v1.34.6 — Dependency security refresh (pip-audit clean)
Maintenance release rolling up dependency upgrades since v1.34.5. No HTTP
route, response schema, or MCP tool changes — purely a refreshed,
security-patched dependency stack. pip-audit now reports zero known
vulnerabilities for the installed set.
Dependency upgrades (dependabot #55–#58)
- fastapi 0.138.0 → 0.138.1 (starlette stays pinned at 1.3.1)
- mcp 1.28.0 → 1.28.1
- click 8.4.1 → 8.4.2
- phonenumbers 9.0.32 → 9.0.33
Transitive pins (new in requirements.txt)
These are pulled in by mcp/httpx/CacheControl and are invisible to
dependabot (not previously in the manifest); pinned explicitly to their
patched versions after a pip-audit sweep:
- pyjwt == 2.13.0 — clears PYSEC-2026-175…179
- pydantic-settings == 2.14.2 — clears GHSA-4xgf-cpjx-pc3j
- idna == 3.15 — clears PYSEC-2026-215
- msgpack == 1.2.1 — clears GHSA-6v7p-g79w-8964
Tests
- Full suite green: 2602 passed; ruff clean;
pip-audit: no known
vulnerabilities.
Surface (unchanged)
- 54 MCP tools, 7 Resources, 3 Prompts. No tool/schema/endpoint change.