Commit e2e3693
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&size=40){kind=avatar}
chore: bump fastmcp from 2.8.0 to 2.13.1 in /services/mcp-server (#163)
Bumps [fastmcp](https://github.com/jlowin/fastmcp) from 2.8.0 to 2.13.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jlowin/fastmcp/releases">fastmcp's
releases</a>.</em></p>
<blockquote>
<h2>v2.13.0: Cache Me If You Can</h2>
<p>FastMCP 2.13.0 <strong>"Cache Me If You Can"</strong>
represents a fundamental maturation of the framework. After months of
community feedback on authentication and state management, this release
delivers the infrastructure FastMCP needs to handle production
workloads: persistent storage, response caching, and pragmatic OAuth
improvements that reflect real-world deployment challenges.</p>
<p>💾 <strong>Pluggable storage backends</strong> bring persistent state
to FastMCP servers. Built on <a
href="https://github.com/strawgate/py-key-value">py-key-value-aio</a>, a
new library from FastMCP maintainer Bill Easton (<a
href="https://github.com/strawgate"><code>@strawgate</code></a>), the
storage layer provides encrypted disk storage by default, platform-aware
token management, and a simple key-value interface for application
state. We're excited to bring this elegantly designed library into the
FastMCP ecosystem - it's both powerful and remarkably easy to use,
including wrappers to add encryption, TTLs, caching, and more to
backends ranging from Elasticsearch, Redis, DynamoDB, filesystem,
in-memory, and more! OAuth providers now automatically persist tokens
across restarts, and developers can store arbitrary state without
reaching for external databases. This foundation enables long-running
sessions, cached credentials, and stateful applications built on
MCP.</p>
<p>🔐 <strong>OAuth maturity</strong> brings months of production
learnings into the framework. The new consent screen prevents confused
deputy and authorization bypass attacks discovered in earlier versions
while providing a clean UX with customizable branding. The OAuth proxy
now issues its own tokens with automatic key derivation from client
secrets, and RFC 7662 token introspection support enables enterprise
auth flows. Path prefix mounting enables OAuth-protected servers to
integrate into existing web applications under custom paths like
<code>/api</code>, and MCP 1.17+ compliance with RFC 9728 ensures
protocol compatibility. Combined with improved error handling and
platform-aware token storage, OAuth is now production-ready and
security-hardened for serious applications.</p>
<p>FastMCP now supports out-of-the-box authentication with:</p>
<ul>
<li><strong><a
href="https://gofastmcp.com/integrations/workos">WorkOS</a></strong> and
<strong><a
href="https://gofastmcp.com/integrations/authkit">AuthKit</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/github">GitHub</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/google">Google</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/azure">Azure</a></strong>
(Entra ID)</li>
<li><strong><a href="https://gofastmcp.com/integrations/aws-cognito">AWS
Cognito</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/auth0">Auth0</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/descope">Descope</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/scalekit">Scalekit</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/servers/auth/token-verification#jwt-token-verification">JWTs</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/servers/auth/token-verification#token-introspection-protocol">RFC
7662 token introspection</a></strong></li>
</ul>
<p>⚡ <strong>Response Caching Middleware</strong> dramatically improves
performance for expensive operations. Cache tool and resource responses
with configurable TTLs, reducing redundant API calls and speeding up
repeated queries.</p>
<p>🔄 <strong>Server lifespans</strong> provide proper initialization and
cleanup hooks that run once per server instance instead of per client
session. This fixes a long-standing source of confusion in the MCP SDK
and enables proper resource management for database connections,
background tasks, and other server-level state. Note: this is a breaking
behavioral change if you were using the <code>lifespan</code>
parameter.</p>
<p>✨ <strong>Developer experience improvements</strong> include Pydantic
input validation for better type safety, icon support for richer UX, RFC
6570 query parameters for resource templates, improved Context API
methods (list_resources, list_prompts, get_prompt), and async
file/directory resources.</p>
<p>This release includes contributions from <strong>20</strong> new
contributors and represents the largest feature set in a while. Thank
you to everyone who tested preview builds and filed issues - your
feedback shaped these improvements!</p>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<h3>New Features 🎉</h3>
<ul>
<li>Add RFC 6570 query parameter support to resource templates by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1971">jlowin/fastmcp#1971</a></li>
<li>Add Storage to FastMCP and switch OAuth to use it by <a
href="https://github.com/strawgate"><code>@strawgate</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1913">jlowin/fastmcp#1913</a></li>
<li>Add Pydantic-compatible input validation by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2073">jlowin/fastmcp#2073</a></li>
<li>Add RFC 7662 token introspection provider by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2074">jlowin/fastmcp#2074</a></li>
<li>Add Response Caching Middleware by <a
href="https://github.com/strawgate"><code>@strawgate</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1845">jlowin/fastmcp#1845</a></li>
<li>Support mounting OAuth-protected servers under path prefixes by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2119">jlowin/fastmcp#2119</a></li>
<li>OAuth proxy issues its own tokens by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2109">jlowin/fastmcp#2109</a></li>
<li>Implement icon support by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2121">jlowin/fastmcp#2121</a></li>
<li>Add ToolInjectionMiddleware + Tools for Read/List Resource/Prompt
for Client Compat by <a
href="https://github.com/strawgate"><code>@strawgate</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/2142">jlowin/fastmcp#2142</a></li>
</ul>
<h3>Enhancements 🔧</h3>
<ul>
<li>Add Scalekit Provider for Enterprise Authentication by <a
href="https://github.com/AkshayParihar33"><code>@AkshayParihar33</code></a>
in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1927">jlowin/fastmcp#1927</a></li>
<li>Add AuthKit DCR example by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1935">jlowin/fastmcp#1935</a></li>
<li>Remove redirect path for authkit example by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1938">jlowin/fastmcp#1938</a></li>
<li>feat: Follow OAuth 2.1 spec requirements on auth failures by <a
href="https://github.com/tcarac"><code>@tcarac</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1923">jlowin/fastmcp#1923</a></li>
<li>Refactor OAuth 2.1 error handling with TokenHandler subclass by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1948">jlowin/fastmcp#1948</a></li>
<li>Expand timeouts by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1954">jlowin/fastmcp#1954</a></li>
<li>Upgrade GitHub workflows to claude-code-action@v1 by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1956">jlowin/fastmcp#1956</a></li>
<li>Add --model claude-sonnet-4-5-20250929 to all workflows by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1963">jlowin/fastmcp#1963</a></li>
<li>Improve env vars for marvin by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://redirect.github.com/jlowin/fastmcp/pull/1972">jlowin/fastmcp#1972</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jlowin/fastmcp/blob/main/docs/changelog.mdx">fastmcp's
changelog</a>.</em></p>
<blockquote>
<hr />
<h2>title: "Changelog"
icon: "list-check"
rss: true</h2>
<!-- raw HTML omitted -->
<p><strong><a
href="https://github.com/jlowin/fastmcp/releases/tag/v2.13.0">v2.13.0:
Cache Me If You Can</a></strong></p>
<p>FastMCP 2.13 "Cache Me If You Can" represents a fundamental
maturation of the framework. After months of community feedback on
authentication and state management, this release delivers the
infrastructure FastMCP needs to handle production workloads: persistent
storage, response caching, and pragmatic OAuth improvements that reflect
real-world deployment challenges.</p>
<p>💾 <strong>Pluggable storage backends</strong> bring persistent state
to FastMCP servers. Built on <a
href="https://github.com/strawgate/py-key-value">py-key-value-aio</a>, a
new library from FastMCP maintainer Bill Easton (<a
href="https://github.com/strawgate"><code>@strawgate</code></a>), the
storage layer provides encrypted disk storage by default, platform-aware
token management, and a simple key-value interface for application
state. We're excited to bring this elegantly designed library into the
FastMCP ecosystem - it's both powerful and remarkably easy to use,
including wrappers to add encryption, TTLs, caching, and more to
backends ranging from Elasticsearch, Redis, DynamoDB, filesystem,
in-memory, and more! OAuth providers now automatically persist tokens
across restarts, and developers can store arbitrary state without
reaching for external databases. This foundation enables long-running
sessions, cached credentials, and stateful applications built on
MCP.</p>
<p>🔐 <strong>OAuth maturity</strong> brings months of production
learnings into the framework. The new consent screen prevents confused
deputy and authorization bypass attacks discovered in earlier versions
while providing a clean UX with customizable branding. The OAuth proxy
now issues its own tokens with automatic key derivation from client
secrets, and RFC 7662 token introspection support enables enterprise
auth flows. Path prefix mounting enables OAuth-protected servers to
integrate into existing web applications under custom paths like
<code>/api</code>, and MCP 1.17+ compliance with RFC 9728 ensures
protocol compatibility. Combined with improved error handling and
platform-aware token storage, OAuth is now production-ready and
security-hardened for serious applications.</p>
<p>FastMCP now supports out-of-the-box authentication with:</p>
<ul>
<li><strong><a
href="https://gofastmcp.com/integrations/workos">WorkOS</a></strong> and
<strong><a
href="https://gofastmcp.com/integrations/authkit">AuthKit</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/github">GitHub</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/google">Google</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/azure">Azure</a></strong>
(Entra ID)</li>
<li><strong><a href="https://gofastmcp.com/integrations/aws-cognito">AWS
Cognito</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/auth0">Auth0</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/descope">Descope</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/integrations/scalekit">Scalekit</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/servers/auth/token-verification#jwt-token-verification">JWTs</a></strong></li>
<li><strong><a
href="https://gofastmcp.com/servers/auth/token-verification#token-introspection-protocol">RFC
7662 token introspection</a></strong></li>
</ul>
<p>⚡ <strong>Response Caching Middleware</strong> dramatically improves
performance for expensive operations. Cache tool and resource responses
with configurable TTLs, reducing redundant API calls and speeding up
repeated queries.</p>
<p>🔄 <strong>Server lifespans</strong> provide proper initialization and
cleanup hooks that run once per server instance instead of per client
session. This fixes a long-standing source of confusion in the MCP SDK
and enables proper resource management for database connections,
background tasks, and other server-level state. Note: this is a breaking
behavioral change if you were using the <code>lifespan</code>
parameter.</p>
<p>✨ <strong>Developer experience improvements</strong> include Pydantic
input validation for better type safety, icon support for richer UX, RFC
6570 query parameters for resource templates, improved Context API
methods (list_resources, list_prompts, get_prompt), and async
file/directory resources.</p>
<p>This release includes contributions from <strong>20</strong> new
contributors and represents the largest feature set in a while. Thank
you to everyone who tested preview builds and filed issues - your
feedback shaped these improvements!</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/jlowin/fastmcp/compare/v2.12.5...v2.13.0">v2.12.5...v2.13.0</a></p>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p><strong><a
href="https://github.com/jlowin/fastmcp/releases/tag/v2.12.5">v2.12.5:
Safety Pin</a></strong></p>
<p>FastMCP 2.12.5 is a point release that pins the MCP SDK version below
1.17, which introduced a change affecting FastMCP users with auth
providers mounted as part of a larger application. This ensures the
<code>.well-known</code> payload appears in the expected location when
using FastMCP authentication providers with composite applications.</p>
<h2>What's Changed</h2>
<h3>Fixes 🐞</h3>
<ul>
<li>Pin MCP SDK version below 1.17 by <a
href="https://github.com/jlowin"><code>@jlowin</code></a> in <a
href="https://github.com/jlowin/fastmcp/commit/dab2b316ddc3883b7896a86da21cacb68da01e5c">a1b2c3d</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jlowin/fastmcp/commit/716e50dae0b445fb7fd0251725fc827c045d5fdd"><code>716e50d</code></a>
chore: Update SDK documentation (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2214">#2214</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/5896daf6a1802d1546827f644c82a768df49e051"><code>5896daf</code></a>
Stage 2.13.0 updates (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2252">#2252</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/b57a39c69ca0476ead01fc3bcd0b209d21755151"><code>b57a39c</code></a>
Remove redundant None checks from Context methods (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2251">#2251</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/380835593c27ff8bd359020e354eeed8f8fa1b22"><code>3808355</code></a>
Async FileResource and DirectoryResource (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2241">#2241</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/1e5776f69c562db3e3dc9ed9983cc33a5c557bcd"><code>1e5776f</code></a>
Add list_resources, list_prompts, and get_prompt methods to Context (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2249">#2249</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/2f131196846f278085deb7dc01307e35ee35fafb"><code>2f13119</code></a>
Add Documentation for FastMCP Server Testing (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2244">#2244</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/c002bc389ca472a2b3d5937037b3af8048759830"><code>c002bc3</code></a>
Small Clean-up (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2247">#2247</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/19fbc8435ea990d44638cbe0661df920daffa34a"><code>19fbc84</code></a>
delete ratio test (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2250">#2250</a>)</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/063ffe9f64a02a688b55d636888852575d128497"><code>063ffe9</code></a>
Derive <code>jwt_signing_key</code> from Client Secret, default to
Encrypted Disk Store ...</li>
<li><a
href="https://github.com/jlowin/fastmcp/commit/577ed6e9a3d33268bbc1f0b528d08b918a912135"><code>577ed6e</code></a>
Fix middleware example: add context parameter to call_next() (<a
href="https://redirect.github.com/jlowin/fastmcp/issues/2215">#2215</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jlowin/fastmcp/compare/v2.12.4...v2.13.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/stackitcloud/rag-template/network/alerts).
</details>
---------
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andreas Klos <[email protected]>1 parent b6d060b commit e2e3693
3 files changed
+1584
-1499
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
193 | 193 | | |
194 | 194 | | |
195 | 195 | | |
196 | | - | |
| 196 | + | |
197 | 197 | | |
198 | 198 | | |
199 | 199 | | |
| |||
0 commit comments