fix(deps): update dependencies

[terraform-ibm-modules-ops]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
fastmcp	==2.12.5 -> ==2.13.0			project.dependencies	minor
hypothesis (changelog)	==6.140.2 -> ==6.142.4			project.optional-dependencies	minor
pydantic (changelog)	==2.11.9 -> ==2.12.3			project.dependencies	minor
python (source)	>=3.11.0 -> ==3.14.0			requires-python	pin
pyyaml (source)	>=6.0.2 -> ==6.0.2			project.dependencies	pin
ruff (source, changelog)	==0.14.1 -> ==0.14.2			project.optional-dependencies	patch
ruff (source, changelog)	==0.14.1 -> ==0.14.2			dependency-groups	patch

---

Release Notes

jlowin/fastmcp (fastmcp)

v2.13.0: : Cache Me If You Can

Compare Source

FastMCP 2.13.0 "Cache Me If You Can" represents a fundamental maturation of the framework. After months of community feedback on authentication and state management, this release delivers the infrastructure FastMCP needs to handle production workloads: persistent storage, response caching, and pragmatic OAuth improvements that reflect real-world deployment challenges.

💾 Pluggable storage backends bring persistent state to FastMCP servers. Built on py-key-value-aio, a new library from FastMCP maintainer Bill Easton (@​strawgate), the storage layer provides encrypted disk storage by default, platform-aware token management, and a simple key-value interface for application state. We're excited to bring this elegantly designed library into the FastMCP ecosystem - it's both powerful and remarkably easy to use, including wrappers to add encryption, TTLs, caching, and more to backends ranging from Elasticsearch, Redis, DynamoDB, filesystem, in-memory, and more! OAuth providers now automatically persist tokens across restarts, and developers can store arbitrary state without reaching for external databases. This foundation enables long-running sessions, cached credentials, and stateful applications built on MCP.

🔐 OAuth maturity brings months of production learnings into the framework. The new consent screen prevents confused deputy and authorization bypass attacks discovered in earlier versions while providing a clean UX with customizable branding. The OAuth proxy now issues its own tokens with automatic key derivation from client secrets, and RFC 7662 token introspection support enables enterprise auth flows. Path prefix mounting enables OAuth-protected servers to integrate into existing web applications under custom paths like /api, and MCP 1.17+ compliance with RFC 9728 ensures protocol compatibility. Combined with improved error handling and platform-aware token storage, OAuth is now production-ready and security-hardened for serious applications.

FastMCP now supports out-of-the-box authentication with:

• WorkOS and AuthKit
• GitHub
• Google
• Azure (Entra ID)
• AWS Cognito
• Auth0
• Descope
• Scalekit
• JWTs
• RFC 7662 token introspection

⚡ Response Caching Middleware dramatically improves performance for expensive operations. Cache tool and resource responses with configurable TTLs, reducing redundant API calls and speeding up repeated queries.

🔄 Server lifespans provide proper initialization and cleanup hooks that run once per server instance instead of per client session. This fixes a long-standing source of confusion in the MCP SDK and enables proper resource management for database connections, background tasks, and other server-level state. Note: this is a breaking behavioral change if you were using the lifespan parameter.

✨ Developer experience improvements include Pydantic input validation for better type safety, icon support for richer UX, RFC 6570 query parameters for resource templates, improved Context API methods (list_resources, list_prompts, get_prompt), and async file/directory resources.

This release includes contributions from 20 new contributors and represents the largest feature set in a while. Thank you to everyone who tested preview builds and filed issues - your feedback shaped these improvements!

What's Changed

New Features 🎉

• Add RFC 6570 query parameter support to resource templates by @​jlowin in #​1971
• Add Storage to FastMCP and switch OAuth to use it by @​strawgate in #​1913
• Add Pydantic-compatible input validation by @​jlowin in #​2073
• Add RFC 7662 token introspection provider by @​jlowin in #​2074
• Add Response Caching Middleware by @​strawgate in #​1845
• Support mounting OAuth-protected servers under path prefixes by @​jlowin in #​2119
• OAuth proxy issues its own tokens by @​jlowin in #​2109
• Implement icon support by @​jlowin in #​2121
• Add ToolInjectionMiddleware + Tools for Read/List Resource/Prompt for Client Compat by @​strawgate in #​2142

Enhancements 🔧

• Add Scalekit Provider for Enterprise Authentication by @​AkshayParihar33 in #​1927
• Add AuthKit DCR example by @​jlowin in #​1935
• Remove redirect path for authkit example by @​jlowin in #​1938
• feat: Follow OAuth 2.1 spec requirements on auth failures by @​tcarac in #​1923
• Refactor OAuth 2.1 error handling with TokenHandler subclass by @​jlowin in #​1948
• Expand timeouts by @​jlowin in #​1954
• Upgrade GitHub workflows to claude-code-action@​v1 by @​jlowin in #​1956
• Add --model claude-sonnet-4-5-20250929 to all workflows by @​jlowin in #​1963
• Improve env vars for marvin by @​jlowin in #​1972
• Add Any annotations to args and kwargs by @​strawgate in #​1994
• Mark GitHub Integration tests as flaky by @​strawgate in #​2000
• Internal refactor of MCP handlers by @​jlowin in #​2005
• Support initialize requests in middleware by @​jlowin in #​1546
• Updates to Logging Middleware by @​strawgate in #​1974
• add supabase-auth by @​aaazzam in #​1997
• Allow direct instantiation of Prompt and Resource classes by @​jlowin in #​2031
• Support customizable env file location by @​jlowin in #​2036
• Improve Tracebacks for narrow terminals by @​jlowin in #​1939
• Refactor mounting logic from managers to server by @​jlowin in #​2069
• feat: expose errlog on stdio transport by @​mpuhacz in #​1991
• feat: Add title, annotations and meta to mixin decorators by @​AnkeshThakur in #​2033
• Add warnings regarding memory store by @​strawgate in #​2052
• Also push client messages (info/warn/debug) to server debug log by @​strawgate in #​2063
• feat: add azp claim by @​roee-hersh in #​1945
• bump kv dependency to 0.2.2 by @​strawgate in #​2089
• Add auto-close workflow for issues needing MRE by @​jlowin in #​2100
• Add client_storage property to aws provider by @​rparme in #​2107
• Update version badge for azure auth docs by @​jlowin in #​2120
• Disable parallel test execution on Windows by @​jlowin in #​2128
• Support custom server name, icons, and link in OAuth Proxy consent page by @​jlowin in #​2135
• Replace subprocess tests with in-process async servers by @​jlowin in #​2006
• Progress replacing asyncio with anyio by @​jlowin in #​2143
• Update CLI logo by @​jlowin in #​2159
• Change auth init log to debug by @​jlowin in #​2160
• allow non write users for marvin flows by @​jlowin in #​2161
• Redesign OAuth consent screen for better UX by @​jlowin in #​2170
• Allow authorization consent screen to be disabled by @​jlowin in #​2172
• example: update server init usage by @​zzstoatzz in #​2200
• Update smart home example again by @​zzstoatzz in #​2201
• Use platformdirs for settings.home by @​jlowin in #​2213
• Add platform-aware OAuth token persistence by @​jlowin in #​2218
• Update CLI logo by @​jlowin in #​2220
• Improve OAuth error messages with custom handlers and middleware by @​jlowin in #​2221
• Fix martian concurrency controls and dedupe issues mcp servers by @​strawgate in #​2240
• Use abstract types for FastMCP class instantiation by @​strawgate in #​2219
• Derive jwt_signing_key from Client Secret, default to Encrypted Disk Store by @​strawgate in #​2223
• Delete performance ratio in unit test by @​jlowin in #​2250
• Small Clean-up by @​strawgate in #​2247
• Add list_resources, list_prompts, and get_prompt methods to Context by @​strawgate in #​2249
• Remove redundant None checks from Context methods by @​jlowin in #​2251

Fixes 🐞

• Fix Python 3.13 websockets deprecation warning by @​jlowin in #​1949
• Fix path resolution in install commands by @​jlowin in #​1951
• Fix SSE endpoint accepting POST requests instead of returning 405 by @​jlowin in #​1953
• Fix claude-code-action@​v1 authentication by @​jlowin in #​1958
• cli: fix banner width by removing emoji variation selectors by @​zzstoatzz in #​1975
• Fix improper conversion of list[Audio | File | Image] helpers by @​joshrubin-p360 in #​1970
• Update doc for tool-transformation regarding output_schema by @​geraint0923 in #​2009
• Azure (Entra) OAuth: Validate token against FastMCP app, not Graph. by @​nbaju1 in #​1891
• Default to FastMCP version when server version not specified by @​jlowin in #​2022
• Check if refresh_token is None by @​Kyle-Dinh in #​2025
• fix: wrong server name in explicit server entrypoint doc by @​alDuncanson in #​2046
• fixed a comment in File class by @​Anurag-gg in #​2066
• Prevent confused deputy attacks in OAuth proxy by @​jlowin in #​2056
• Fix: add missing json_response parameter to run_http_async by @​tradeqvest in #​2071
• Change middleware return types from list to Sequence by @​strawgate in #​2058
• Fix asyncio error when running FastMCP 1.x servers by @​chrisguidry in #​2084
• Escape all HTML to prevent XSS attack by @​jlowin in #​2090
• Remove shell=True from Windows subprocess calls by @​jlowin in #​2091
• Fix experimental parser missing top-level response schemas (#​2087) by @​jlowin in #​2092
• Fix nullable enum validation in OpenAPI converter by @​jlowin in #​2093
• Remove obsolete claude.py with Windows path bug by @​jlowin in #​2101
• Fix log handler to accept any JSON-serializable data type by @​jlowin in #​2102
• Fix missing import in Tool Transformation docs. by @​andrew-mclachlan in #​2108
• transform NotFoundError to standard MCP error by @​omeraha in #​2133
• Fix google scope example by @​jlowin in #​2144
• Update content type in advanced_tool function by @​hyeonjae in #​2147
• Make CORS opt-in via middleware parameter by @​jlowin in #​2150
• Remove warning message in common scenario of all client redirect uri'… by @​jlowin in #​2156
• Remove fonts which weren't rendering in all browsers by @​jlowin in #​2174
• Update environment vars in uvx transport by @​derluke in #​2169
• Restore gray monospace styling for OAuth callback screen by @​jlowin in #​2173
• bug fix in fastmcp install claude-code by @​valayDave in #​2165
• Expose OAuth token management parameters across all providers by @​jlowin in #​2222
• Mark test_github_api_schema_performance as integration test by @​strawgate in #​2242
• Fix Azure scope mismatch causing MCP client validation errors by @​jlowin in #​2243
• Add exc_info=True to inspect command error logging by @​aaazzam in #​2232
• Add version badge for run_server_async in tests docs by @​jlowin in #​2237
• Async FileResource and DirectoryResource by @​strawgate in #​2241

Breaking Changes 🛫

• Switch Lifespan to being a Server Lifespan by @​strawgate in #​2013
• Upgrade to MCP 1.17+ with RFC 9728 compliance by @​jlowin in #​2122

Docs 📚

• Add updates for 2.12.4 by @​jlowin in #​1929
• Update FastAPI docs by @​jlowin in #​1934
• Update ChatGPT docs for Chat mode with Developer Mode by @​jlowin in #​1936
• Additional Tool Transformation Examples for Client Wrapping by @​strawgate in #​2002
• Improve docs on prefix rules by @​jlowin in #​2028
• Add version badge to on_initialize docs by @​jlowin in #​2029
• Delete outdated root docs by @​jlowin in #​2075
• Clarify context is scoped to single MCP request by @​jlowin in #​2099
• Document container limitations for Image/Audio/File objects by @​jlowin in #​2118
• Add security policy by @​jlowin in #​2117
• Add storage backend documentation by @​jlowin in #​2137
• Docs by @​jlowin in #​2145
• Update changelog for 2.12.5 by @​jlowin in #​2146
• docs: Add AWS Cognito resource server requirement and CORS guidance by @​jlowin in #​2149
• Move sampling fallback handler docs to server section by @​jlowin in #​2163
• Fix dead links to py-key-value repository by @​strawgate in #​2217
• Fix middleware example: add context parameter to call_next() by @​jlowin in #​2215
• Add Documentation for FastMCP Server Testing by @​strawgate in #​2244

Dependencies 📦

• Bump py-key-value-aio to 0.2.6 by @​strawgate in #​2196

Other Changes 🦾

• Fix prompt_file input and bot attribution by @​jlowin in #​1960
• Improve Marvin and add a Martian by @​strawgate in #​1982
• Improve the Martian by @​strawgate in #​1983
• Fix Marvin labeling and shorten Martian responses by @​strawgate in #​1987

New Contributors

• @​AkshayParihar33 made their first contribution in #​1927
• @​tcarac made their first contribution in #​1923
• @​joshrubin-p360 made their first contribution in #​1970
• @​geraint0923 made their first contribution in #​2009
• @​nbaju1 made their first contribution in #​1891
• @​aaazzam made their first contribution in #​1997
• @​Kyle-Dinh made their first contribution in #​2025
• @​alDuncanson made their first contribution in #​2046
• @​Anurag-gg made their first contribution in #​2066
• @​tradeqvest made their first contribution in #​2071
• @​mpuhacz made their first contribution in #​1991
• @​AnkeshThakur made their first contribution in #​2033
• @​chrisguidry made their first contribution in #​2084
• @​roee-hersh made their first contribution in #​1945
• @​rparme made their first contribution in #​2107
• @​andrew-mclachlan made their first contribution in #​2108
• @​omeraha made their first contribution in #​2133
• @​hyeonjae made their first contribution in #​2147
• @​derluke made their first contribution in #​2169
• @​valayDave made their first contribution in #​2165

Full Changelog: jlowin/fastmcp@v2.12.4...v2.13.0

pydantic/pydantic (pydantic)

v2.12.3

Compare Source

GitHub release

What's Changed

This is the third 2.12 patch release, fixing issues related to the FieldInfo class, and reverting a change to the supported
after model validator function signatures.

• Raise a warning when an invalid after model validator function signature is raised by @​Viicos in #​12414.
  Starting in 2.12.0, using class methods for after model validators raised an error, but the error wasn't raised concistently. We decided
  to emit a deprecation warning instead.
• Add FieldInfo.asdict() method, improve documentation around FieldInfo by @​Viicos in #​12411.
  This also add back support for mutations on FieldInfo classes, that are reused as Annotated metadata. However, note that this is still
  not a supported pattern. Instead, please refer to the added example in the documentation.

The blog post section on changes was also updated to document the changes related to serialize_as_any.

v2.12.2

Compare Source

GitHub release

What's Changed

Fixes

• Release a new pydantic-core version, as a corrupted CPython 3.10 manylinux2014_aarch64 wheel got uploaded (pydantic-core#1843).
• Fix issue with recursive generic models with a parent model class by @​Viicos in #​12398

v2.12.1

Compare Source

GitHub release

What's Changed

This is the first 2.12 patch release, addressing most (but not all yet) regressions from the initial 2.12.0 release.

Fixes

• Do not evaluate annotations when inspecting validators and serializers by @​Viicos in #​12355
• Make sure None is converted as NoneType in Python 3.14 by @​Viicos in #​12370
• Backport V1 runtime warning when using Python 3.14 by @​Viicos in #​12367
• Fix error message for invalid validator signatures by @​Viicos in #​12366
• Populate field name in ValidationInfo for validation of default value by @​Viicos in pydantic-core#1826
• Encode credentials in MultiHostUrl builder by @​willswire in pydantic-core#1829
• Respect field serializers when using serialize_as_any serialization flag by @​davidhewitt in pydantic-core#1829
• Fix various RootModel serialization issues by @​davidhewitt in pydantic-core#1836

New Contributors

• @​willswire made their first contribution in pydantic-core#1829

v2.12.0

Compare Source

GitHub release

What's Changed

This is the final 2.12 release. It features the work of 20 external contributors and provides useful new features, along with initial Python 3.14 support.
Several minor changes (considered non-breaking changes according to our versioning policy)
are also included in this release. Make sure to look into them before upgrading.

Note that Pydantic V1 is not compatible with Python 3.14 and greater.

Changes (see the alpha and beta releases for additional changes since 2.11):

Packaging

• Update V1 copy to v1.10.24 by @​Viicos in #​12338

New Features

• Add extra parameter to the validate functions by @​anvilpete in #​12233
• Add exclude_computed_fields serialization option by @​Viicos in #​12334
• Add preverse_empty_path URL options by @​Viicos in #​12336
• Add union_format parameter to JSON Schema generation by @​Viicos in #​12147
• Add __qualname__ parameter for create_model by @​Atry in #​12001

Fixes

• Do not try to infer name from lambda definitions in pipelines API by @​Viicos in #​12289
• Use proper namespace for functions in TypeAdapter by @​Viicos in #​12324
• Use Any for context type annotation in TypeAdapter by @​inducer in #​12279
• Expose FieldInfo in pydantic.fields.__all__ by @​Viicos in #​12339
• Respect validation_alias in @validate_call by @​Viicos in #​12340
• Use Any as context annotation in plugin API by @​Viicos in #​12341
• Use proper stacklevel in warnings when possible by @​Viicos in #​12342

New Contributors

• @​anvilpete made their first contribution in #​12233
• @​JonathanWindell made their first contribution in #​12327
• @​inducer made their first contribution in #​12279
• @​Atry made their first contribution in #​12001

v2.11.10

Compare Source

GitHub release

What's Changed

Fixes

• Backport v1.10.24 changes by @​Viicos

astral-sh/ruff (ruff)

v0.14.2

Compare Source

Released on 2025-10-23.

Preview features

• [flake8-gettext] Resolve qualified names and built-in bindings (INT001, INT002, INT003) (#​19045)

Bug fixes

• Avoid reusing nested, interpolated quotes before Python 3.12 (#​20930)
• Catch syntax errors in nested interpolations before Python 3.12 (#​20949)
• [fastapi] Handle ellipsis defaults in FAST002 autofix (#​20810)
• [flake8-simplify] Skip SIM911 when unknown arguments are present (#​20697)
• [pyupgrade] Always parenthesize assignment expressions in fix for f-string (UP032) (#​21003)
• [pyupgrade] Fix UP032 conversion for decimal ints with underscores (#​21022)
• [fastapi] Skip autofix for keyword and __debug__ path params (FAST003) (#​20960)

Rule changes

• [flake8-bugbear] Skip B905 and B912 for fewer than two iterables and no starred arguments (#​20998)
• [ruff] Use DiagnosticTag for more pyflakes and pandas rules (#​20801)

CLI

• Improve JSON output from ruff rule (#​20168)

Documentation

• Add source to testimonial (#​20971)
• Document when a rule was added (#​21035)

Other changes

• [syntax-errors] Name is parameter and global (#​20426)
• [syntax-errors] Alternative match patterns bind different names (#​20682)

Contributors

• @​hengky-kurniawan-1
• @​ShalokShalom
• @​robsdedude
• @​LoicRiegel
• @​TaKO8Ki
• @​dylwil3
• @​11happy
• @​ntBre

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[terraform-ibm-modules-dev]

/run pipeline

[terraform-ibm-modules-dev]

/run pipeline

[terraform-ibm-modules-dev]

/run pipeline