Skip to content

Bump the minor-and-patch group across 1 directory with 4 updates#70

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/minor-and-patch-39df1a29a7
Closed

Bump the minor-and-patch group across 1 directory with 4 updates#70
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/minor-and-patch-39df1a29a7

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 9, 2026
edited
Loading

Bumps the minor-and-patch group with 4 updates in the / directory: fastmcp, langchain-core, logfire and ruff.

Updates fastmcp from 3.2.0 to 3.2.2

Release notes

Sourced from fastmcp's releases.

v3.2.2: Audience Appreciation

The Azure audience fix in 3.2.1 overcorrected: it switched token validation from client_id to identifier_uri, which fixed custom Application ID URIs but broke the default case where Azure AD v2 tokens set aud to the bare client ID GUID. Both formats are now accepted.

What's Changed

Fixes 🐞

Dependencies 📦

Full Changelog: PrefectHQ/fastmcp@v3.2.1...v3.2.2

v3.2.1: Audience Participation

Most of the fixes in this patch are about auth providers getting audience validation wrong. Cognito token verification was checking the aud JWT claim, but Cognito access tokens don't include one; they use client_id instead. Azure was hardcoding the raw client ID as the expected audience, ignoring the identifier_uri parameter even though Entra v2.0 tokens use the Application ID URI as aud. Both now validate correctly without changing the provider API. Consent cookies also had an unbounded growth problem in high-DCR-client environments, eventually blowing past reverse proxy header limits; they're now capped as an LRU.

On the OpenAPI side, nullable: true fields from 3.0 specs were leaking into tool input schemas as-is instead of being converted to JSON Schema's type: ["string", "null"]. Server variable templates in base URLs (like https://{region}.api.example.com) were also being passed through raw instead of substituted with their defaults.

Smaller fixes: form submissions from Prefab UI now correctly handle unchecked boolean checkboxes, the client no longer crashes on error responses with empty or non-text content from third-party servers, and asyncio.iscoroutinefunction no longer emits deprecation warnings on Python 3.14.

What's Changed

Breaking Changes ⚠️

Enhancements ✨

Fixes 🐞

... (truncated)

Commits
  • 6592aaa fix: accept both client_id and identifier_uri as Azure audience (#3797)
  • 9f0d8d3 chore(deps): bump the uv group across 2 directories with 1 update (#3795)
  • 556fd8f Harden client tool result error handling (#3778)
  • e064ba6 chore: Update SDK documentation (#3791)
  • a3c5cc1 chore: Update SDK documentation (#3757)
  • f5be772 fix: bump ty to >=0.0.29 and suppress new false positives (#3790)
  • f14456d docs: document forward_resource parameter on OAuthProxy (#3788)
  • 2b9d3ee fix: use identifier_uri as audience for Azure token validation (#3787)
  • e1ea133 fix: Cognito token verification checks client_id instead of aud (#3786)
  • 042db1d Fix OpenAPI 3.0 nullable fields in tool input schemas (#3768)
  • Additional commits viewable in compare view

Updates langchain-core from 1.2.26 to 1.2.28

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

Commits

Updates logfire from 4.31.0 to 4.31.1

Release notes

Sourced from logfire's releases.

v4.31.1

Changelog

Sourced from logfire's changelog.

[v4.31.1] (2026-04-09)

Commits

Updates ruff from 0.15.8 to 0.15.10

Release notes

Sourced from ruff's releases.

0.15.10

Release Notes

Released on 2026-04-09.

Preview features

  • [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
  • [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
  • [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

  • Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
  • Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
  • Strip form feeds from indent passed to dedent_to (#24381)
  • [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
  • Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

  • [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

  • Add support for custom file extensions (#24463)

Documentation

  • Document adding fixes in CONTRIBUTING.md (#24393)
  • Fix JSON typo in settings example (#24517)

Contributors

Install ruff 0.15.10

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.10/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.10

Released on 2026-04-09.

Preview features

  • [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
  • [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
  • [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

  • Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
  • Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
  • Strip form feeds from indent passed to dedent_to (#24381)
  • [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
  • Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

  • [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

  • Add support for custom file extensions (#24463)

Documentation

  • Document adding fixes in CONTRIBUTING.md (#24393)
  • Fix JSON typo in settings example (#24517)

Contributors

0.15.9

Released on 2026-04-02.

Preview features

  • [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
  • [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

... (truncated)

Commits
  • 252f761 Bump 0.15.10 (#24519)
  • 37a1ec8 [ty] Fix assignability of intersections with bounded typevars (#24502)
  • f518cc9 [ty] Allow partially stringified type[…] annotations (#24518)
  • 16c4090 docs: fix JSON typo in settings example (#24517)
  • 99d97bd [ty] Tighten up a few edge cases in Concatenate type-expression parsing (#2...
  • 2714e34 [ty] Enable pull-diagnostics by default in E2E tests (#24516)
  • d8bc700 LSP: Add support for custom extensions (#24463)
  • a45f96d [ty] stop special-casing str constructor (#24514)
  • 87a0f01 [ruff] Treat f-string interpolation as potential side effect in RUF019 (#24426)
  • e9ba848 [ty] Fix excess subscript argument inference for non-generic types (#24354)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the minor-and-patch group across 1 directory with 4 updates
3d93741 
Bumps the minor-and-patch group with 4 updates in the / directory: [fastmcp](https://github.com/PrefectHQ/fastmcp), [langchain-core](https://github.com/langchain-ai/langchain), [logfire](https://github.com/pydantic/logfire) and [ruff](https://github.com/astral-sh/ruff).


Updates `fastmcp` from 3.2.0 to 3.2.2
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.2.0...v3.2.2)

Updates `langchain-core` from 1.2.26 to 1.2.28
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.2.26...langchain-core==1.2.28)

Updates `logfire` from 4.31.0 to 4.31.1
- [Release notes](https://github.com/pydantic/logfire/releases)
- [Changelog](https://github.com/pydantic/logfire/blob/main/CHANGELOG.md)
- [Commits](pydantic/logfire@v4.31.0...v4.31.1)

Updates `ruff` from 0.15.8 to 0.15.10
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.8...0.15.10)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: langchain-core
  dependency-version: 1.2.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: logfire
  dependency-version: 4.31.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: ruff
  dependency-version: 0.15.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 9, 2026
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 14, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 14, 2026
@dependabot dependabot Bot deleted the dependabot/uv/minor-and-patch-39df1a29a7 branch April 14, 2026 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants