Skip to content

v1.34.6 — Dependency security refresh (pip-audit clean)

Choose a tag to compare

@UPinar UPinar released this 02 Jul 19:07

Maintenance release rolling up dependency upgrades since v1.34.5. No HTTP
route, response schema, or MCP tool changes — purely a refreshed,
security-patched dependency stack. pip-audit now reports zero known
vulnerabilities
for the installed set.

Dependency upgrades (dependabot #55#58)

  • fastapi 0.138.0 → 0.138.1 (starlette stays pinned at 1.3.1)
  • mcp 1.28.0 → 1.28.1
  • click 8.4.1 → 8.4.2
  • phonenumbers 9.0.32 → 9.0.33

Transitive pins (new in requirements.txt)

These are pulled in by mcp/httpx/CacheControl and are invisible to
dependabot (not previously in the manifest); pinned explicitly to their
patched versions after a pip-audit sweep:

  • pyjwt == 2.13.0 — clears PYSEC-2026-175…179
  • pydantic-settings == 2.14.2 — clears GHSA-4xgf-cpjx-pc3j
  • idna == 3.15 — clears PYSEC-2026-215
  • msgpack == 1.2.1 — clears GHSA-6v7p-g79w-8964

Tests

  • Full suite green: 2602 passed; ruff clean; pip-audit: no known
    vulnerabilities.

Surface (unchanged)

  • 54 MCP tools, 7 Resources, 3 Prompts. No tool/schema/endpoint change.