chore(deps): bump fastmcp from 2.12.0 to 3.4.2 in /sdk

[dependabot]

Bumps fastmcp from 2.12.0 to 3.4.2.

Release notes

Sourced from fastmcp's releases.

v3.4.2: Heads Up

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞

• Allow private JWT headers by @​jlowin in PrefectHQ/fastmcp#4290

Docs 📚

• Docs: add v3.4.1 changelog entries by @​jlowin in PrefectHQ/fastmcp#4289

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

• Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in PrefectHQ/fastmcp#4276

Security 🔒

• Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by @​jlowin in PrefectHQ/fastmcp#4286

Docs 📚

• Document --notes-start-tag in release instructions by @​jlowin in PrefectHQ/fastmcp#4275

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.

fastmcp-remote

Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through fastmcp run, but that pulls in the full server-runner surface. fastmcp-remote is the small, single-purpose version: one URL in, one local stdio proxy out.

{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}

OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — Client, OAuth, create_proxy, and stdio — and credits the original npm mcp-remote project for the command shape.

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710, which was previously only constrained transitively through mcp. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

Enhancements ✨

• Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in #4276

Security 🔒

• Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by @​jlowin in #4286

Docs 📚

• Document --notes-start-tag in release instructions by @​jlowin in #4275

Full Changelog: v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, the proxy layer those connections depend on is hardened: a proxy now forwards initialize upstream and fails loudly when the backend is missing or misconfigured, instead of reporting a connected-but-empty proxy. And FastMCP-issued access tokens can now outlive short-lived upstream tokens, so authenticated sessions survive the long idle periods remote clients are prone to.

New Features 🎉

• Add fastmcp-remote bridge package by @​jlowin in #4208

Breaking Changes ⚠️

• Forward proxy initialize as bridge behavior by @​jlowin in #4228

Enhancements ✨

• ci: require external PRs to link a tracked issue by @​strawgate in #4173
• feat: new options --host and --no-log-panel | --log-panel to cli dev apps by @​itaru2622 in #4123
• Add valid_scopes and extra_authorize_params to WorkOSProvider by @​tiagoskaneta in #4135
• Add token_expiry_threshold_seconds for proactive token refresh by @​mohankumarelec in #4142
• Add review-issue skill for triaging gated external contributions by @​jlowin in #4212
• Add contract gate to review-issue skill by @​jlowin in #4214
• Let ToolResult return an error result via is_error by @​jlowin in #4217
• Update published docs after PyPI release by @​jlowin in #4211
• Allow pre-bound HTTP sockets by @​jlowin in #4222
• Add targeted coverage tests by @​strawgate in #4230
• Upgrade ty to 0.0.39 by @​jlowin in #4225
• Decouple FastMCP access token lifetime from upstream expires_in by @​jlowin in #4254

Security 🔒

• feat(code-mode): default sandbox limits and per-execution tool-call cap by @​strawgate in #4170
• Security: Fix 3 findings in GitHub Actions workflows by @​jpr5 in #4183

... (truncated)

Commits

• 3b8538e Allow private JWT headers (#4290)
• 0445c31 chore: Update SDK documentation (#4223)
• 9261793 Docs: add v3.4.1 changelog entries (#4289)
• e1b52d0 Add explicit starlette>=1.0.1 floor (CVE-2026-48710) (#4286)
• e58f386 Log refresh-token misses in OAuthProxy instead of failing silently (#4276)
• 3f09c68 Document --notes-start-tag requirement in release instructions (#4275)
• e124bde Fix MDX syntax error in changelog (#4270)
• dae11bb Backfill changelog and updates through v3.4.0 (#4269)
• 0f4f78c Fix resource templates with query params on proxied servers (#4251)
• 1a06130 Fix GitHub MCP resource integration test (#4253)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.