Skip to content

fix(deps): bump mcp to 1.27.2 and upgrade vulnerable dependencies#308

Merged
BartoszBlizniak merged 5 commits into
masterfrom
fix/security-deps-bump
Jun 10, 2026
Merged

fix(deps): bump mcp to 1.27.2 and upgrade vulnerable dependencies#308
BartoszBlizniak merged 5 commits into
masterfrom
fix/security-deps-bump

Conversation

@BartoszBlizniak

@BartoszBlizniak BartoszBlizniak commented Jun 10, 2026

Copy link
Copy Markdown
Member

Description

Bumps mcp 1.9.1 → 1.27.2 and regenerates requirements.txt, resolving all 17 open Dependabot alerts (mcp, urllib3, requests, starlette, python-multipart, python-dotenv, idna, pytest, pygments) and the matching requirements.txt code scanning alerts.

PyJWT>=2.0.0 becomes PyJWT[crypto]>=2.0.0 in setup.py: mcp ≥1.23 requires pyjwt[crypto], and a bare top-level PyJWT requirement makes the PEX zipapp resolver drop the extra, shipping a zipapp without cryptography wheels that fails at startup on macOS. The dependency stays declared because the OIDC token cache imports jwt directly (see #309 review — library-based decode retained per maintainer preference).

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactoring
  • Other (please describe)

Additional Notes

mcp 1.27.2 requires Python ≥3.10, matching the existing python_requires; no supported version dropped. Verified: full pytest green on Python 3.10–3.14 (incl. Alpine/ARM64 zipapp CI), live API smoke tests (push/download round-trip), MCP server stdio smoke test (initialize, 88 tools, live tool call) under mcp 1.27.2, and a locally built zipapp containing the cryptography wheels for macOS/Linux.

Copilot AI review requested due to automatic review settings June 10, 2026 11:53
@BartoszBlizniak BartoszBlizniak requested a review from a team as a code owner June 10, 2026 11:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the CLI’s pinned MCP dependency and regenerates the compiled dependency lockfile to address security alerts and align runtime requirements for zipapp/PEX packaging.

Changes:

  • Bump mcp from 1.9.1 to 1.27.2 (in both setup.py and requirements.in).
  • Switch PyJWT>=2.0.0 to PyJWT[crypto]>=2.0.0 in setup.py to ensure the crypto extra is preserved in zipapp/PEX resolution.
  • Regenerate requirements.txt with updated pinned transitive versions (and record the pip-compile --no-emit-index-url ... invocation).

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
setup.py Bumps MCP and ensures PyJWT’s crypto extra is explicitly required for packaging/runtime correctness.
requirements.txt Refreshes the compiled/pinned dependency set to match updated MCP and vulnerability-driven upgrades.
requirements.in Updates the pinned MCP version in the input set used for compiling the lockfile.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@BartoszBlizniak BartoszBlizniak merged commit 08b1b22 into master Jun 10, 2026
40 checks passed
@BartoszBlizniak BartoszBlizniak deleted the fix/security-deps-bump branch June 10, 2026 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants