chore(deps): bump fastmcp from 2.12.4 to 2.14.0

[dependabot]

Bumps fastmcp from 2.12.4 to 2.14.0.

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress
mcp = FastMCP("MyServer")
@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
await progress.set_total(100)
for epoch in range(100):
# ... training work ...
await progress.increment()
return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

• SEP-1686: Background tasks with progress tracking
• SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
• SEP-1330: Multi-select enum elicitation schemas
• SEP-1034: Default values for elicitation schemas
• SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.0.2: Threecovery Mode II

Two community-contributed fixes: auth headers from MCP transport no longer leak through to downstream OpenAPI APIs, and background task workers now correctly receive the originating request ID. Plus a new docs example for context-aware tool factories.

Fixes 🐞

• fix: prevent MCP transport auth header from leaking to downstream OpenAPI APIs by @​stakeswky in #3262
• fix: propagate origin_request_id to background task workers by @​gfortaine in #3175

Docs 📚

• Add v3.0.1 release notes by @​jlowin in #3259
• docs: add context-aware tool factory example by @​machov in #3264

Full Changelog: v3.0.1...v3.0.2

v3.0.1: Three-covery Mode

First patch after 3.0 — mostly smoothing out rough edges discovered in the wild. The big ones: middleware state that wasn't surviving the trip to tool handlers now does, Tool.from_tool() accepts callables again, OpenAPI schemas with circular references no longer crash discovery, and decorator overloads now return the correct types in function mode. Also adds verify_id_token to OIDCProxy for providers (like some Azure AD configs) that issue opaque access tokens but standard JWT id_tokens.

Enhancements 🔧

• Add verify_id_token option to OIDCProxy by @​jlowin in #3248

Fixes 🐞

• Fix v3.0.0 changelog compare link by @​jlowin in #3223
• Fix MDX parse error in upgrade guide prompts by @​jlowin in #3227
• Fix non-serializable state lost between middleware and tools by @​jlowin in #3234
• Accept callables in Tool.from_tool() by @​jlowin in #3235
• Preserve skill metadata through provider wrapping by @​jlowin in #3237
• Fix circular reference crash in OpenAPI schemas by @​jlowin in #3245
• Fix NameError with future annotations and Context/Depends parameters by @​jlowin in #3243
• Fix ty ignore syntax in OpenAPI provider by @​jlowin in #3253
• Use max_completion_tokens instead of deprecated max_tokens in OpenAI handler by @​jlowin in #3254
• Fix ty compatibility with upgraded deps by @​jlowin in #3257
• Fix decorator overload return types for function mode by @​jlowin in #3258

Docs 📚

• Sync README with welcome.mdx, fix install count by @​jlowin in #3224
• Document dict-to-Message prompt migration in upgrade guides by @​jlowin in #3225
• Fix v2 upgrade guide: remove incorrect v1 import advice by @​jlowin in #3226

... (truncated)

Commits

• 3d6fd46 chore: remove tests/test_examples.py (#2593)
• 03b62d2 feat: handle error from the initialize middleware (#2531)
• 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
• 855e01e chore: Update SDK documentation (#2588)
• d56f55a Add smart fallback for missing access token expiry (#2587)
• d35b867 chore: Update SDK documentation (#2517)
• 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
• 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
• 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
• 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Agent Server images for this PR

• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server

Variants & Base Images

Variant	Architectures	Base Image	Docs / Tags
java	amd64, arm64	eclipse-temurin:17-jdk	Link
python	amd64, arm64	nikolaik/python-nodejs:python3.12-nodejs22	Link
golang	amd64, arm64	golang:1.21-bookworm	Link

Pull (multi-arch manifest)

# Each variant is a multi-arch manifest supporting both amd64 and arm64
docker pull ghcr.io/openhands/agent-server:2a3e425-python

Run

docker run -it --rm \
  -p 8000:8000 \
  --name agent-server-2a3e425-python \
  ghcr.io/openhands/agent-server:2a3e425-python

All tags pushed for this build

ghcr.io/openhands/agent-server:2a3e425-golang-amd64
ghcr.io/openhands/agent-server:2a3e425-golang_tag_1.21-bookworm-amd64
ghcr.io/openhands/agent-server:2a3e425-golang-arm64
ghcr.io/openhands/agent-server:2a3e425-golang_tag_1.21-bookworm-arm64
ghcr.io/openhands/agent-server:2a3e425-java-amd64
ghcr.io/openhands/agent-server:2a3e425-eclipse-temurin_tag_17-jdk-amd64
ghcr.io/openhands/agent-server:2a3e425-java-arm64
ghcr.io/openhands/agent-server:2a3e425-eclipse-temurin_tag_17-jdk-arm64
ghcr.io/openhands/agent-server:2a3e425-python-amd64
ghcr.io/openhands/agent-server:2a3e425-nikolaik_s_python-nodejs_tag_python3.12-nodejs22-amd64
ghcr.io/openhands/agent-server:2a3e425-python-arm64
ghcr.io/openhands/agent-server:2a3e425-nikolaik_s_python-nodejs_tag_python3.12-nodejs22-arm64
ghcr.io/openhands/agent-server:2a3e425-golang
ghcr.io/openhands/agent-server:2a3e425-java
ghcr.io/openhands/agent-server:2a3e425-python

About Multi-Architecture Support

• Each variant tag (e.g., 2a3e425-python) is a multi-arch manifest supporting both amd64 and arm64
• Docker automatically pulls the correct architecture for your platform
• Individual architecture tags (e.g., 2a3e425-python-amd64) are also available if needed

[github-actions]

API breakage checks (Griffe)

Result: Failed

Log excerpt (first 1000 characters)

============================================================
Checking openhands-sdk (openhands.sdk)
============================================================
Comparing openhands-sdk 1.11.5 against 1.11.4
::notice title=openhands-sdk API::Ignoring Field metadata-only change (non-breaking): load_public_skills
::notice title=openhands-sdk API::Ignoring Field metadata-only change (non-breaking): temperature
::warning file=openhands-sdk/openhands/sdk/llm/llm.py,line=196,title=LLM.top_p::Attribute value was changed: `Field(default=1.0, ge=0, le=1)` -> `Field(default=None, ge=0, le=1, description='Nucleus sampling parameter. Defaults to None (uses provider default). Set to a value between 0 and 1 to control diversity of outputs.')`
::error title=SemVer::Breaking changes detected (1); require at least minor version bump from 1.11.x, but new is 1.11.5

============================================================
Checking openhands-workspace (openhands.workspace)
============================

Action log

[github-actions]

Agent server REST API breakage checks (OpenAPI)

Result: Passed

Action log

[all-hands-bot]

⚠️ Eval Risk - Human Review Required

This dependency update updates MCP-related dependencies that could affect agent behavior. Per repo guidelines, flagging for lightweight eval testing before merge.

Key Concerns

🟠 Breaking Changes in fastmcp 2.14.0

• Removes deprecated APIs: BearerAuthProvider, Context.get_http_request(), dependencies parameter
• Quick grep shows we don't use these, but verify no import breakages
• Release notes: https://github.com/PrefectHQ/fastmcp/releases/tag/v2.14.0

🟠 MCP Spec Update (1.23.0 → 1.26.0)

• Adopts MCP 2025-11-25 specification
• Since we use MCP for agent tool integration (openhands/sdk/mcp/), changes could affect:
  • Tool discovery/execution behavior
  • Prompt handling
  • Resource management
• Recommendation: Run basic agent tests with MCP tools to catch behavior changes

🟡 Dependency Expansion

• Adds 15+ new transitive dependencies: redis, pydocket, keyring, beartype, croniter, fakeredis, lupa, etc.
• Driven by new background task support (powered by Docket)
• Consider impact on build time, deployment size, and security surface area
• If background tasks aren't needed, check if fastmcp has lighter install options

Verdict

✋ Do not merge without testing - Run lightweight evals to verify MCP tool behavior is unchanged.

[aivong-openhands]

@OpenHands verify no import breakages

[openhands-ai]

I'm on it! aivong-openhands can track my progress at all-hands.dev

[github-actions]

Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	20092	5438	72%

report-only-changed-files is enabled. No files were changed during this commit :)

[openhands-ai]

Summary

I verified that the fastmcp upgrade from 2.12.4 to 2.14.0 (PR #2266) introduces no import breakages.

Verification Performed:

1. Import Testing - All 3 fastmcp imports used in the codebase work correctly:

   • from fastmcp import Client as AsyncMCPClient ✓
   • from fastmcp.client.logging import LogMessage ✓
   • from fastmcp.mcp_config import MCPConfig ✓

2. Test Suite - Ran 193 MCP and skill-related tests, all passed ✓

3. Pre-commit Checks - Ruff, Pyright, and all code quality checks pass ✓

Note:

There are 10 deprecation warnings about streamable_http_client being the preferred API going forward, but these are non-blocking and don't affect functionality.

Conclusion: The upgrade is safe to merge. No code changes were needed or made - this was purely a verification task.

[aivong-openhands]

@OpenHands check if background tasks are needed. Also check if fastmcp has lighter install options

[openhands-ai]

I'm on it! aivong-openhands can track my progress at all-hands.dev

[openhands-ai]

Summary

I investigated two questions about the fastmcp upgrade from 2.12.4 to 2.14.0:

1. Are background tasks needed?

No. Our codebase only uses these fastmcp components:

• Client (AsyncMCPClient) - for MCP client connections
• MCPConfig - for configuration parsing
• LogMessage - for logging
• FastMCP and get_context - only in tests

We do not use any background task features (task=True, Progress, CurrentDocket, etc.).

2. Does fastmcp have lighter install options?

Not in v2.14.0. The pydocket background task library is a core dependency in v2.14.0:

dependencies = [
    ...
    "pydocket>=0.15.2",  # Required, not optional
    ...
]

The only optional extra in 2.14.0 is [openai].

However, in fastmcp 3.x, pydocket was moved to an optional [tasks] extra, making lighter installs possible there.

Recommendation

The PR is safe to merge:

• ✅ All our imports work correctly
• ✅ We don't use deprecated APIs removed in 2.14.0
• ✅ Tests pass

If install size becomes a concern, the options are to wait for fastmcp 3.x (which has optional [tasks]) or request a backport of this feature to a 2.14.x patch release.

---

No code changes were made - this was an investigation-only task.

[aivong-openhands]

On my local openhands repo, I pointed https://github.com/OpenHands/OpenHands/blob/main/openhands/app_server/sandbox/sandbox_spec_service.py#L16 to the python arm64 agent server image built in this PR https://github.com/OpenHands/software-agent-sdk/actions/runs/22626406879/job/65564124817?pr=2266.

I set up deepwiki as an MCP server and invoked it in a conversation: