chore(deps): bump fastmcp from 2.13.0 to 2.14.5

[dependabot]

Bumps fastmcp from 2.13.0 to 2.14.5.

Release notes

Sourced from fastmcp's releases.

v2.14.5: Sealed Docket

Fixes a memory leak in the memory:// docket broker where cancelled tasks accumulated instead of being cleaned up. Bumps pydocket to ≥0.17.2.

What's Changed

Enhancements 🔧

• Bump pydocket to 0.17.2 (memory leak fix) by @​chrisguidry in jlowin/fastmcp#2992

Docs 📚

• Add release notes for v2.14.4 and v2.14.5 by @​jlowin in jlowin/fastmcp#3063

Full Changelog: jlowin/fastmcp@v2.14.4...v2.14.5

v2.14.4: Package Deal

This patch release fixes a fresh install bug where the packaging library was previously installed as a transitive dependency but is no longer—causing an import error on fresh installs without dev dependencies. Also includes a pydocket version pin to avoid Redis connection noise in tests, plus backports from 3.x for $ref dereferencing in tool schemas and the task capabilities location fix.

What's Changed

Enhancements 🔧

• Add release notes for v2.14.2 and v2.14.3 by @​jlowin in jlowin/fastmcp#2851

Fixes 🐞

• Backport: Dereference $ref in tool schemas for MCP client compatibility by @​jlowin in jlowin/fastmcp#2861
• Fix task capabilities location (issue #2870) by @​jlowin in jlowin/fastmcp#2874
• Add missing packaging dependency by @​jlowin in jlowin/fastmcp#2989

Full Changelog: jlowin/fastmcp@v2.14.3...v2.14.4

v2.14.3: Time After Timeout

This patch release fixes an HTTP transport timeout bug where connections were defaulting to 5 seconds instead of respecting MCP's 30-second default, causing premature timeouts for slower operations. Also includes OAuth token storage fixes, Redis key isolation for ACL compliance, and improved ContextVar propagation for ASGI-mounted servers. Plus, the CLI will now nudge you when updates are available (you're welcome, future you).

What's Changed

Enhancements 🔧

• Add debug logging for OAuth token expiry diagnostics by @​jlowin in jlowin/fastmcp#2789
• Add CLI update notifications by @​jlowin in jlowin/fastmcp#2839
• Use pip instead of uv pip in upgrade instructions by @​jlowin in jlowin/fastmcp#2841

Fixes 🐞

• Backport OAuth token storage TTL fix to release/2.x by @​jlowin in jlowin/fastmcp#2798
• Prefix Redis keys with docket name for ACL isolation (2.x backport) by @​chrisguidry in jlowin/fastmcp#2812
• Fix ContextVar propagation for ASGI-mounted servers with tasks by @​chrisguidry in jlowin/fastmcp#2843
• Fix HTTP transport timeout defaulting to 5 seconds by @​jlowin in jlowin/fastmcp#2848

Full Changelog: jlowin/fastmcp@v2.14.2...v2.14.3

v2.14.2: Port Authority

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true

v3.0.0rc1: RC-ing is Believing

FastMCP 3 RC1 means we believe the API is stable. Beta 2 drew a wave of real-world adoption — production deployments, migration reports, integration testing — and the feedback overwhelmingly confirmed that the architecture works. This release closes gaps that surfaced under load: auth flows that needed to be async, background tasks that needed reliable notification delivery, and APIs still carrying beta-era naming. If nothing unexpected surfaces, this is what 3.0.0 looks like.

🚨 Breaking Changes — The ui= parameter is now app= with a unified AppConfig class (matching the feature's actual name), and 16 FastMCP() constructor kwargs have finally been removed. If you've been ignoring months of deprecation warnings, you'll get a TypeError with specific migration instructions.

🔐 Auth Improvements — Three changes that together round out FastMCP's auth story for production. auth= checks can now be async, so you can hit databases or external services during authorization — previously, passing an async function silently passed because the unawaited coroutine was truthy. Static Client Registration lets clients provide a pre-registered client_id/client_secret directly, bypassing DCR for servers that don't support it. And Azure OBO flows are now declarative via dependency injection:

from fastmcp.server.auth.providers.azure import EntraOBOToken
@​mcp.tool()
async def get_emails(
graph_token: str = EntraOBOToken(["https://graph.microsoft.com/Mail.Read"]),
):
# OBO exchange already happened — just use the token
...

⚡ Concurrent Sampling — When an LLM returns multiple tool calls in a single response, context.sample() can now execute them in parallel. Opt in with tool_concurrency=0 for unlimited parallelism, or set a bound. Tools that aren't safe to parallelize can declare sequential=True.

📡 Background Task Notifications — Background tasks now reliably push progress updates and elicit user input through the standard MCP protocol. A distributed Redis queue replaces polling (7,200 round-trips/hour → one blocking call), and ctx.elicit() in background tasks automatically relays through the client's standard elicitation_handler.

✅ OpenAPI Output Validation — When backends don't conform to their own OpenAPI schemas, the MCP SDK rejects the response and the tool fails. validate_output=False disables strict schema checking while still passing structured JSON to clients — a necessary escape hatch for imperfect APIs.

What's Changed

Enhancements 🔧

• generate-cli: auto-generate SKILL.md agent skill by @​jlowin in #3115
• Scope Martian triage to bug-labeled issues for jlowin by @​jlowin in #3124
• Add Azure OBO dependencies, auth token injection, and documentation by @​jlowin in #2918
• feat: add Static Client Registration (#3085) by @​martimfasantos in #3086
• Add concurrent tool execution with sequential flag by @​strawgate in #3022
• Add validate_output option for OpenAPI tools by @​jlowin in #3134
• Relay task elicitation through standard MCP protocol by @​chrisguidry in #3136
• Bump py-key-value-aio to >=0.4.0,<0.5.0 by @​strawgate in #3143
• Support async auth checks by @​jlowin in #3152
• Make $ref dereferencing optional via FastMCP(dereference_refs=...) by @​jlowin in #3151
• Expose local_provider property, deprecate FastMCP.remove_tool() by @​jlowin in #3155
• Add helpers for converting FunctionTool and TransformedTool to SamplingTool by @​strawgate in #3062
• Updates to github actions / workflows for claude by @​strawgate in #3157

Fixes 🐞

• Updated deprecation URL for V3 by @​SrzStephen in #3108

... (truncated)

Commits

• 21221b4 Add release notes for v2.14.4 and v2.14.5 (#3063)
• 7d32409 Merge pull request #2992 from jlowin/pydocket-github-validation
• 65d6f06 Bump pydocket to >=0.17.2
• 5f68078 Bump pydocket to >=0.17.2b3
• 0afa029 Make read_resource test flexible for MCP version differences
• 7ad97d9 Update test snapshot for MCP 1.26.0 serialization change
• cd0274c Bump pydocket to >=0.17.2b2
• f1a89eb Bump pydocket to >=0.17.2b1
• c9ed36e Point to fix-cancellation-handling branch
• 8cec853 Point to fix-redis-connection-guards branch
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)