fix(deps): update dependency fastmcp to v2.14.0 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
fastmcp	==2.13.0 -> ==2.14.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-rcfx-77hg-w2wv

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416.

FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

---

Release Notes

jlowin/fastmcp (fastmcp)

v2.14.0: : Task and You Shall Receive

Compare Source

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress

mcp = FastMCP("MyServer")

@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
    await progress.set_total(100)
    for epoch in range(100):
        # ... training work ...
        await progress.increment()
    return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

• SEP-1686: Background tasks with progress tracking
• SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
• SEP-1330: Multi-select enum elicitation schemas
• SEP-1034: Default values for elicitation schemas
• SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

New Features 🎉

• Switch to new OpenAPI parser as default by @​jlowin in #​2513
• [2.14] SEP-1686 tasks by @​chrisguidry in #​2378

Enhancements 🔧

• Expose InitializeResult to middleware by @​jlowin in #​2516
• [2.14] Update for MCP SDK auth changes by @​chrisguidry in #​2507
• Validate tool names at registration time (SEP-986) by @​jlowin in #​2540
• Deflake GitHub MCP remote integration tests by @​chrisguidry in #​2543
• Add SEP-1034 default values support for elicitation by @​jlowin in #​2545
• Improve rate limit detection for integration tests by @​chrisguidry in #​2550
• Reduce Marvin Test Failure noise by @​strawgate in #​2553
• [SEP-1686] Raise ValueError when sync functions have task=True by @​jlowin in #​2554
• refactor: move task attribute to function-based variants only [SEP-1686] by @​jlowin in #​2560
• Fix type errors for ty 0.0.1-alpha.31 upgrade by @​jlowin in #​2561
• Add regression tests for functools.wraps + Context (#​2524) by @​jlowin in #​2566
• Update VersionBadge to use Mintlify native Badge component by @​jlowin in #​2571
• Add TaskConfig for SEP-1686 execution modes by @​jlowin in #​2570
• Add execution field to base Tool class by @​chrisguidry in #​2576
• SEP-1699: Add SSE polling support with EventStore by @​jlowin in #​2564
• SEP-1330 enum schema support by @​jlowin in #​2549
• Expose get_session_id callback by @​mathewjhan in #​2486
• Remove TaskConfig and client from root exports by @​jlowin in #​2580
• Remove overly restrictive MIME type validation from Resource by @​jlowin in #​2585
• feat: handle error from the initialize middleware by @​tonyxwz in #​2531
• Remove tests/test_examples.py by @​jlowin in #​2593

Fixes 🐞

• Fix RFC 8414 path-aware authorization server metadata discovery by @​jlowin in #​2533
• Make fastapi.cli a runnable package by @​paulo-raca in #​2532
• Move TokenHandler to OAuthProvider for consistent OAuth error codes by @​jlowin in #​2538
• Update FastMCP server documentation link by @​sskim91 in #​2529
• Fix: Include signature modification in create_function_without_params by @​AidanAllchin in #​2563
• add client kwargs to proxy clients and meta to proxy tool calls by @​cegersdoerfer in #​2520
• Prefix Docket function names to avoid collisions in multi-mount setups by @​chrisguidry in #​2575
• Fix OAuth client to preserve full URL path for metadata discovery by @​jlowin in #​2577
• Do not run windows tests in parallel by @​jlowin in #​2579
• Fix proxy tool result meta attribute forwarding by @​dherrman in #​2526
• Fix nested server mount routing for 3+ levels deep by @​jlowin in #​2586
• Add smart fallback for missing access token expiry by @​jlowin in #​2587
• fix: preserve exception propagation through transport cleanup by @​jlowin in #​2591

Breaking Changes 🛫

• Remove enable_docket setting; Docket is now always on by @​chrisguidry in #​2558
• Forbid task execution through proxies, add mount/proxy task tests by @​chrisguidry in #​2574
• Remove enable_tasks setting, enable task protocol by default by @​chrisguidry in #​2578
• Remove deprecated from fastmcp.settings import settings by @​jlowin in #​2581
• Remove deprecated mount/import argument order and separator params by @​jlowin in #​2582
• 2.14 deprecation removals by @​jlowin in #​2329
  Note that #​2329 includes the following PRs:
  • Remove deprecated FASTMCP_SERVER_ environment variable prefix by @​jlowin in #​2330
  • Remove deprecated Context.get_http_request method by @​jlowin in #​2332
  • Remove fastmcp.Image top-level import (deprecated 2.8.1) by @​jlowin in #​2334
  • Remove deprecated client parameter from FastMCPProxy by @​jlowin in #​2333
  • Remove deprecated run_streamable_http_async method by @​jlowin in #​2338
  • Remove deprecated sse_app method by @​jlowin in #​2337
  • Remove deprecated run_sse_async method by @​jlowin in #​2335
  • Remove deprecated streamable_http_app method by @​jlowin in #​2336
  • Remove deprecated dependencies parameter (fixes #​2177) by @​jlowin in #​2340
  • Remove output_schema=False support (deprecated 2.11.4) by @​jlowin in #​2339
  • Remove deprecated BearerAuthProvider module by @​jlowin in #​2341
  • Remove resource_prefix_format="protocol" support (deprecated 2.4.0) by @​jlowin in #​2342
  • Remove from_client classmethod (deprecated 2.8.0) by @​jlowin in #​2343
  • Remove add_resource_fn method (deprecated 2.7.0) by @​jlowin in #​2345

Docs 📚

• Add OCI integration to docs navigation by @​jlowin in #​2515
• Add supabase docs by @​jlowin in #​2030
• Add v2.14.0 upgrade guide by @​jlowin in #​2565
• docs: document stateless_http for horizontal scaling by @​alexjacobs08 in #​2547
• Rewrite background tasks documentation by @​jlowin in #​2567
• [Draft] Add documentation for read-only tool patterns by @​strawgate in #​2536

New Contributors

• @​paulo-raca made their first contribution in #​2532
• @​sskim91 made their first contribution in #​2529
• @​AidanAllchin made their first contribution in #​2563
• @​alexjacobs08 made their first contribution in #​2547
• @​mathewjhan made their first contribution in #​2486
• @​dherrman made their first contribution in #​2526
• @​tonyxwz made their first contribution in #​2531

Full Changelog: jlowin/fastmcp@v2.13.2...v2.14.0

v2.13.3: : Pin-ish Line

Compare Source

MCP SDK 1.23 introduced some changes related to the 11/25/25 MCP protocol update that break some patches/workarounds that FastMCP had implemented previously. In particular, OAuth changes in the new protocol changed some implementation details that FastMCP patched; as such 1.23 is not necessarily a breaking SDK change but it is "breaking" for certain FastMCP behaviors.

As a precaution, this release pins mcp<1.23. FastMCP 2.14 will introduce 11/25/25 support (and require mcp>=1.23).

v2.13.2: : Refreshing Changes

Compare Source

FastMCP 2.13.2 polishes the authentication stack with fixes for token refresh, scope handling, and multi-instance deployments. Discord joins the growing roster of built-in OAuth providers, Azure and Google token handling gets more reliable, and proxy classes now properly forward icons and titles. This release also adds CSP customization for consent screens and fixes an edge case where $defs could mutate during tool transforms.

Welcome to 7 new contributors who made their first FastMCP contributions in this release!

What's Changed

New Features 🎉

• Add Discord OAuth provider and corresponding tests by @​Aisha630 in #​2428

Enhancements 🔧

• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​2433
• feat: Made Changes to DescopeProvider to Support New Well Known URLs by @​gaokevin1 in #​2392
• Scalekit provider updates by @​AkshayParihar33 in #​2413
• Add consent_csp_policy parameter for CSP customization by @​jlowin in #​2484
• Add icons support to proxy classes by @​jlowin in #​2502

Fixes 🐞

• Add refresh token support defaults to GoogleProvider by @​jlowin in #​2438
• Fix exclude_args with non-serializable types by @​jlowin in #​2440
• Fix Azure OAuth token refresh with unprefixed scopes by @​Neet-Nestor in #​2462
• fix: prevent $defs mutation in Tool.from_tool transforms by @​jtanningbed in #​2493
• Add title attribute to ProxyTool, ProxyResource, … by @​CNSeniorious000 in #​2497
• Fix OAuth proxy refresh token storage for multi-instance deployments by @​jlowin in #​2483
• Fix get_access_token() returning stale token after OAuth refresh by @​jlowin in #​2505
• Fix version badges for icons and website_url; add Discord example by @​jlowin in #​2509
• Fix Azure provider OIDC scope handling by @​jlowin in #​2506

Docs 📚

• Update http.mdx by @​Shengshenlan in #​2446
• Fix version number in VersionBadge: change 2.14.0 to 2.13.0 by @​ShaikAyesha17 in #​2491
• Add Discord OAuth integration documentation by @​jlowin in #​2508

Dependencies 📦

• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​2432
• Bump py-key-value-aio to 0.3.0 by @​strawgate in #​2437
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​2474

Other Changes 🦾

• Add extra_authorize_params and extra_token_params to OIDCProxy by @​jlowin in #​2439

New Contributors

• @​Neet-Nestor made their first contribution in #​2462
• @​Shengshenlan made their first contribution in #​2446
• @​gaokevin1 made their first contribution in #​2392
• @​ShaikAyesha17 made their first contribution in #​2491
• @​jtanningbed made their first contribution in #​2493
• @​CNSeniorious000 made their first contribution in #​2497
• @​Aisha630 made their first contribution in #​2428

Full Changelog: jlowin/fastmcp@v2.13.1...v2.13.2

v2.13.1: : Heavy Meta

Compare Source

FastMCP 2.13.1 introduces meta parameter support for ToolResult (#​2283), letting tools return metadata alongside results to enable new use cases such as OpenAI's Apps SDK. It also supports client-sent meta (#​2206) as well as improved OAuth capabilities and custom token verifiers (including the new DebugTokenVerifier) and an OCI authentication provider. A large list of enhancements and bugfixes round out the release.

Note that #​2422 excludes MCP SDK 1.21.1 as a permitted dependency version due to a bug that fails FastMCP integration tests.

What's Changed

Enhancements 🔧

• Cleanly render auth errors from OAuth Proxy by @​jlowin in #​2268
• Add custom token verifier support to OIDCProxy by @​jlowin in #​2279
• Supporting Multiple Issuers For JWTVerifier Oauth Workflow by @​mhassaninmsft in #​2233
• Switch to logger.exception for fastmcp run/inspect by @​jakekaplan in #​2294
• Add base_authority parameter to AzureProvider for Azure Government support by @​jlowin in #​2306
• Add DebugTokenVerifier with custom sync/async validation by @​jlowin in #​2296
• Added to_data_uri method for Image class. by @​Hyperclaw79 in #​2227
• Remove test warnings by @​jlowin in #​2331
• Mark flaky Windows test for retry by @​jlowin in #​2344
• Add meta support to ToolResult by @​BrandonShar in #​2283
• switch from pre-commit to prek by @​zzstoatzz in #​2309
• Add manual initialization control to Client by @​jlowin in #​2355
• Pin Cyclopts to v4.0.0 + compliance note by @​jlowin in #​2354
• Switch marvin to prek from pre-commit by @​strawgate in #​2361
• Add meta to call tool by @​aiorga-sherpas in #​2206
• feat: add algorithm configuration to Supabase auth provider by @​cemalkilic in #​2376
• chore(typos): fix additional typos by @​pstoeckle in #​2396
• Martian triage for test failures by @​strawgate in #​2407
• OCI Provider with Docs by @​kiranthakkar in #​2389

Fixes 🐞

• Fix OAuth token storage documentation by @​jlowin in #​2272
• fix(docs): correct the key_value repo link by @​JonZeolla in #​2276
• Remove trailing slashes from MCP endpoint URLs by @​jlowin in #​2277
• Fix py-key-value-aio minimum version to 0.2.8 by @​jlowin in #​2288
• Fix Chrome CSP blocking OAuth consent form with custom protocol redirects by @​jlowin in #​2305
• Add OIDCProxy to auth module exports by @​jlowin in #​2308
• Require uvicorn>=0.35 for websockets-sansio support by @​jlowin in #​2307
• Fix query-only resource templates not matching URIs without query strings by @​joshuadavidthomas in #​2323
• Security: Update authlib to 1.6.5 (CVE-2025-61920) by @​ColeMurray in #​2347
• Security: Validate Cursor deeplink URLs and use safer Windows API by @​ColeMurray in #​2348
• fix: on_initialize is not using request params but the whole request by @​Maxi91f in #​2357
• Fix OAuth metadata endpoint URLs when base_url differs from issuer_url by @​jlowin in #​2353
• Fix Windows test timeouts from SQLite locking by @​jlowin in #​2368
• Fix: URL-encode server name in Cursor deeplinks by @​jlowin in #​2369
• Fix get_http_headers() returning empty dict in on_initialize middleware by @​jlowin in #​2370
• Allow OAuth instance to use the same httpx factory as the Transport by @​guschnwg in #​2324
• Fix consent form action for subpath mounting by @​jlowin in #​2382
• Fix Windows test timeout and restore parallel testing by @​jlowin in #​2383
• Fix duplicate keyword argument error in configure_logging by @​strawgate in #​2381
• Update CSP to allow data URI images on OAuth screens by @​lawrence-law in #​2405
• fix: upstream token cache expires when refresh expires by @​wipash in #​2410
• fix(oauth_proxy): 🐛 add extra_token_params as kwargs in refresh… by @​EdenTrainorCDL in #​2387
• fix(OpenAPIParser): Fix missing $defs for response schemas in experimental OpenAPI parser by @​ChristophNetsch in #​2398
• docs: fix run_server_async documentation by @​jlowin in #​2423
• Fix self-referencing types not being recognized as object schemas by @​jlowin in #​2424
• Simplify _is_object_schema helper by @​jlowin in #​2426

Docs 📚

• Update Azure sidebar title to include Entra ID by @​jlowin in #​2266
• Improve OAuth client token storage security documentation by @​jlowin in #​2270
• Add note about docs version by @​jlowin in #​2271
• 📝 Add docstrings to enhancement/support-jwt-multiple-issuers by @​coderabbitai[bot] in #​2282
• Add maturity warnings for py-key-value backends by @​strawgate in #​2311
• Improve ToolResult and structured output documentation by @​jlowin in #​2349
• Document client meta parameter by @​jlowin in #​2367
• docs: clarify pytest-asyncio dependency and asyncio mode configuration by @​strawgate in #​2399

Dependencies 📦

• Bump ty to ==0.0.1a25 by @​jlowin in #​2350

Other Changes 🦾

• Replace openapi-core with jsonschema-path by @​jlowin in #​2291
• Fix lowest-direct dependency tests to actually test minimum versions by @​Copilot in #​2295
• Add version badge for DebugTokenVerifier by @​jlowin in #​2390
• Handle request_context availability during MCP initialization by @​jlowin in #​2400
• Exclude MCP SDK 1.21.1 and add scope validation to InMemoryOAuthProvider by @​jlowin in #​2422

New Contributors

• @​JonZeolla made their first contribution in #​2276
• @​mhassaninmsft made their first contribution in #​2233
• @​coderabbitai[bot] made their first contribution in #​2282
• @​jakekaplan made their first contribution in #​2294
• @​joshuadavidthomas made their first contribution in #​2323
• @​Hyperclaw79 made their first contribution in #​2227
• @​ColeMurray made their first contribution in #​2347
• @​BrandonShar made their first contribution in #​2283
• @​aiorga-sherpas made their first contribution in #​2206
• @​guschnwg made their first contribution in #​2324
• @​cemalkilic made their first contribution in #​2376
• @​pstoeckle made their first contribution in #​2396
• @​lawrence-law made their first contribution in #​2405
• @​wipash made their first contribution in #​2410
• @​EdenTrainorCDL made their first contribution in #​2387
• @​ChristophNetsch made their first contribution in #​2398
• @​kiranthakkar made their first contribution in #​2389

Full Changelog: jlowin/fastmcp@v2.13.0.1...v2.13.1

v2.13.0.2: : Cache Me If You Can

Compare Source

Bugfixes

This release includes two critical dependency fixes:

• Fix py-key-value-aio minimum version (#​2288): Corrected minimum version requirement to 0.2.8 to ensure compatibility
• Replace openapi-core with jsonschema-path (#​2291): Migrated from openapi-core to jsonschema-path for improved OpenAPI validation performance and stability

v2.13.0.1: : Cache Me If You Can

Compare Source

This release includes an important bugfix for 2.13.0 that affects how the Azure OAuth provider handles scopes.

What's Changed

Enhancements 🔧

• Add "High Value" Ruff Rules by @​strawgate in #​2255

Fixes 🐞

• Fix Azure scope validation by @​jlowin in #​2269

Other Changes 🦾

• Add CI test job for lowest-direct dependency resolution by @​Copilot in #​2261

New Contributors

• @​Copilot made their first contribution in #​2261

Full Changelog: jlowin/fastmcp@v2.13.0...v2.13.0.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello @renovate-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the fastmcp dependency to v2.14.0, primarily to incorporate crucial security fixes related to the MCP SDK and to introduce significant new features. The update enhances the framework with native support for background tasks, improves OpenAPI parsing, and aligns with the latest MCP specification, while also cleaning up deprecated APIs.

Highlights

• Dependency Update: Upgrades the fastmcp library from version 2.13.0 to 2.14.0.
• Security Fix: Addresses a security vulnerability (CVE-2025-66416) by ensuring compatibility with MCP SDK versions that are not vulnerable, as older fastmcp versions allowed vulnerable SDK versions.
• Background Tasks: Introduces a new protocol for background tasks (SEP-1686), enabling non-blocking execution and progress tracking for long-running operations.
• OpenAPI Parser Promotion: Promotes the experimental OpenAPI parser to standard, offering improved performance and cleaner abstractions.
• MCP Specification Support: Adds first-class support for several new features from the MCP 2025-11-25 specification, including SSE polling, multi-select enum elicitation, and tool name validation.
• API Cleanup: Removes numerous deprecated APIs and features accumulated across the 2.x series, streamlining the library.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the fastmcp dependency from 2.13.0 to 2.14.0. This is an important security update to address the vulnerability GHSA-rcfx-77hg-w2wv. I have reviewed the release notes for fastmcp v2.14.0 and its breaking changes. The project's usage of fastmcp in server.py and test_server.py is basic and does not seem to be affected by the breaking changes. The update is safe to merge and necessary for security.