the full server-runner surface.
<code>fastmcp-remote</code> is the small, single-purpose version: one URL in, one local stdio proxy out.</p>
<pre lang="json"><code>{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}
</code></pre>
<p>OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — <code>Client</code>, OAuth, <code>create_proxy</code>, and stdio — and credits the original npm <code>mcp-remote</code> project for the command shape.</p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/3b8538e2422a1c43fdb69661c610de7985b785f2"><code>3b8538e</code></a> Allow private JWT headers (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4290">#4290</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/0445c31feffa5581b1e47cbe3ea75eaabed18f9d"><code>0445c31</code></a> chore: Update SDK documentation (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4223">#4223</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/9261793ae0858f009b6550159287a4965da9d51f"><code>9261793</code></a> Docs: add v3.4.1 changelog entries (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4289">#4289</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/e1b52d00fe579faf3b76a3364a5639aec9ad8014"><code>e1b52d0</code></a> Add explicit starlette>=1.0.1 floor (CVE-2026-48710) (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4286">#4286</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/e58f386bacefe4283a8782b821ae0305c36bb073"><code>e58f386</code></a> Log refresh-token misses in OAuthProxy instead of failing silently (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4276">#4276</a>)</li>
<li><a
href="https://github.com/PrefectHQ/fastmcp/commit/3f09c683cc440b308c17db5a8f9c89ce4449df6c"><code>3f09c68</code></a> Document --notes-start-tag requirement in release instructions (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4275">#4275</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/e124bde34eeea66f5472e239c70cda247508da34"><code>e124bde</code></a> Fix MDX syntax error in changelog (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4270">#4270</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/dae11bbc40fd4ef3cf0a61e1f2363a1630186ba8"><code>dae11bb</code></a> Backfill changelog and updates through v3.4.0 (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4269">#4269</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/0f4f78c46491a001ba0b409ef643a6649428a951"><code>0f4f78c</code></a> Fix resource templates with query params on proxied servers (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4251">#4251</a>)</li>
<li><a href="https://github.com/PrefectHQ/fastmcp/commit/1a06130fcfaece1d494bf444c1561e752d94c61a"><code>1a06130</code></a> Fix GitHub MCP resource integration test (<a href="https://redirect.github.com/PrefectHQ/fastmcp/issues/4253">#4253</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/PrefectHQ/fastmcp/compare/v3.2.4...v3.4.2">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
