Skip to content

⬆ Bump the uv group across 1 directory with 5 updates#13

Open
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/uv/uv-1a6c4eee8f
Open

⬆ Bump the uv group across 1 directory with 5 updates#13
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/uv/uv-1a6c4eee8f

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Mar 8, 2026

Bumps the uv group with 5 updates in the / directory:

Package From To
fastmcp 2.13.1 2.14.0
lxml-html-clean 0.3.1 0.4.4
pypdf 6.0.0 6.7.5
torch 2.4.0 2.8.0
unstructured 0.16.23 0.18.18

Updates fastmcp from 2.13.1 to 2.14.0

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress
mcp = FastMCP("MyServer")
@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
await progress.set_total(100)
for epoch in range(100):
# ... training work ...
await progress.increment()
return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

  • SEP-1686: Background tasks with progress tracking
  • SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
  • SEP-1330: Multi-select enum elicitation schemas
  • SEP-1034: Default values for elicitation schemas
  • SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.0.2: Threecovery Mode II

Two community-contributed fixes: auth headers from MCP transport no longer leak through to downstream OpenAPI APIs, and background task workers now correctly receive the originating request ID. Plus a new docs example for context-aware tool factories.

Fixes 🐞

  • fix: prevent MCP transport auth header from leaking to downstream OpenAPI APIs by @​stakeswky in #3262
  • fix: propagate origin_request_id to background task workers by @​gfortaine in #3175

Docs 📚

Full Changelog: v3.0.1...v3.0.2

v3.0.1: Three-covery Mode

First patch after 3.0 — mostly smoothing out rough edges discovered in the wild. The big ones: middleware state that wasn't surviving the trip to tool handlers now does, Tool.from_tool() accepts callables again, OpenAPI schemas with circular references no longer crash discovery, and decorator overloads now return the correct types in function mode. Also adds verify_id_token to OIDCProxy for providers (like some Azure AD configs) that issue opaque access tokens but standard JWT id_tokens.

Enhancements 🔧

Fixes 🐞

Docs 📚

  • Sync README with welcome.mdx, fix install count by @​jlowin in #3224
  • Document dict-to-Message prompt migration in upgrade guides by @​jlowin in #3225
  • Fix v2 upgrade guide: remove incorrect v1 import advice by @​jlowin in #3226

... (truncated)

Commits
  • 3d6fd46 chore: remove tests/test_examples.py (#2593)
  • 03b62d2 feat: handle error from the initialize middleware (#2531)
  • 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
  • 855e01e chore: Update SDK documentation (#2588)
  • d56f55a Add smart fallback for missing access token expiry (#2587)
  • d35b867 chore: Update SDK documentation (#2517)
  • 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
  • 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
  • 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
  • 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
  • Additional commits viewable in compare view

Updates lxml-html-clean from 0.3.1 to 0.4.4

Changelog

Sourced from lxml-html-clean's changelog.

0.4.4 (2026-02-26)

Bugs fixed

  • Fixed a bug where Unicode escapes in CSS were not properly decoded before security checks. This prevents attackers from bypassing filters using escape sequences. (CVE-2026-28348)
  • Fixed a security issue where <base> tags could be used for URL hijacking attacks. The <base> tag is now automatically removed whenever the <head> tag is removed (via page_structure=True or manual configuration), as <base> must be inside <head> according to HTML specifications. (CVE-2026-28350)

0.4.3 (2025-10-02)

Maintenance

  • Tests updated to work correctly with new lxml and libxml2 releases.
  • Python 3.6 and 3.7 are no longer tested.
  • Improved documentation about CSS removal behavior.

0.4.2 (2025-04-09)

Bugs fixed

  • lxml_html_clean now correctly handles HTML input as bytes as it did before the 0.2.0 release.

0.4.1 (2024-11-15)

Bugs fixed

  • Removed superfluous debug prints.

0.4.0 (2024-11-12)

Bugs fixed

  • The Cleaner() now scans for hidden JavaScript code embedded within CSS comments. In certain contexts, such as within <svg> or <math> tags,

... (truncated)

Commits
  • fd10d79 Add more tests for different combinations of backslashes and unicode
  • 5b7e228 Restore the removal of all backslashes from styles after decoding of unicode ...
  • 88da8f9 Prepare release 0.4.4
  • 9c5612c Remove <base> tags to prevent URL hijacking attacks
  • 2ef7326 Implement unicode escape decoding
  • 7c854af Add missing Python 3.14 to classifiers
  • 80cebf7 Continue using the package link
  • 1cef82e Update safe sanitizer recommendation
  • 79f35f4 CI: Drop Python 3.8, add 3.14
  • fab1dd4 Release 0.4.3
  • Additional commits viewable in compare view

Updates pypdf from 6.0.0 to 6.7.5

Release notes

Sourced from pypdf's releases.

Version 6.7.5, 2026-03-02

What's new

Security (SEC)

Full Changelog

Version 6.7.4, 2026-02-27

What's new

Security (SEC)

Robustness (ROB)

Full Changelog

Version 6.7.3, 2026-02-24

What's new

Security (SEC)

Full Changelog

Version 6.7.2, 2026-02-22

What's new

Security (SEC)

Bug Fixes (BUG)

Full Changelog

Version 6.7.1, 2026-02-17

What's new

Security (SEC)

Bug Fixes (BUG)

... (truncated)

Changelog

Sourced from pypdf's changelog.

Version 6.7.5, 2026-03-02

Security (SEC)

  • Improve the performance of the ASCIIHexDecode filter (#3666)

Full Changelog

Version 6.7.4, 2026-02-27

Security (SEC)

  • Allow limiting output length for RunLengthDecode filter (#3664)

Robustness (ROB)

  • Deal with invalid annotations in extract_links (#3659)

Full Changelog

Version 6.7.3, 2026-02-24

Security (SEC)

  • Use zlib decompression limit when retrieving XFA data (#3658)

Full Changelog

Version 6.7.2, 2026-02-22

Security (SEC)

  • Prevent infinite loop from circular xref /Prev references (#3655)

Bug Fixes (BUG)

  • Fix wrong LUT size error (#3651)
  • Fix handling of page boxes defined on /Pages (#3650)

Full Changelog

Version 6.7.1, 2026-02-17

Security (SEC)

  • Detect cyclic references when accessing TreeObject.children (#3645)
  • Limit size of /ToUnicode entries (#3646)
  • Limit FlateDecode recovery attempts (#3644)

Bug Fixes (BUG)

  • Avoid own object replacement logic in PageObject.replace_contents (#3638)
  • Fix UnboundLocalError when update_page_form_field_values with /Sig (#3634)

Robustness (ROB)

  • Avoid divison by zero when decoding FlateDecode PNG prediction (#3641)

Full Changelog

... (truncated)

Commits

Updates torch from 2.4.0 to 2.8.0

Release notes

Sourced from torch's releases.

PyTorch 2.8.0 Release Notes

Highlights

... (truncated)

Commits
  • ba56102 Cherrypick: Add the RunLLM widget to the website (#159592)
  • c525a02 [dynamo, docs] cherry pick torch.compile programming model docs into 2.8 (#15...
  • a1cb3cc [Release Only] Remove nvshmem from list of preload libraries (#158925)
  • c76b235 Move out super large one off foreach_copy test (#158880)
  • 20a0e22 Revert "[Dynamo] Allow inlining into AO quantization modules (#152934)" (#158...
  • 9167ac8 [MPS] Switch Cholesky decomp to column wise (#158237)
  • 5534685 [MPS] Reimplement tri[ul] as Metal shaders (#158867)
  • d19e08d Cherry pick PR 158746 (#158801)
  • a6c044a [cherry-pick] Unify torch.tensor and torch.ops.aten.scalar_tensor behavior (#...
  • 620ebd0 [Dynamo] Use proper sources for constructing dataclass defaults (#158689)
  • Additional commits viewable in compare view

Updates unstructured from 0.16.23 to 0.18.18

Release notes

Sourced from unstructured's releases.

0.18.18

Fixes

  • Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

0.18.16

Enhancement

  • Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

0.18.15

What's Changed

New Contributors

Full Changelog: Unstructured-IO/unstructured@0.18.14...0.18.15

0.18.14

Enhancements

  • Speed up function sentence_count by 59% (codeflash)

  • Speed up function check_for_nltk_package by 111% (codeflash)

... (truncated)

Changelog

Sourced from unstructured's changelog.

0.18.18

Fixes

  • Prevent path traversal in email MSG attachment filenames Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions

0.18.17

Enhancement

Features

Fixes

0.18.16

Enhancement

  • Speed up function _assign_hash_ids by 34% (codeflash)

Features

Fixes

0.18.15

Enhancements

  • Speed up function ElementHtml._get_children_html by 234% (codeflash)
  • Speed up function group_broken_paragraphs by 30% (codeflash)

Features

Fixes

  • Bumped dependencies via pip-compile to address the crit CVE in:

0.18.14

Enhancements

  • Speed up function sentence_count by 59% (codeflash)
  • Speed up function check_for_nltk_package by 111% (codeflash)
  • Speed up function under_non_alpha_ratio by 76% (codeflash)

... (truncated)

Commits
  • b01d35b fix: sanitize MSG attachment filenames to prevent path traversal (GHS… (#4117)
  • 1c519ef Security Fixes - CVE Remediation (#4115)
  • c79cf3a updated dependancies to resolve open CVEs and cut a new version (#4108)
  • 8fd07fd feat: Add simple script to sync fork with local branch (#4102)
  • ef68384 enhancement: Speed up function _assign_hash_ids by 34% (#4101)
  • 2d44d73 Luke/sept16 CVE (#4094)
  • ab55d86 ⚡️ Speed up method ElementHtml._get_children_html by 234% (#4087)
  • 6aee131 ⚡️ Speed up function group_broken_paragraphs by 30% (#4088)
  • 1030a69 fix: update deps to resolve cve (#4093)
  • e3854d2 Setup Codeflash Github Actions to optimize all future code (#4082)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
⬆ Bump the uv group across 1 directory with 5 updates
607e547 
Bumps the uv group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [fastmcp](https://github.com/PrefectHQ/fastmcp) | `2.13.1` | `2.14.0` |
| [lxml-html-clean](https://github.com/fedora-python/lxml_html_clean) | `0.3.1` | `0.4.4` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.0.0` | `6.7.5` |
| [torch](https://github.com/pytorch/pytorch) | `2.4.0` | `2.8.0` |
| [unstructured](https://github.com/Unstructured-IO/unstructured) | `0.16.23` | `0.18.18` |



Updates `fastmcp` from 2.13.1 to 2.14.0
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v2.13.1...v2.14.0)

Updates `lxml-html-clean` from 0.3.1 to 0.4.4
- [Changelog](https://github.com/fedora-python/lxml_html_clean/blob/main/CHANGES.rst)
- [Commits](fedora-python/lxml_html_clean@0.3.1...0.4.4)

Updates `pypdf` from 6.0.0 to 6.7.5
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.0.0...6.7.5)

Updates `torch` from 2.4.0 to 2.8.0
- [Release notes](https://github.com/pytorch/pytorch/releases)
- [Changelog](https://github.com/pytorch/pytorch/blob/main/RELEASE.md)
- [Commits](pytorch/pytorch@v2.4.0...v2.8.0)

Updates `unstructured` from 0.16.23 to 0.18.18
- [Release notes](https://github.com/Unstructured-IO/unstructured/releases)
- [Changelog](https://github.com/Unstructured-IO/unstructured/blob/main/CHANGELOG.md)
- [Commits](Unstructured-IO/unstructured@0.16.23...0.18.18)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 2.14.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: lxml-html-clean
  dependency-version: 0.4.4
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.7.5
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: torch
  dependency-version: 2.8.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: unstructured
  dependency-version: 0.18.18
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Mar 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants