chore(deps): Bump the dependencies group with 4 updates #123

Open
dependabot[bot] wants to merge 1 commit into phase1 from dependabot/uv/dependencies-29e3268a0b

dependabot[bot] commented on behalf of github on Jun 12, 2026

Bumps the dependencies group with 4 updates: fastmcp, hypothesis, ruff and ty.

Updates fastmcp from 3.3.1 to 3.4.1

Release notes

Sourced from fastmcp's releases.

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

Security 🔒

Docs 📚

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.

fastmcp-remote

Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through fastmcp run, but that pulls in the full server-runner surface. fastmcp-remote is the small, single-purpose version: one URL in, one local stdio proxy out.

{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}

OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — Client, OAuth, create_proxy, and stdio — and credits the original npm mcp-remote project for the command shape.

Bridges That Fail Loudly

Proxies are lazy bridges: they don't touch the upstream server during construction, but they do forward real MCP requests once a client connects. As of 3.4, initialize is part of that forwarded surface — so a proxy only reports a successful handshake after the upstream server initializes too. A missing backend, a wrong URL (the server root instead of /mcp), denied upstream auth, or a non-MCP upstream now fails the downstream initialize instead of producing a "connected" proxy whose capability fetches quietly come back empty. The proxy also forwards ping upstream now.

This is an intentional behavior change from 3.3, and the reason bridge callers like fastmcp-remote surface real upstream failures instead of degrading into empty tool lists.

Auth That Survives Idle Time

Remote sessions sit idle, and short-lived upstream tokens punish that. fastmcp_access_token_expiry_seconds decouples the FastMCP-issued token's lifetime from the upstream expires_in — the FastMCP token is just a reference into proxy storage, re-validated and transparently refreshed on every request, so it can safely outlive a 5-minute upstream token without forcing a full OAuth flow after every idle period. When the upstream issues no refresh token, the lifetime is capped to match.

from fastmcp.server.auth.providers.github import GitHubProvider
auth = GitHubProvider(

... (truncated)

Changelog

Sourced from fastmcp's changelog.



v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710, which was previously only constrained transitively through mcp. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

Enhancements ✨

  • Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in #4276

Security 🔒

Docs 📚

  • Document --notes-start-tag in release instructions by @​jlowin in #4275

Full Changelog: v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, the proxy layer those connections depend on is hardened: a proxy now forwards initialize upstream and fails loudly when the backend is missing or misconfigured, instead of reporting a connected-but-empty proxy. And FastMCP-issued access tokens can now outlive short-lived upstream tokens, so authenticated sessions survive the long idle periods remote clients are prone to.

New Features 🎉

Breaking Changes ⚠️

Enhancements ✨

Security 🔒

  • feat(code-mode): default sandbox limits and per-execution tool-call cap by @​strawgate in #4170
  • Security: Fix 3 findings in GitHub Actions workflows by @​jpr5 in #4183

... (truncated)

Commits

Updates hypothesis from 6.155.1 to 6.155.2

Commits
  • fcc26c4 Bump hypothesis version to 6.155.2 and update changelog
  • 13cdd0b Merge pull request #4760 from Zac-HD/datetime-symbolic-4759
  • e48846d format
  • b4152ea rewrite comments and improve test
  • 6b18db3 fixed flake
  • eb7d53a Update pinned dependencies
  • 1bbeb59 Fix update_pyodide_versions for relocated xbuildenv metadata
  • 552a461 Make date/time drawing symbolic-execution friendly
  • 2c6dfdb Merge pull request #4758 from bsluther/docs-fix-assume-condition
  • 1416fe1 Fix assume condition in adapting-strategies.rst
  • See full diff in compare view

Updates ruff from 0.15.15 to 0.15.16

Release notes

Sourced from ruff's releases.

0.15.16

Release Notes

Released on 2026-06-04.

Preview features

  • [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
  • [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
  • [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

  • [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
  • [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
  • [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
  • [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
  • [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

  • [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

  • Drop excess capacity from statement suites during parsing (#25368)

Documentation

  • [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
  • [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
  • Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

  • Shrink additional parser AST collections (#25465)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.16

Released on 2026-06-04.

Preview features

  • [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
  • [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
  • [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

  • [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
  • [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
  • [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
  • [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
  • [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

  • [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

  • Drop excess capacity from statement suites during parsing (#25368)

Documentation

  • [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
  • [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
  • Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

  • Shrink additional parser AST collections (#25465)

Contributors

Commits

Updates ty from 0.0.42 to 0.0.44

Release notes

Sourced from ty's releases.

0.0.44

Release Notes

Released on 2026-06-04.

Bug fixes

  • Avoid treating sys.implementation.version like sys.version_info (#25608)
  • Fix anchor point for override diagnostics (#25621)

LSP server

  • Show type alias value on hover (#25381)

Performance

  • Add caching for pattern match narrowing (#25613)
  • Compact retained definition and expression identities (#25606)
  • Reuse expression cache for TypedDict union inference (#25643)
  • Upgrade Salsa (#25545)

Core type checking

  • Enable narrowing for unions of TypedDict (#25188)

Contributors

Install ty 0.0.44

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.44/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.44/ty-installer.ps1 | iex"

Download ty 0.0.44

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.44

Released on 2026-06-04.

Bug fixes

  • Avoid treating sys.implementation.version like sys.version_info (#25608)
  • Fix anchor point for override diagnostics (#25621)

LSP server

  • Show type alias value on hover (#25381)

Performance

  • Add caching for pattern match narrowing (#25613)
  • Compact retained definition and expression identities (#25606)
  • Reuse expression cache for TypedDict union inference (#25643)
  • Upgrade Salsa (#25545)

Core type checking

  • Enable narrowing for unions of TypedDict (#25188)

Contributors

0.0.43

Released on 2026-06-03.

Bug fixes

  • Don't inject Unknown from non-callable elements of intersection call (#25538)
  • Don't needlessly disambiguate the same type alias (#25563)
  • Fix variance inference for nested type aliases (#25567)
  • Ignore rejected member annotations for synthesized bindings (#25427)
  • Normalize dynamic class literals in cycle recovery (#25558)
  • Register file roots for first-party search paths (#25522)
  • Treat union-bound typevars like unions for possibly-missing-attribute (#25561)

LSP server

  • Suppress importable completions that are already in scope (#25479)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 4 updates: [fastmcp](https://github.com/PrefectHQ/fastmcp), [hypothesis](https://github.com/HypothesisWorks/hypothesis), [ruff](https://github.com/astral-sh/ruff) and [ty](https://github.com/astral-sh/ty).


Updates `fastmcp` from 3.3.1 to 3.4.1
- [Release notes](https://github.com/PrefectHQ/fastmcp/releases)
- [Changelog](https://github.com/PrefectHQ/fastmcp/blob/main/docs/changelog.mdx)
- [Commits](PrefectHQ/fastmcp@v3.3.1...v3.4.1)

Updates `hypothesis` from 6.155.1 to 6.155.2
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@v6.155.1...v6.155.2)

Updates `ruff` from 0.15.15 to 0.15.16
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.15...0.15.16)

Updates `ty` from 0.0.42 to 0.0.44
- [Release notes](https://github.com/astral-sh/ty/releases)
- [Changelog](https://github.com/astral-sh/ty/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ty@0.0.42...0.0.44)

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: hypothesis
  dependency-version: 6.155.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: ruff
  dependency-version: 0.15.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: ty
  dependency-version: 0.0.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on Jun 12, 2026