deps: bump the production-dependencies group with 2 updates

[dependabot]

Bumps the production-dependencies group with 2 updates: fastmcp and graphql-core.

Updates fastmcp from 3.3.1 to 3.4.2

Release notes

Sourced from fastmcp's releases.

v3.4.2: Heads Up

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞

• Allow private JWT headers by @​jlowin in PrefectHQ/fastmcp#4290

Docs 📚

• Docs: add v3.4.1 changelog entries by @​jlowin in PrefectHQ/fastmcp#4289

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

• Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in PrefectHQ/fastmcp#4276

Security 🔒

• Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by @​jlowin in PrefectHQ/fastmcp#4286

Docs 📚

• Document --notes-start-tag in release instructions by @​jlowin in PrefectHQ/fastmcp#4275

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.

fastmcp-remote

Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through fastmcp run, but that pulls in the full server-runner surface. fastmcp-remote is the small, single-purpose version: one URL in, one local stdio proxy out.

{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}

OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — Client, OAuth, create_proxy, and stdio — and credits the original npm mcp-remote project for the command shape.

... (truncated)

Commits

• 3b8538e Allow private JWT headers (#4290)
• 0445c31 chore: Update SDK documentation (#4223)
• 9261793 Docs: add v3.4.1 changelog entries (#4289)
• e1b52d0 Add explicit starlette>=1.0.1 floor (CVE-2026-48710) (#4286)
• e58f386 Log refresh-token misses in OAuthProxy instead of failing silently (#4276)
• 3f09c68 Document --notes-start-tag requirement in release instructions (#4275)
• e124bde Fix MDX syntax error in changelog (#4270)
• dae11bb Backfill changelog and updates through v3.4.0 (#4269)
• 0f4f78c Fix resource templates with query params on proxied servers (#4251)
• 1a06130 Fix GitHub MCP resource integration test (#4253)
• Additional commits viewable in compare view

Updates graphql-core from 3.2.8 to 3.2.11

Release notes

Sourced from graphql-core's releases.

v3.2.11

Patch-release GraphQL-core v3.2.11, based on GraphQL.js v16.14.1.

This patch-release supports Python 3.7 to 3.14.

Notable changes:

• Allow configuration of the ofType introspection depth
• Add support for directives on directive definitions
• Restore variable own-property checks in value_from_ast
• Remove unused variable-definition tracking in ValuesOfCorrectTypeRule

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.10

Patch-release GraphQL-core v3.2.10, based on GraphQL.js v16.13.0.

This patch-release supports Python 3.7 to 3.14.

New features:

• Add support for schema coordinates (parsing and resolving)
• Support descriptions on executable definitions (e.g. variable definitions)
• Add a max_coercion_errors option

Bug fixes:

• Fix incorrect validation errors when variable descriptions are used
• Don't add sibling errors after null propagation has occurred
• Remove erroneous oneOf validation from the "values of correct type" rule
• Validate that nullable variables aren't passed to oneOf input object fields (per spec)
• Catch unhandled exceptions during abstract type resolution

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.9

Patch-release GraphQL-core v3.2.9, based on GraphQL.js v16.10.0.

This patch-release supports Python 3.7 to 3.14.

Notable changes:

• Fix OverlappingFieldsCanBeMergedRule to catch field-merge conflicts hidden behind nested fragments
• Fix handling of empty selection sets
• Correctly type extensions in GraphQLFormattedError
• Add kind to the introspection query/mutation/subscription root types
• Expose token_count on DocumentNode
• Preserve schema and input-field properties (e.g. descriptions) when sorting

Thanks to @​kathychurch and @​arichberg for reporting the sorting issue.

... (truncated)

Commits

• d5a5464 Bump version
• 6d7c4dd docs: fix inline examples, deprecation descriptions, type category
• 456fa2c Allow configuration of the ofType introspection depth
• 672281d Add support for directives on directive definitions
• 1922ab7 Restore variable own-property checks in valueFromAST
• 0ccc1a5 Use Object.create(null) to avoid prototype issues
• 12bcb49 Bump version
• 4070240 Incorrect validation errors when variable descriptions are used
• 66adfb4 Sibling errors should not be added after propagation
• 20de4b0 Schema coordinates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.