Bump the uv group across 3 directories with 5 updates #3224

dependabot · 2026-01-17T18:03:33Z

Bumps the uv group with 5 updates in the /src/fetch directory:

Package	From	To
mcp	`1.2.0`	`1.23.0`
requests	`2.32.3`	`2.32.4`
h11	`0.14.0`	`0.16.0`
starlette	`0.41.2`	`0.49.1`
urllib3	`2.2.3`	`2.6.3`

Bumps the uv group with 3 updates in the /src/git directory: mcp, h11 and starlette.
Bumps the uv group with 2 updates in the /src/time directory: h11 and starlette.

Updates mcp from 1.2.0 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

Add tests for JSON Schema 2020-12 field preservation (SEP-1613) by @felixweinberger in modelcontextprotocol/python-sdk#1649

Add client_secret_basic authentication support by @jonshea in modelcontextprotocol/python-sdk#1334

Implement SEP-1577 - Sampling With Tools by @ochafik in modelcontextprotocol/python-sdk#1594

SEP-1330: Elicitation Enum Schema Improvements and Standards Compliance by @chughtapan in modelcontextprotocol/python-sdk#1246

[auth][conformance] add conformance auth client by @pcarleton in modelcontextprotocol/python-sdk#1640

Implement SEP-986: Tool name validation by @felixweinberger in modelcontextprotocol/python-sdk#1655

fix: url for spec by @felixweinberger in modelcontextprotocol/python-sdk#1659

feat: implement SEP-991 URL-based client ID (CIMD) support by @pcarleton in modelcontextprotocol/python-sdk#1652

Update doc string on custom_route by @pcarleton in modelcontextprotocol/python-sdk#1660

Implement SEP-1036: URL mode elicitation for secure out-of-band interactions by @cbcoutinho in modelcontextprotocol/python-sdk#1580

Skip empty SSE data to avoid parsing errors by @felixweinberger in modelcontextprotocol/python-sdk#1670

SEP-1686: Tasks by @maxisbey in modelcontextprotocol/python-sdk#1645

Add on_session_created callback option by @crondinini-ant in modelcontextprotocol/python-sdk#1710

Add SSE polling support (SEP-1699) by @felixweinberger in modelcontextprotocol/python-sdk#1654

Support client_credentials flow with JWT and Basic auth by @pcarleton in modelcontextprotocol/python-sdk#1663

feat: backwards-compatible create_message overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/python-sdk#1713

Auto-enable DNS rebinding protection for localhost servers by @pcarleton (d3a184119e4479ea6a63590bc41f01dc06e3fa99)

New Contributors

@ochafik made their first contribution in modelcontextprotocol/python-sdk#1594

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

What's Changed

feat: Pass through and expose additional parameters in ClientSessionGroup.call_tool and .connect_to_server by @inaku-Gyan in modelcontextprotocol/python-sdk#1576

chore: Lazy import jsonschema library by @wuliang229 in modelcontextprotocol/python-sdk#1596

docs: Update examples to use stateless HTTP with JSON responses by @domdomegg in modelcontextprotocol/python-sdk#1499

New Contributors

@wuliang229 made their first contribution in modelcontextprotocol/python-sdk#1596

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

modelcontextprotocol/python-sdk#1630

modelcontextprotocol/python-sdk#1632

What's Changed

... (truncated)

Commits

d3a1841 Merge commit from fork
fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
f82b0c9 Support client_credentials flow with JWT and Basic auth (#1663)
281fd47 Add SSE polling support (SEP-1699) (#1654)
2cd178a Add on_session_created callback option (#1710)
c92bb2f SEP-1686: Tasks (#1645)
5983a65 Skip empty SSE data to avoid parsing errors (#1670)
02b7889 Implement SEP-1036: URL mode elicitation for secure out-of-band interactions ...
27279bc Update doc string on custom_route (#1660)
f225013 feat: implement SEP-991 URL-based client ID (CIMD) support (#1652)
Additional commits viewable in compare view

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS. (#6926)

Dropped support for pypy 3.9 following its end of support. (#6926)

Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

Numerous documentation improvements

Deprecations

Added support for pypy 3.11 for Linux and macOS.

Dropped support for pypy 3.9 following its end of support.

Commits

021dc72 Polish up release tooling for last manual release
821770e Bump version and add release notes for v2.32.4
59f8aa2 Add netrc file search information to authentication documentation (#6876)
5b4b64c Add more tests to prevent regression of CVE 2024 47081
7bc4587 Add new test to check netrc auth leak (#6962)
96ba401 Only use hostname to do netrc lookup instead of netloc
7341690 Merge pull request #6951 from tswast/patch-1
6716d7c remove links
a7e1c74 Update docs/conf.py
c799b81 docs: fix dead links to kenreitz.org
Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

1c5b075 this time for surer
d9c3699 this time for sure...
d91b9dd blacken
5a4683c Soothe mypy
9c9567f Bump version to 0.16.0
114803a Merge commit from fork
9462006 Bump version to 0.15.0
70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
60782ad Reject Content-Length longer 1 billion TB
dff7cc3 Validate Chunked-Encoding chunk footer
Additional commits viewable in compare view

Updates starlette from 0.41.2 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

Add encoding parameter to Config class #2996.

Support multiple cookie headers in Request.cookies #3029.

Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

New Contributors

@TheWesDias made their first contribution in Kludex/starlette#3017

@gmos2104 made their first contribution in Kludex/starlette#3027

@secrett2633 made their first contribution in Kludex/starlette#2996

@adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

Add official Python 3.14 support #3013.

Changed

Implement RFC9110 http status names #2939.

New Contributors

@yakimka made their first contribution in Kludex/starlette#2943

@mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

Add encoding parameter to Config class #2996.

Support multiple cookie headers in Request.cookies #3029.

Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

Add official Python 3.14 support #3013.

Changed

Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

0.47.2 (July 20, 2025)

Fixed

Make UploadFile check for future rollover #2962.

0.47.1 (June 21, 2025)

Fixed

Use Self in TestClient.__enter__ #2951.

Allow async exception handlers to type-check #2949.

... (truncated)

Commits

7e4b742 Version 0.49.1 (#3047)
4ea6e22 Merge commit from fork
7d88ea6 Version 0.49.0 (#3046)
26d66bb Do not pollute exception context in Middleware (#2976)
a59397d Set encodings when reading config files (#2996)
3b7f0cb test: add test for unknown status (#3035)
b09ce1a docs: fix legibility issues on sponsorship page (#3039)
0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
3912d63 docs: add social icons (#3038)
4915a93 Add discord to README/docs (#3034)
Additional commits viewable in compare view

Updates urllib3 from 2.2.3 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @D47A, 8.9 High, GHSA-38jv-5279-wg99)

Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)

Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)

Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)

Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)

Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)

Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using

... (truncated)

Commits

0248277 Release 2.6.3
8864ac4 Merge commit from fork
70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
34284cb Mention experimental features in the security policy (#3746)
Additional commits viewable in compare view

Updates mcp from 1.2.0 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

Add tests for JSON Schema 2020-12 field preservation (SEP-1613) by @felixweinberger in modelcontextprotocol/python-sdk#1649

Add client_secret_basic authentication support by @jonshea in modelcontextprotocol/python-sdk#1334

Implement SEP-1577 - Sampling With Tools by @ochafik in modelcontextprotocol/python-sdk#1594

SEP-1330: Elicitation Enum Schema Improvements and Standards Compliance by @chughtapan in modelcontextprotocol/python-sdk#1246

[auth][conformance] add conformance auth client by @pcarleton in modelcontextprotocol/python-sdk#1640

Implement SEP-986: Tool name validation by @felixweinberger in modelcontextprotocol/python-sdk#1655

fix: url for spec by @felixweinberger in modelcontextprotocol/python-sdk#1659

feat: implement SEP-991 URL-based client ID (CIMD) support by @pcarleton in modelcontextprotocol/python-sdk#1652

Update doc string on custom_route by @pcarleton in modelcontextprotocol/python-sdk#1660

Implement SEP-1036: URL mode elicitation for secure out-of-band interactions by @cbcoutinho in modelcontextprotocol/python-sdk#1580

Skip empty SSE data to avoid parsing errors by @felixweinberger in modelcontextprotocol/python-sdk#1670

SEP-1686: Tasks by @maxisbey in modelcontextprotocol/python-sdk#1645

Add on_session_created callback option by @crondinini-ant in modelcontextprotocol/python-sdk#1710

Add SSE polling support (SEP-1699) by @felixweinberger in modelcontextprotocol/python-sdk#1654

Support client_credentials flow with JWT and Basic auth by @pcarleton in modelcontextprotocol/python-sdk#1663

feat: backwards-compatible create_message overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/python-sdk#1713

Auto-enable DNS rebinding protection for localhost servers by @pcarleton (d3a184119e4479ea6a63590bc41f01dc06e3fa99)

New Contributors

@ochafik made their first contribution in modelcontextprotocol/python-sdk#1594

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

What's Changed

feat: Pass through and expose additional parameters in ClientSessionGroup.call_tool and .connect_to_server by @inaku-Gyan in modelcontextprotocol/python-sdk#1576

chore: Lazy import jsonschema library by @wuliang229 in modelcontextprotocol/python-sdk#1596

docs: Update examples to use stateless HTTP with JSON responses by @domdomegg in modelcontextprotocol/python-sdk#1499

New Contributors

@wuliang229 made their first contribution in modelcontextprotocol/python-sdk#1596

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

modelcontextprotocol/python-sdk#1630

modelcontextprotocol/python-sdk#1632

What's Changed

... (truncated)

Commits

d3a1841 Merge commit from fork
fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
f82b0c9 Support client_credentials flow with JWT and Basic auth (#1663)
281fd47 Add SSE polling support (SEP-1699) (#1654)
2cd178a Add on_session_created callback option (#1710)
c92bb2f SEP-1686: Tasks (#1645)
5983a65 Skip empty SSE data to avoid parsing errors (#1670)
02b7889 Implement SEP-1036: URL mode elicitation for secure out-of-band interactions ...
27279bc Update doc string on custom_route (#1660)
f225013 feat: implement SEP-991 URL-based client ID (CIMD) support (#1652)
Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

1c5b075 this time for surer
d9c3699 this time for sure...
d91b9dd blacken
5a4683c Soothe mypy
9c9567f Bump version to 0.16.0
114803a Merge commit from fork
9462006 Bump version to 0.15.0
70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
60782ad Reject Content-Length longer 1 billion TB
dff7cc3 Validate Chunked-Encoding chunk footer
Additional commits viewable in compare view

Updates starlette from 0.41.2 to 0.49.1

Release notes

Sourced from starlette's releases.

Version 0.49.1

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

Full Changelog: Kludex/starlette@0.49.0...0.49.1

Version 0.49.0

Added

Add encoding parameter to Config class #2996.

Support multiple cookie headers in Request.cookies #3029.

Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

New Contributors

@TheWesDias made their first contribution in Kludex/starlette#3017

@gmos2104 made their first contribution in Kludex/starlette#3027

@secrett2633 made their first contribution in Kludex/starlette#2996

@adam-sikora made their first contribution in Kludex/starlette#2976

Full Changelog: Kludex/starlette@0.48.0...0.49.0

Version 0.48.0

Added

Add official Python 3.14 support #3013.

Changed

Implement RFC9110 http status names #2939.

New Contributors

@yakimka made their first contribution in Kludex/starlette#2943

@mbeijen made their first contribution in Kludex/starlette#2939

Full Changelog: Kludex/starlette@0.47.3...0.48.0

... (truncated)

Changelog

Sourced from starlette's changelog.

0.49.1 (October 28, 2025)

This release fixes a security vulnerability in the parsing logic of the Range header in FileResponse.

You can view the full security advisory: GHSA-7f5h-v6xp-fcq8

Fixed

Optimize the HTTP ranges parsing logic 4ea6e22b489ec388d6004cfbca52dd5b147127c5

0.49.0 (October 28, 2025)

Added

Add encoding parameter to Config class #2996.

Support multiple cookie headers in Request.cookies #3029.

Use Literal type for WebSocketEndpoint encoding values #3027.

Changed

Do not pollute exception context in Middleware when using BaseHTTPMiddleware #2976.

0.48.0 (September 13, 2025)

Added

Add official Python 3.14 support #3013.

Changed

Implement RFC9110 http status names #2939.

0.47.3 (August 24, 2025)

Fixed

Use asyncio.iscoroutinefunction for Python 3.12 and older #2984.

0.47.2 (July 20, 2025)

Fixed

Make UploadFile check for future rollover #2962.

0.47.1 (June 21, 2025)

Fixed

Use Self in TestClient.__enter__ #2951.

Allow async exception handlers to type-check #2949.

... (truncated)

Commits

7e4b742 Version 0.49.1 (#3047)
4ea6e22 Merge commit from fork
7d88ea6 Version 0.49.0 (#3046)
26d66bb Do not pollute exception context in Middleware (#2976)
a59397d Set encodings when reading config files (#2996)
3b7f0cb test: add test for unknown status (#3035)
b09ce1a docs: fix legibility issues on sponsorship page (#3039)
0f0edcf Revert "Add Marcelo Trylesinski to the license (#3025)" (#3044)
3912d63 docs: add social icons (#3038)
4915a93 Add discord to README/docs (#3034)
Additional commits viewable in compare view

Updates mcp from 1.2.0 to 1.23.0

Release notes

Sourced from mcp's releases.

v1.23.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

Add tests for JSON Schema 2020-12 field preservation (SEP-1613) by @felixweinberger in modelcontextprotocol/python-sdk#1649

Add client_secret_basic authentication support by @jonshea in modelcontextprotocol/python-sdk#1334

Implement SEP-1577 - Sampling With Tools by @ochafik in modelcontextprotocol/python-sdk#1594

SEP-1330: Elicitation Enum Schema Improvements and Standards Compliance by @chughtapan in modelcontextprotocol/python-sdk#1246

[auth][conformance] add conformance auth client by @pcarleton in modelcontextprotocol/python-sdk#1640

Implement SEP-986: Tool name validation by @felixweinberger in modelcontextprotocol/python-sdk#1655

fix: url for spec by @felixweinberger in modelcontextprotocol/python-sdk#1659

feat: implement SEP-991 URL-based client ID (CIMD) support by @pcarleton in modelcontextprotocol/python-sdk#1652

Update doc string on custom_route by @pcarleton in modelcontextprotocol/python-sdk#1660

Implement SEP-1036: URL mode elicitation for secure out-of-band interactions by @cbcoutinho in modelcontextprotocol/python-sdk#1580

Skip empty SSE data to avoid parsing errors by @felixweinberger in modelcontextprotocol/python-sdk#1670

SEP-1686: Tasks by @maxisbey in modelcontextprotocol/python-sdk#1645

Add on_session_created callback option by @crondinini-ant in modelcontextprotocol/python-sdk#1710

Add SSE polling support (SEP-1699) by @felixweinberger in modelcontextprotocol/python-sdk#1654

Support client_credentials flow with JWT and Basic auth by @pcarleton in modelcontextprotocol/python-sdk#1663

feat: backwards-compatible create_message overloads for SEP-1577 by @felixweinberger in modelcontextprotocol/python-sdk#1713

Auto-enable DNS rebinding protection for localhost servers by @pcarleton (d3a184119e4479ea6a63590bc41f01dc06e3fa99)

New Contributors

@ochafik made their first contribution in modelcontextprotocol/python-sdk#1594

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

What's Changed

feat: Pass through and expose additional parameters in ClientSessionGroup.call_tool and .connect_to_server by @inaku-Gyan in modelcontextprotocol/python-sdk#1576

chore: Lazy import jsonschema library by @wuliang229 in modelcontextprotocol/python-sdk#1596

docs: Update examples to use stateless HTTP with JSON responses by @domdomegg in modelcontextprotocol/python-sdk#1499

New Contributors

@wuliang229 made their first contribution in modelcontextprotocol/python-sdk#1596

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

modelcontextprotocol/python-sdk#1630

modelcontextprotocol/python-sdk#1632

What's Changed

... (truncated)

Commits

d3a1841 Merge commit from fork
fa851d9 feat: backwards-compatible create_message overloads for SEP-1577 (#1713)
f82b0c... Description has been truncated

Bumps the uv group with 5 updates in the /src/fetch directory: | Package | From | To | | --- | --- | --- | | [mcp](https://github.com/modelcontextprotocol/python-sdk) | `1.2.0` | `1.23.0` | | [requests](https://github.com/psf/requests) | `2.32.3` | `2.32.4` | | [h11](https://github.com/python-hyper/h11) | `0.14.0` | `0.16.0` | | [starlette](https://github.com/Kludex/starlette) | `0.41.2` | `0.49.1` | | [urllib3](https://github.com/urllib3/urllib3) | `2.2.3` | `2.6.3` | Bumps the uv group with 3 updates in the /src/git directory: [mcp](https://github.com/modelcontextprotocol/python-sdk), [h11](https://github.com/python-hyper/h11) and [starlette](https://github.com/Kludex/starlette). Bumps the uv group with 2 updates in the /src/time directory: [h11](https://github.com/python-hyper/h11) and [starlette](https://github.com/Kludex/starlette). Updates `mcp` from 1.2.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `requests` from 2.32.3 to 2.32.4 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.3...v2.32.4) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.2 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `urllib3` from 2.2.3 to 2.6.3 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.2.3...2.6.3) Updates `mcp` from 1.2.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.2 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `mcp` from 1.2.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.2 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `mcp` from 1.1.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `mcp` from 1.1.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `mcp` from 1.1.0 to 1.23.0 - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.2.0...v1.23.0) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) Updates `h11` from 0.14.0 to 0.16.0 - [Commits](python-hyper/h11@v0.14.0...v0.16.0) Updates `starlette` from 0.41.3 to 0.49.1 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.41.2...0.49.1) --- updated-dependencies: - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: indirect dependency-group: uv - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: mcp dependency-version: 1.23.0 dependency-type: direct:production dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv - dependency-name: h11 dependency-version: 0.16.0 dependency-type: indirect dependency-group: uv - dependency-name: starlette dependency-version: 0.49.1 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jan 17, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the uv group across 3 directories with 5 updates #3224

Bump the uv group across 3 directories with 5 updates #3224

dependabot bot commented on behalf of github Jan 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Bump the uv group across 3 directories with 5 updates #3224

Are you sure you want to change the base?

Bump the uv group across 3 directories with 5 updates #3224

Conversation

dependabot bot commented on behalf of github Jan 17, 2026

v1.23.0

Summary

What's Changed

New Contributors

v1.22.0

What's Changed

New Contributors

v1.21.2

Hotfix Release

Related:

What's Changed

v2.32.4

2.32.4 (2025-06-10)

2.32.4 (2025-06-10)

Version 0.49.1

Fixed

Version 0.49.0

Added

Changed

New Contributors

Version 0.48.0

Added

Changed

New Contributors

0.49.1 (October 28, 2025)

Fixed

0.49.0 (October 28, 2025)

Added

Changed

0.48.0 (September 13, 2025)

Added

Changed

0.47.3 (August 24, 2025)

Fixed

0.47.2 (July 20, 2025)

Fixed

0.47.1 (June 21, 2025)

Fixed

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

Changes

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

2.6.3 (2026-01-07)

2.6.2 (2025-12-11)

2.6.1 (2025-12-08)

2.6.0 (2025-12-05)

Security

v1.23.0

Summary

What's Changed

New Contributors

v1.22.0

What's Changed

New Contributors

v1.21.2

Hotfix Release

Related:

What's Changed

Version 0.49.1

Fixed

Version 0.49.0

Added

Changed

New Contributors

Version 0.48.0

Added

Changed