From 0621e4ec2e61c71163d58b2acace7a23d09dcea6 Mon Sep 17 00:00:00 2001 From: Bartosz Blizniak Date: Wed, 10 Jun 2026 12:50:17 +0100 Subject: [PATCH 1/3] fix(deps): bump mcp to 1.27.2 and upgrade vulnerable dependencies --- requirements.in | 2 +- requirements.txt | 53 +++++++++++++++++++++++++++++++++++++----------- setup.py | 7 +++++-- 3 files changed, 47 insertions(+), 15 deletions(-) diff --git a/requirements.in b/requirements.in index 38946bcf..c75851c7 100644 --- a/requirements.in +++ b/requirements.in @@ -8,4 +8,4 @@ pre-commit pylint pytest-cov python-toon -mcp==1.9.1 +mcp==1.27.2 diff --git a/requirements.txt b/requirements.txt index 28fce239..2a371b79 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile with Python 3.10 # by the following command: # -# pip-compile --output-file=requirements.txt requirements.in setup.py +# pip-compile --no-emit-index-url --output-file=requirements.txt requirements.in setup.py # annotated-types==0.7.0 # via pydantic @@ -14,6 +14,10 @@ anyio==4.12.1 # starlette astroid==4.0.3 # via pylint +attrs==26.1.0 + # via + # jsonschema + # referencing backports-tarfile==1.2.0 # via jaraco-context build==1.4.0 @@ -28,6 +32,8 @@ certifi==2026.1.4 # httpcore # httpx # requests +cffi==2.0.0 + # via cryptography cfgv==3.5.0 # via pre-commit charset-normalizer==3.4.4 @@ -51,6 +57,8 @@ configparser==7.2.0 # via click-configfile coverage[toml]==7.13.1 # via pytest-cov +cryptography==48.0.0 + # via pyjwt dill==0.4.1 # via pylint distlib==0.4.0 @@ -77,7 +85,7 @@ httpx-sse==0.4.3 # via mcp identify==2.6.16 # via pre-commit -idna==3.11 +idna==3.18 # via # anyio # httpx @@ -96,13 +104,17 @@ jaraco-functools==4.4.0 # via keyring json5==0.13.0 # via cloudsmith-cli (setup.py) +jsonschema==4.26.0 + # via mcp +jsonschema-specifications==2025.9.1 + # via jsonschema keyring==25.7.0 # via cloudsmith-cli (setup.py) markdown-it-py==4.0.0 # via rich mccabe==0.7.0 # via pylint -mcp==1.9.1 +mcp==1.27.2 # via # -r requirements.in # cloudsmith-cli (setup.py) @@ -131,6 +143,8 @@ pluggy==1.6.0 # pytest-cov pre-commit==4.5.1 # via -r requirements.in +pycparser==3.0 + # via cffi pydantic==2.12.5 # via # mcp @@ -139,19 +153,22 @@ pydantic-core==2.41.5 # via pydantic pydantic-settings==2.12.0 # via mcp -pygments==2.19.2 +pygments==2.20.0 # via # pytest # rich -pyjwt==2.12.1 - # via cloudsmith-cli (setup.py) +pyjwt[crypto]==2.12.1 + # via + # cloudsmith-cli (setup.py) + # mcp + # pyjwt pylint==4.0.4 # via -r requirements.in pyproject-hooks==1.2.0 # via # build # pip-tools -pytest==9.0.2 +pytest==9.0.3 # via pytest-cov pytest-cov==7.0.0 # via -r requirements.in @@ -159,9 +176,9 @@ python-dateutil==2.9.0.post0 # via # cloudsmith-api # freezegun -python-dotenv==1.2.1 +python-dotenv==1.2.2 # via pydantic-settings -python-multipart==0.0.21 +python-multipart==0.0.32 # via mcp python-toon==0.1.2 # via @@ -169,7 +186,11 @@ python-toon==0.1.2 # cloudsmith-cli (setup.py) pyyaml==6.0.3 # via pre-commit -requests==2.32.5 +referencing==0.37.0 + # via + # jsonschema + # jsonschema-specifications +requests==2.34.2 # via # cloudsmith-cli (setup.py) # requests-toolbelt @@ -177,6 +198,10 @@ requests-toolbelt==1.0.0 # via cloudsmith-cli (setup.py) rich==14.3.3 # via cloudsmith-cli (setup.py) +rpds-py==0.30.0 + # via + # jsonschema + # referencing semver==3.0.4 # via cloudsmith-cli (setup.py) six==1.17.0 @@ -186,7 +211,7 @@ six==1.17.0 # python-dateutil sse-starlette==3.2.0 # via mcp -starlette==0.52.1 +starlette==1.2.1 # via # mcp # sse-starlette @@ -203,19 +228,23 @@ typing-extensions==4.15.0 # via # anyio # astroid + # cryptography # exceptiongroup + # mcp # pydantic # pydantic-core # pyjwt + # referencing # starlette # typing-inspection # uvicorn # virtualenv typing-inspection==0.4.2 # via + # mcp # pydantic # pydantic-settings -urllib3==2.6.3 +urllib3==2.7.0 # via # cloudsmith-api # cloudsmith-cli (setup.py) diff --git a/setup.py b/setup.py index 3a2800a0..86ac7213 100644 --- a/setup.py +++ b/setup.py @@ -56,8 +56,11 @@ def get_long_description(): "json5>=0.9.0", # For parsing JSONC (JSON with comments) in VS Code settings "cloudsmith-api>=2.0.25,<3.0", # Compatible upto (but excluding) 3.0+ "keyring>=25.4.1", - "mcp==1.9.1", - "PyJWT>=2.0.0", + "mcp==1.27.2", + # The crypto extra must be declared here: mcp requires pyjwt[crypto], + # and a bare PyJWT requirement makes the PEX zipapp resolver drop the + # extra (and with it the cryptography wheels). + "PyJWT[crypto]>=2.0.0", "python-toon==0.1.2", "requests>=2.18.4", "requests_toolbelt>=1.0.0", From 40273c8085eb13c12d6fd797179096f9db23e73b Mon Sep 17 00:00:00 2001 From: Bartosz Blizniak Date: Wed, 10 Jun 2026 13:12:55 +0100 Subject: [PATCH 2/3] fix(deps): drop direct PyJWT requirement --- requirements.txt | 5 +---- setup.py | 8 ++++---- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/requirements.txt b/requirements.txt index 2a371b79..f53e302d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -158,10 +158,7 @@ pygments==2.20.0 # pytest # rich pyjwt[crypto]==2.12.1 - # via - # cloudsmith-cli (setup.py) - # mcp - # pyjwt + # via mcp pylint==4.0.4 # via -r requirements.in pyproject-hooks==1.2.0 diff --git a/setup.py b/setup.py index 86ac7213..c6c5c09d 100644 --- a/setup.py +++ b/setup.py @@ -57,10 +57,10 @@ def get_long_description(): "cloudsmith-api>=2.0.25,<3.0", # Compatible upto (but excluding) 3.0+ "keyring>=25.4.1", "mcp==1.27.2", - # The crypto extra must be declared here: mcp requires pyjwt[crypto], - # and a bare PyJWT requirement makes the PEX zipapp resolver drop the - # extra (and with it the cryptography wheels). - "PyJWT[crypto]>=2.0.0", + # PyJWT is intentionally not declared here. It is only consumed via + # mcp's pyjwt[crypto] requirement, and re-declaring it bare at the + # top level makes the PEX zipapp resolver drop the crypto extra + # (and with it the cryptography wheels). "python-toon==0.1.2", "requests>=2.18.4", "requests_toolbelt>=1.0.0", From cc5461513115c9ba244ac9e916483bd39f93d45d Mon Sep 17 00:00:00 2001 From: Bartosz Blizniak Date: Wed, 10 Jun 2026 15:38:24 +0100 Subject: [PATCH 3/3] fix(deps): restore direct PyJWT[crypto] requirement --- requirements.txt | 5 ++++- setup.py | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/requirements.txt b/requirements.txt index f53e302d..2a371b79 100644 --- a/requirements.txt +++ b/requirements.txt @@ -158,7 +158,10 @@ pygments==2.20.0 # pytest # rich pyjwt[crypto]==2.12.1 - # via mcp + # via + # cloudsmith-cli (setup.py) + # mcp + # pyjwt pylint==4.0.4 # via -r requirements.in pyproject-hooks==1.2.0 diff --git a/setup.py b/setup.py index c6c5c09d..86ac7213 100644 --- a/setup.py +++ b/setup.py @@ -57,10 +57,10 @@ def get_long_description(): "cloudsmith-api>=2.0.25,<3.0", # Compatible upto (but excluding) 3.0+ "keyring>=25.4.1", "mcp==1.27.2", - # PyJWT is intentionally not declared here. It is only consumed via - # mcp's pyjwt[crypto] requirement, and re-declaring it bare at the - # top level makes the PEX zipapp resolver drop the crypto extra - # (and with it the cryptography wheels). + # The crypto extra must be declared here: mcp requires pyjwt[crypto], + # and a bare PyJWT requirement makes the PEX zipapp resolver drop the + # extra (and with it the cryptography wheels). + "PyJWT[crypto]>=2.0.0", "python-toon==0.1.2", "requests>=2.18.4", "requests_toolbelt>=1.0.0",