chore: bump fastmcp for security fixes, adopt uv exclude-newer #57
jtroup wants to merge 1 commit into
Conversation
Greptile Summary
This PR bumps
Confidence Score: 5/5
All changes are confined to dependency metadata, tooling configuration, and a CalVer version string — no application logic is modified. No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[uv lock / uv sync] --> B{Is package version\nuploaded within 7 days?}
B -- Yes --> C{Is package in\nexclude-newer-package override?}
C -- Yes\nfastmcp / fastmcp-slim --> D{Uploaded before\n2026-05-16?}
D -- Yes --> E[✅ Allowed\ne.g. fastmcp 3.3.1]
D -- No --> F[❌ Excluded]
C -- No --> F
B -- No --> E
Reviews (2): Last reviewed commit: "chore: bump fastmcp for security fixes, ..."
| [tool.uv] | ||
| exclude-newer = "7 days" | ||
| # Remove this next line once fastmcp >= 3.3.2 is released and fall back to the global 7-day window. | ||
| exclude-newer-package = { fastmcp = "2026-05-16T00:00:00Z", fastmcp-slim = "2026-05-16T00:00:00Z" } |
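Review bot: the override only permits fastmcp 3.3.1 through the 7-day window; nothing in this block requires it, so a later `uv lock` refresh could still resolve back to 3.2.4 if the project's dependency specifier allows it. Consider pairing the override with a lower bound such as `fastmcp>=3.3.1` in the dependency list so the security fix is mandatory rather than merely admissible, and so the override line can be dropped later without the lock silently regressing.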
Hard ceiling on fastmcp silently blocks future upgrades
The per-package cutoff "2026-05-16T00:00:00Z" is an absolute date, not a relative window. Any fastmcp or fastmcp-slim release uploaded after that timestamp — including a hypothetical 3.3.2 security patch — will be excluded by uv lock until this line is manually removed. If a security fix ships before someone remembers to clean up the override (or before dependabot opens a PR), the lock will silently stay on 3.3.1. The inline comment calls it out, but given the stated motivation (picking up security fixes quickly), it may be worth tracking this as an issue or adding a CI assertion so the guard is lifted proactively.
We get alerts from Aikido about CVEs in dependencies that matter, so this is covered IMO.
cb8ff6b to 009531d
what
- Bump fastmcp/fastmcp-slim from 3.2.4 to 3.3.1 (refresh of uv.lock).
- Add [tool.uv] exclude-newer = "7 days" in pyproject.toml with per-package overrides for fastmcp and fastmcp-slim pinned to 2026-05-16 so the new 3.3.1 release (uploaded 2026-05-15) still resolves through the otherwise 7-day fence.
- Bump uv to 0.11.13 and just to 1.50.0 in .tool-versions; the uv bump is the minimum that understands the relative exclude-newer syntax and the per-package override.
- Add a pre-commit ecosystem entry to dependabot.yaml (monthly, 7-day cooldown, grouped, chore prefix).
- Bump version to 2026.05.20.

why
fastmcp 3.3.1 ships security fixes we want to pick up, so the primary driver is the version bump. Doing the bump is also a good moment to harden dependency resolution: exclude-newer refuses package versions uploaded inside the configured window, so a freshly published compromised release (Shai-Hulud, LiteLLM etc.) cannot be pulled in before maintainers and detection tooling have had a chance to react. 3.3.1 itself sits inside the 7-day window, hence the per-package exemption capped at 2026-05-16 — it lets the security fix through without weakening the global default for everything else. Adding pre-commit to dependabot keeps hook versions current alongside the existing ecosystems.

testing
- just lint
- just test
- uv sync to confirm the new [tool.uv] block and lockfile options resolve cleanly with uv 0.11.13.

docs
No docs needed. The behaviour is internal to dependency resolution and not user-facing.
🤖 Generated with Claude Code
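The gate the flowchart and the "why" section describe can be walked through with a small model. The script below is an added example, not code from this PR or from uv; it assumes (as the review comment states) that a per-package `exclude-newer-package` timestamp replaces the global relative window for that package outright, and it uses a constructed package index in which only fastmcp 3.3.1's upload date comes from the PR (3.2.4's date, a hypothetical 3.3.2, `otherlib`, and the two "now" values are made up). It also includes the staleness check the reviewer suggested: an override whose absolute date has fallen behind the rolling 7-day cutoff no longer admits anything and only blocks.

```python
from datetime import datetime, timedelta, timezone

# Settings mirroring the [tool.uv] block in this PR's pyproject.toml.
WINDOW = timedelta(days=7)
OVERRIDES = {
    "fastmcp": datetime(2026, 5, 16, tzinfo=timezone.utc),
    "fastmcp-slim": datetime(2026, 5, 16, tzinfo=timezone.utc),
}

# Constructed package index: (version, upload timestamp). 3.3.1's upload date is
# the one stated in the PR; 3.2.4's date, 3.3.2 and "otherlib" are made up.
UPLOADS = {
    "fastmcp": [
        ("3.2.4", datetime(2026, 4, 20, tzinfo=timezone.utc)),
        ("3.3.1", datetime(2026, 5, 15, tzinfo=timezone.utc)),
        ("3.3.2", datetime(2026, 5, 18, tzinfo=timezone.utc)),  # hypothetical follow-up
    ],
    "otherlib": [
        ("1.0.0", datetime(2026, 4, 1, tzinfo=timezone.utc)),
        ("1.0.1", datetime(2026, 5, 19, tzinfo=timezone.utc)),  # freshly published
    ],
}

# Two reference "now" values for the walk-through (constructed).
NOW = datetime(2026, 5, 20, 12, tzinfo=timezone.utc)    # around when the PR was opened
LATER = datetime(2026, 5, 30, 12, tzinfo=timezone.utc)  # ten days on, override still in place


def cutoff_for(package, now, window=WINDOW, overrides=OVERRIDES):
    """Timestamp after which uploads of `package` are excluded.

    Assumption: a per-package override replaces the global relative window
    for that package outright, as the review comment above describes.
    """
    return overrides.get(package, now - window)


def is_allowed(package, uploaded_at, now, window=WINDOW, overrides=OVERRIDES):
    """True if a distribution uploaded at `uploaded_at` passes the exclude-newer gate."""
    return uploaded_at <= cutoff_for(package, now, window, overrides)


def _version_key(version):
    # Good enough for the dotted numeric versions used here; not PEP 440-aware.
    return tuple(int(part) for part in version.split("."))


def resolve(package, candidates, now, window=WINDOW, overrides=OVERRIDES):
    """Highest version of `package` that the exclude-newer gate lets through, or None."""
    allowed = [(v, t) for v, t in candidates
               if is_allowed(package, t, now, window, overrides)]
    if not allowed:
        return None
    return max(allowed, key=lambda vt: _version_key(vt[0]))[0]


def stale_overrides(now, window=WINDOW, overrides=OVERRIDES):
    """Packages whose absolute override is no newer than the rolling global cutoff.

    Such an override no longer lets anything extra through; it only blocks
    uploads the 7-day window would already accept. This is the kind of CI
    assertion the review comment suggests: fail the build and remove the line.
    """
    global_cutoff = now - window
    return sorted(pkg for pkg, ts in overrides.items() if ts <= global_cutoff)


if __name__ == "__main__":
    for when in (NOW, LATER):
        print(f"now = {when.date()}")
        for pkg, candidates in UPLOADS.items():
            print(f"  {pkg}: {resolve(pkg, candidates, when)}")
        print(f"  stale overrides: {stale_overrides(when)}")
```

Run as-is, the first pass (2026-05-20) resolves fastmcp to 3.3.1 and otherlib to 1.0.0, since 1.0.1 was uploaded inside the window. The second pass (2026-05-30) shows the ceiling the reviewer warned about: the hypothetical 3.3.2 is older than seven days by then, yet fastmcp still resolves to 3.3.1 while the override stands, and `stale_overrides` now reports both packages.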