Bump fastmcp from 2.13.0.2 to 2.14.0 in /server/hello

[dependabot]

Bumps fastmcp from 2.13.0.2 to 2.14.0.

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress
mcp = FastMCP("MyServer")
@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
await progress.set_total(100)
for epoch in range(100):
# ... training work ...
await progress.increment()
return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

• SEP-1686: Background tasks with progress tracking
• SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
• SEP-1330: Multi-select enum elicitation schemas
• SEP-1034: Default values for elicitation schemas
• SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true

v2.14.1: 'Tis a Gift to Be Sample

FastMCP 2.14.1 introduces sampling with tools (SEP-1577), enabling servers to pass tools to ctx.sample() for agentic workflows where the LLM can automatically execute tool calls in a loop. The new ctx.sample_step() method provides single LLM calls that return SampleStep objects for custom control flow, while result_type enables structured outputs via validated Pydantic models.

🤖 AnthropicSamplingHandler joins the existing OpenAI handler, providing multi-provider sampling support out of the box.

⚡ OpenAISamplingHandler promoted from experimental status—sampling handlers are now production-ready with a unified API.

What's Changed

New Features 🎉

• Sampling with tools by @​jlowin in #2538
• Add AnthropicSamplingHandler by @​jlowin in #2677

Enhancements 🔧

• Add Python 3.13 to ubuntu CI by @​jlowin in #2648
• Remove legacy task initialization workaround by @​jlowin in #2649
• Consolidate session state reset logic by @​jlowin in #2651
• Unify SamplingHandler; promote OpenAI from experimental by @​jlowin in #2656
• Add tool_names parameter to mount() for name customization by @​jlowin in #2660
• Use streamable HTTP client API from MCP SDK by @​jlowin in #2678
• Deprecate exclude_args in favor of Depends() by @​jlowin in #2693

Fixes 🐞

• Fix prompt tasks to return mcp.types.PromptMessage by @​jlowin in #2650
• Fix Windows test warnings by @​jlowin in #2653
• Cleanup cancelled connection startup by @​jlowin in #2679
• Fix tool choice bug in sampling examples by @​shawnthapa in #2686

Docs 📚

• Simplify Docket tip wording by @​chrisguidry in #2662

Other Changes 🦾

• Bump pydocket to ≥0.15.5 by @​jlowin in #2694

New Contributors

• @​shawnthapa made their first contribution in #2686

Full Changelog: v2.14.0...v2.14.1

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, introducing protocol-native background tasks (SEP-1686) that enable long-running operations to report progress without blocking clients. The experimental OpenAPI parser graduates to standard, the OpenAISamplingHandler is promoted from experimental, and deprecated APIs accumulated across the 2.x series are removed.

... (truncated)

Commits

• 3d6fd46 chore: remove tests/test_examples.py (#2593)
• 03b62d2 feat: handle error from the initialize middleware (#2531)
• 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
• 855e01e chore: Update SDK documentation (#2588)
• d56f55a Add smart fallback for missing access token expiry (#2587)
• d35b867 chore: Update SDK documentation (#2517)
• 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
• 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
• 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
• 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	fastmcp@​2.14.0

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: pypi fastmcp URLs: https://github.com/jlowin/fastmcp, https://picsum.photos/400/300, https://picsum.photos/300/200, https://bsky.social, http://127.0.0.1:8000/mcp, https://your-app.authkit.app, http://127.0.0.1:8000/api/mcp/github/mcp, http://127.0.0.1:8000/api/mcp/google/mcp, https://your-env.scalekit.com, https://mozilla.github.io/pdf.js/web/compressed.tracemonkey-pldi-09.pdf, https://surgemsg.com/, https://api.surgemsg.com/messages, https://api.github.com/repos/, https://valkey.io/, https://gofastmcp.com/docs/tasks, https://gofastmcp.com/clients/auth/oauth#token-storage, https://fastmcp-test-server.example.com, https://dev.example.com, https://gofastmcp.com/deployment/http#mounting-authenticated-servers, http://example.com/api, http://oauth.net/core/2.1/#registration, https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices#confused-deputy-problem, https://gofastmcp.com/servers/auth/oauth-proxy#confused-deputy-attacks, https://openid.net/specs/openid-connect-discovery-1_0.html, https://datatracker.ietf.org/doc/html/rfc8414, https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, https://datatracker.ietf.org/doc/html/rfc8414#section-2, https://oidc.config.url, https://your.server.url, https://auth0.config.url, https://my-server.com, https://graph.microsoft.com/User.Read, https://app.descope.com/mcp-servers, https://docs.descope.com/identity-federation/inbound-apps/creating-inbound-apps#method-2-dynamic-client-registration-dcr, https://your-fastmcp-server.com, https://api.descope.com, https://discord.com/api/oauth2/@me, https://discord.com/oauth2/authorize, https://discord.com/api/oauth2/token, https://api.github.com/user, https://api.github.com/user/repos, https://github.com/login/oauth/authorize, https://github.com/login/oauth/access_token, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/oauth2/v1/tokeninfo, https://www.googleapis.com/oauth2/v2/userinfo, https://accounts.google.com/o/oauth2/v2/auth, https://oauth2.googleapis.com/token, http://fastmcp.example.com, https://auth.example.com/oauth/introspect, https://fastmcp.example.com, https://app.scalekit.com/, https://docs.scalekit.com/mcp/overview/, https://abc123.supabase.co, https://your-fastmcp-server.com/oauth2/callback, https://workos.com/docs/authkit/mcp/integrating/token-verification, https://your-workos-domain.authkit.app, http://127.0.0.1, https://app.example.com/auth/, https://gofastmcp.com/deployment/asgi, https://github.com/jlowin/fastmcp/issues, https://gofastmcp.com/patterns/decorating-methods, https://gofastmcp.com/docs/servers/tools, https://gofastmcp.com, https://fastmcp.cloud, https://astral.sh/uv/install.sh, https://gofastmcp.com/public/schemas/fastmcp.json/v1.json, https://gofastmcp.com/assets/brand/blue-logo.png, https://api.example.com/v1, http://malicious.com, https://example.com, http://example.com, http://127.0.0.1:3000/path, https://api.example.com/mcp, ftp://example.com, https://mcp.example.com/server1/v1.0/mcp, https://mcp.example.com, https://mcp.example.com/api/mcp/, https://mcp.example.com/api/mcp, https://github.com/jlowin/fastmcp/pull/643, http://example.com/api/sse/stream, http://example.com/api/sse, http://example.com/api/sse/, http://example.com/api/sse?param=value, http://example.com/asset/image.jpg, https://example.com/assets/file, https://example.com:8080/mcp, https://x.com, https://github.com/modelcontextprotocol/python-sdk/pull/659, https://some.fake.url/, https://github.com/settings/developers, http://127.0.0.1:9100/auth/callback, https://api.githubcopilot.com/mcp/, http://example.com/data, https://example.com/.well-known/openid-configuration, https://example.com:8000/, https://example.com/authorize, https://example.com/oauth/token, https://example.com/.well-known/jwks.json, https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXXXX, https://test.auth.us-east-1.amazoncognito.com/oauth2/authorize, https://test.auth.us-east-1.amazoncognito.com/oauth2/token, https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXXXXX/.well-known/jwks.json, https://test.auth.us-east-1.amazoncognito.com/oauth2/userInfo, https://example.com/, https://env-example.com, https://env-example.com/, https://myserver.com, https://myserver.com/, https://envserver.com, https://envserver.com/, https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/authorize, https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token, https://login.microsoftonline.com/my-tenant/discovery/v2.0/keys, https://login.microsoftonline.com/my-tenant/v2.0, https://srv.example, https://should.be.ignored, https://login.microsoftonline.com/test-tenant/oauth2/v2.0/authorize, https://login.microsoftonline.com/test-tenant/oauth2/v2.0/token, https://login.microsoftonline.com/test-tenant/v2.0, https://login.microsoftonline.com/test-tenant/discovery/v2.0/keys, https://login.microsoftonline.us/gov-tenant-id/oauth2/v2.0/authorize, https://login.microsoftonline.us/gov-tenant-id/oauth2/v2.0/token, https://login.microsoftonline.us/gov-tenant-id/v2.0, https://login.microsoftonline.us/gov-tenant-id/discovery/v2.0/keys, https://login.microsoftonline.us/env-tenant-id/oauth2/v2.0/authorize, https://login.microsoftonline.us/env-tenant-id/oauth2/v2.0/token, https://login.microsoftonline.us/env-tenant-id/v2.0, https://login.microsoftonline.us/env-tenant-id/discovery/v2.0/keys, https://graph.microsoft.com/.default, https://graph.microsoft.com/Mail.Send, https://api.descope.com/v1/apps/agentic/P2abc123/M123/.well-known/openid-configuration, https://api.descope.com/v1/apps/agentic/P2env123/M123/.well-known/openid-configuration, https://api.descope.com/v1/apps/P2oldenv123, http://env-server.com, http://env-server.com/, https://api.descope.com/v1/apps/agentic/P2abc123/M123, https://api.descope.com/v1/apps/P2abc123, https://api.descope.com/P2abc123/.well-known/jwks.json, https://api.descope.com/v1/apps/agentic/P2new123/M123/.well-known/openid-configuration, https://old.descope.com, https://api.descope.com/v1/apps/agentic/P2new123/M123, https://api.descope.com/v1/apps/agentic/P2test123/M123/.well-known/openid-configuration, https://github.com/testuser.png, https://www.googleapis.com/auth/userinfo.profile, https://auth.example.com/introspect, https://my-env.scalekit.com, https://legacy.scalekit.com, https://legacy-app.com/, https://preferred-base.com/, https://unused-base.com/, https://env-scalekit.com, https://envserver.com/mcp, https://legacy-env.com/, https://test-env.scalekit.com, http://test-server.com, http://test-server.com/, https://my-env.scalekit.com/, https://my-env.scalekit.com/keys, https://my-env.scalekit.com/resources/sk_resource_456, https://test-env.scalekit.com/token, https://test-env.scalekit.com/authorize, https://test-env.scalekit.com/.well-known/oauth-authorization-server/resources/sk_resource_test_456, https://env123.supabase.co, https://abc123.supabase.co/, https://abc123.supabase.co/auth/v1/.well-known/jwks.json, https://abc123.supabase.co/auth/v1, https://test123.supabase.co, https://test.authkit.app, https://env.authkit.app, https://test.authkit.app/oauth2/authorize, https://test.authkit.app/oauth2/token, https://respectful-lullaby-34-staging.authkit.app, https://auth.example.com, https://my-server.com/.well-known/oauth-protected-resource/api/v1/mcp, https://my-server.com/mcp, https://my-server.com/api/v2/services/mcp, https://test.com, https://myserver.com/register, https://example.com/icon.png, https://test-server.com, https://test-server.com/mcp, https://other-server.com, https://other-server.com/mcp, https://test.example.com, https://api.example.com, https://evil.example.com, https://wrong-api.example.com, https://test.example.com/.well-known/jwks.json, https://any.example.com, https://any-api.example.com, https://other-api.example.com, https://third-party.example.com, https://other-issuer.example.com, https://wrong-issuer.example.com, https://my-auth-server.com, https://myserver.example, https://oauth.example.com/authorize, https://oauth.example.com/token, https://proxy.example.com, https://example.com/custom-icon.png, https://auth.example.com/, https://api.example.com/api, https://api.example.com/api/mcp, https://api.example.com/outer/inner, https://api.example.com/outer/inner/mcp, https://upstream.example.com/authorize, https://upstream.example.com/token, https://api.example.com/api/authorize, https://api.example.com/api/token, https://api.example.com/api/register, https://api.example.com/api/, https://auth.example.com/authorize, https://auth.example.com/token, https://api.example.com/, https://auth.example.com/revoke, https://issuer.example.com, https://docs.example.com, https://auth.com/authorize, https://auth.com/token, https://api.com, https://resource.example.com, https://idp.example.com/authorize, https://idp.example.com/token, https://idp.example.com/.well-known/jwks.json, https://idp.example.com, http://127.0.0.1:3000, https://claude.ai/api/mcp/auth_callback, https://app.example.com/, https://app.example.com/callback, https://anywhere.com:9999/path, https://accounts.google.com/.well-known/openid-configuration, https://example.com/oauth/introspect, http://example.com:3000/callback, https://api.example.com/callback, https://example.com/callback, http://app.example.com/callback, https://app.example.com:8080/auth/callback, https://api.example.com:3000/auth/redirect, http://app.example.com:8080/auth/callback, http://127.0.0.1:8080, https://app.example.com, https://api.trusted.io/auth, https://other.example.com/callback, http://example.com/callback, https://api.example.com/.well-known/oauth-protected-resource/mcp, https://api.example.com/v1/, https://api.example.com/v1/.well-known/oauth-protected-resource/mcp, https://api.example.com/v1/mcp, https://auth1.example.com, https://auth2.example.com, https://auth1.example.com/, https://auth2.example.com/, https://accounts.google.com, https://accounts.google.com/, https://doc.my-server.com/resource-docs, http://test.com, https://resource.example.com/, https://github.com/jlowin/fastmcp/issues/1300, https://raw.githubusercontent.com/github/rest-api-description/refs/heads/main/descriptions-next/ghes-3.17/ghes-3.17.json, https://example.com/greet-icon.png, https://example.com/wave-icon.png, https://example.com/user-icon.png, https://example.com/welcome-icon.png, http://example.com/mcp/, https://mcptest.com, https://client.example.com/callback, https://auth.example.com/register, https://docs.example.com/, https://client.example.com/other-callback, https://client.example.com, https://attacker.example.com/callback, https://api.example.com/v1/users, https://example.com/tool-icon.png, https://example.com/resource-icon.png, https://example.com/template-icon.png, https://example.com/prompt-icon.png, https://example.com/icon-48.png, https://example.com/icon-96.png, https://example.com/icon.svg, http://127.0.0.1:9999/sse/, https://github.com/jlowin/fastmcp/issues/2583, http://example.com/path, https://github.com/jlowin/fastmcp/issues/1369, https://api.example.com/users/123, https://api.example.com/v1/users/123, https://api.example.com/users/42, https://api.example.com/search, https://example.com/calculator.png, https://example.com/data.png, https://example.com/user.png, https://example.com/analyze.png, https://example.com/tool-small.png, https://example.com/tool-large.png, https://example.com/v1-tool.png, https://example.com/server.png, https://example.com/tool.png Location: Package overview From: server/hello/requirements.txt → pypi/fastmcp@2.14.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/fastmcp@2.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: pypi fastmcp URLs: https://valkey.io/, https://gofastmcp.com/docs/tasks, https://gofastmcp.com/clients/auth/oauth#token-storage, https://fastmcp-test-server.example.com, https://dev.example.com, https://gofastmcp.com/deployment/http#mounting-authenticated-servers, http://example.com/api, http://oauth.net/core/2.1/#registration, https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices#confused-deputy-problem, https://gofastmcp.com/servers/auth/oauth-proxy#confused-deputy-attacks, https://openid.net/specs/openid-connect-discovery-1_0.html, https://datatracker.ietf.org/doc/html/rfc8414, https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata, https://datatracker.ietf.org/doc/html/rfc8414#section-2, https://oidc.config.url, https://your.server.url, https://auth0.config.url, https://my-server.com, https://graph.microsoft.com/User.Read, https://app.descope.com/mcp-servers, https://docs.descope.com/identity-federation/inbound-apps/creating-inbound-apps#method-2-dynamic-client-registration-dcr, https://your-fastmcp-server.com, https://api.descope.com, https://discord.com/api/oauth2/@me, https://discord.com/oauth2/authorize, https://discord.com/api/oauth2/token, https://api.github.com/user, https://api.github.com/user/repos, https://github.com/login/oauth/authorize, https://github.com/login/oauth/access_token, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/oauth2/v1/tokeninfo, https://www.googleapis.com/oauth2/v2/userinfo, https://accounts.google.com/o/oauth2/v2/auth, https://oauth2.googleapis.com/token, http://fastmcp.example.com, https://auth.example.com/oauth/introspect, https://fastmcp.example.com, https://app.scalekit.com/, https://your-env.scalekit.com, https://docs.scalekit.com/mcp/overview/, https://abc123.supabase.co, https://your-app.authkit.app, https://your-fastmcp-server.com/oauth2/callback, https://workos.com/docs/authkit/mcp/integrating/token-verification, https://your-workos-domain.authkit.app, http://127.0.0.1, https://app.example.com/auth/, https://gofastmcp.com/deployment/asgi, https://github.com/jlowin/fastmcp/issues, https://gofastmcp.com/patterns/decorating-methods, https://gofastmcp.com/docs/servers/tools, https://gofastmcp.com, https://fastmcp.cloud, https://astral.sh/uv/install.sh, https://gofastmcp.com/public/schemas/fastmcp.json/v1.json, https://gofastmcp.com/assets/brand/blue-logo.png Location: Package overview From: server/hello/requirements.txt → pypi/fastmcp@2.14.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/fastmcp@2.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report