Bump fastmcp from 3.1.1 to 3.3.1 in /mcp-demo-server #51

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/mcp-demo-server/fastmcp-3.3.1

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps fastmcp from 3.1.1 to 3.3.1.

Release notes

Sourced from fastmcp's releases.

v3.3.1: Loop There It Is

FastMCP 3.3.1 is a hotfix for the 3.3 packaging split. Clean installs of 3.3.0 could fail on standalone component imports like from fastmcp.tools import tool because component modules reached auth and task primitives through fastmcp.server, pulling in the server/provider stack and exposing a circular import.

Component-level auth and task primitives now live in lightweight utility modules, with the old server import paths preserved as compatibility re-exports. Component imports stay lightweight, existing server-facing imports continue to work, and the release also includes small docs corrections from the 3.3 rollout.

What's Changed

Fixes 🐞

Full Changelog: PrefectHQ/fastmcp@v3.3.0...v3.3.1

v3.3.0: Slim Reaper

FastMCP 3.3 ships fastmcp-slim, a new lightweight distribution that separates the client from the server stack. It also closes out a meaningful backlog of security hardening, observability improvements, and auth additions that accumulated through the 3.2 cycle.

fastmcp-slim

The full FastMCP package pulls in Starlette, Uvicorn, and the rest of the server machinery — necessary for running a server, but wasteful if you're writing a client, a script, or an agent that just needs to talk to MCP. fastmcp-slim is a dependency-light distribution that ships the client and transport layer without any of that.

The import namespace is unchanged:

from fastmcp import Client

async with Client("https://example.com/mcp") as client:
    result = await client.call_tool("my_tool", {"arg": "value"})

Install fastmcp-slim[client] anywhere you want FastMCP's client without the server footprint — CI environments, lightweight agents, library dependencies that shouldn't force Uvicorn on downstream users.

Security

The OAuth proxy received three hardening upgrades. Silent consent is now guarded against AS-in-the-middle attacks — a malicious authorization server can no longer silently approve a consent it wasn't meant to handle. Redirect URI allowlist matching now rejects dot-segment paths (/../, /./) that could otherwise bypass prefix checks. And ResponseCachingMiddleware partitions its cache by access token, closing a gap where different users could see each other's cached responses.

Auth

AzureB2CProvider adds first-class support for Azure AD B2C user flows. The OCI provider is fixed for 3.x installs. And OAuthProxy gains a public update_scopes() API for updating the proxy's required scopes after initialization — useful for servers that determine scope requirements at runtime.

Observability

OTEL instrumentation is now fully compliant with MCP semantic conventions. List operations (list_tools, list_resources, list_prompts, list_resource_templates) are instrumented, and delegate spans on proxy servers are enriched with backend attributes.

Thread Affinity

Sync tools run in a thread pool by default. If your tool holds thread-local state or is bound to a specific thread (UI frameworks, some database drivers), you can now opt out:

... (truncated)

Commits
  • d8dcc27 Decouple component imports from server (#4150)
  • 255e3e4 fix(docs): use valid FA icon on client-only package page (#4139)
  • 73df4dc chore: Update SDK documentation (#4096)
  • ee48a0f Refine fastmcp-slim packaging (#4125)
  • bb4894d Add fastmcp-slim for client-only installs (#4122)
  • 8209093 fix(http): terminate active streamable-HTTP transports before lifespan shutdo...
  • cf59a45 Fix OCI Provider issue in 3.x version. Add OCI auth provider example … (#4116)
  • 89b99ec fix(proxy): fall back to live identifier for backend_* span attributes (#4109)
  • 310314c fix: cli option --no-banner is NOT passed to cli but server-spec in-correctly...
  • 28722f8 fix: drop exc_info for expected tool failures, remove unreachable ValidationE...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by cubic

Upgrade fastmcp to 3.3.1 in mcp-demo-server to pick up 3.3 security hardening, auth/OTEL improvements, and the 3.3.1 hotfix for component import loops. Keeps the demo server current and avoids circular import errors on clean installs.

Written for commit d22f2d4. Summary will update on new commits. Review in cubic

Greptile Summary

This PR bumps fastmcp from 3.1.1 to 3.3.1 in mcp-demo-server/requirements.txt. The Dockerfile installs dependencies directly from this file, so no other changes are required.

  • The server uses only stable core APIs (FastMCP, @mcp.tool(), mcp.run()), none of which have breaking changes in the 3.2–3.3 range.
  • The 3.3.x line adds fastmcp-slim, OAuth security hardening, OTEL improvements, and a hotfix for a circular-import issue on standalone component imports — none of these affect this server's usage pattern.

Confidence Score: 5/5

Straightforward dependency bump with no breaking API changes for this server's usage.

The change touches one line in one file. The server's use of FastMCP is limited to FastMCP(), @mcp.tool(), and mcp.run(transport='streamable-http') — all stable interfaces. The 3.3.1 hotfix specifically resolves a circular-import regression from 3.3.0, making this a safer target than 3.3.0 alone. No API removals or behavioral changes affect this codebase.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| mcp-demo-server/requirements.txt | Single-line bump of fastmcp from 3.1.1 to 3.3.1; Dockerfile already installs from this file so no additional changes needed. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[requirements.txt\nfastmcp==3.1.1] -->|bump| B[requirements.txt\nfastmcp==3.3.1]
    B --> C[Dockerfile\npip install -r requirements.txt]
    C --> D[main.py\nFastMCP server]
    D --> E[Tools exposed via\nstreamable-http transport]

Reviews (1): Last reviewed commit: "Bump fastmcp from 3.1.1 to 3.3.1 in /mcp..." | Re-trigger Greptile
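
The dot-segment bypass of a redirect URI prefix check mentioned in the Security notes above, shown as an added example that is not fastmcp's code and not part of this PR: a plain `startswith` allowlist beside a matcher that refuses `/../` and `/./`. The allowlist entry, sample URIs and function names are constructed for illustration, and rejecting percent-encoded dot segments goes beyond what the release notes state.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample allowlist entry (not taken from the PR or from fastmcp).
ALLOWED_PREFIXES = ["https://app.example.com/callback/"]


def naive_prefix_match(redirect_uri, allowed=ALLOWED_PREFIXES):
    """Weak form: raw string prefix test with no look at the path segments."""
    return any(redirect_uri.startswith(prefix) for prefix in allowed)


def has_dot_segment(path):
    """True if any segment is '.' or '..', also when percent-encoded."""
    previous = None
    while previous != path:  # decode until stable so %252e cannot hide a dot
        previous, path = path, unquote(path)
    return any(seg in (".", "..") for seg in path.replace("\\", "/").split("/"))


def strict_prefix_match(redirect_uri, allowed=ALLOWED_PREFIXES):
    """Hardened form: refuse dot segments, then compare origin and path prefix."""
    uri = urlsplit(redirect_uri)
    if has_dot_segment(uri.path):
        return False
    for prefix in allowed:
        rule = urlsplit(prefix)
        same_origin = (uri.scheme, uri.netloc.lower()) == (rule.scheme, rule.netloc.lower())
        if same_origin and uri.path.startswith(rule.path):
            return True
    return False


# Constructed sample redirect URIs.
SAMPLES = [
    "https://app.example.com/callback/done",
    "https://app.example.com/callback/../other",
    "https://app.example.com/callback/./done",
    "https://app.example.com/callback/%2e%2e/other",
    "https://other.example.net/callback/done",
]


def compare(samples=SAMPLES):
    """Return (uri, naive_result, strict_result) for each sample."""
    return [(u, naive_prefix_match(u), strict_prefix_match(u)) for u in samples]


if __name__ == "__main__":
    for uri, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5} {uri}")
```

Rows where the naive result is True and the strict result is False are the URIs a prefix-only allowlist would accept even though their resolved path leaves the allowed directory.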

Bumps [fastmcp](https://github.com/PrefectHQ/fastmcp) from 3.1.1 to 3.3.1.
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.1.1...v3.3.1)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and python labels May 22, 2026
@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
