Skip to content

chore(deps): bump mcp from 1.27.0 to 1.28.1 in /envs/textarena_env#994

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/textarena_env/mcp-1.28.1
Open

chore(deps): bump mcp from 1.27.0 to 1.28.1 in /envs/textarena_env#994
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/textarena_env/mcp-1.28.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps mcp from 1.27.0 to 1.28.1.

Release notes

Sourced from mcp's releases.

v1.28.0

Deprecations

Two API surfaces now emit DeprecationWarning ahead of their removal in v2. Nothing is removed in 1.x, and the warnings fire only when the deprecated API is called - importing the modules stays silent.

  • WebSocket transport - mcp.client.websocket.websocket_client and mcp.server.websocket.websocket_servermodelcontextprotocol/typescript-sdk#1783
  • Experimental tasks API - ClientSession.experimental, Server.experimental, ServerSession.experimental, and the experimental_task_handlers= kwarg on ClientSession. Tasks (SEP-1686) were removed from the MCP specification and are expected to return as a separate MCP extension.

If your test suite runs with filterwarnings = ["error"] and exercises these paths, add a scoped ignore such as ignore:The experimental tasks API is deprecated:DeprecationWarning or ignore:The WebSocket .* transport is deprecated:DeprecationWarning.

See #2828 for full details.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.27.2...v1.28.0

v1.27.2

What's Changed

Full Changelog: modelcontextprotocol/python-sdk@v1.27.1...v1.27.2

v1.27.1

What's Changed

Full Changelog: modelcontextprotocol/python-sdk@v1.27.0...v1.27.1

Commits
  • 777b8d0 [v1.x] Support TransportSecuritySettings in the WebSocket server transport (#...
  • 4720467 [v1.x] Set Development Status classifier to Production/Stable (#2976)
  • 6df3d73 [v1.x] Buffer per-request StreamableHTTP streams; store priming event before ...
  • 32d3290 [v1.x] Pass a list to parametrize in test_docs_examples (pytest 9.1.0 compat)...
  • 0dca751 [v1.x] Deflake the child process cleanup tests (#2839)
  • 52258a9 [v1.x] Add a v2 status banner to the README (#2835)
  • b8f4917 [v1.x] Deprecate the WebSocket transport and the experimental tasks entry poi...
  • 2309e5e fix: omit null optional fields from task result payloads (#2809)
  • 494eb11 [v1.x] Support Python 3.14 (#2769)
  • 6213787 [v1.x] Scope experimental tasks to the session that created them (#2720)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only dependency bump with no repo code changes; minor risk if CI or runtime uses deprecated WebSocket/tasks APIs or strict warning filters.

Overview
Updates the locked mcp (Model Context Protocol Python SDK) version in envs/textarena_env/uv.lock from 1.27.0 to 1.28.1. No application source changes—only lockfile artifact URLs and hashes.

1.28.x adds Python 3.14 support, omits null optional fields from task result payloads, and deprecates (with warnings when used) WebSocket transport helpers and experimental tasks APIs ahead of v2. fastmcp in this env still depends on mcp; behavior should stay the same unless tests call those deprecated paths or treat new DeprecationWarnings as errors.

Reviewed by Cursor Bugbot for commit 0958297. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [mcp](https://github.com/modelcontextprotocol/python-sdk) from 1.27.0 to 1.28.1.
- [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md)
- [Commits](modelcontextprotocol/python-sdk@v1.27.0...v1.28.1)

---
updated-dependencies:
- dependency-name: mcp
  dependency-version: 1.28.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 17, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 17, 2026 — with Cursor
@bot-ci-comment

Copy link
Copy Markdown

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alignment Review Report

Dependabot native PR bumping the transitive mcp SDK 1.27.0 → 1.28.1 in envs/textarena_env/uv.lock (lock-only, +3/-3). Verified end-to-end — this is a clean, security-positive bump with nothing to fix.

Automated Checks

  • Lint: N/A / not attributable. .claude/hooks/lint.sh exits non-zero, but only on the ~20 pre-existing unformatted envs/** Python files (e.g. envs/textarena_env/server/gradio_ui.py) that also fail on a clean main. This PR only changes uv.lock, and lockfiles/TOML aren't linted — so none of that is this PR's doing.
  • Debug code: CLEAN. check-debug.sh only scans src/; every hit is pre-existing there, none in the changed file.

Open RFCs Context

All RFCs are Draft / In Review. The only topically-adjacent one is RFC 003 – MCP Support (In Review; @Darktex, @pankit-eng), but it governs the MCP protocol/interface design, not the pinned mcp SDK version → no conflict. No RFC covers dependency management / PyPI pins.

Tier 1: Fixes Required

None.

Tier 2: Alignment Discussion

Principle Conflicts

None identified. mcp is transitive (via openenv → fastmcp → mcp; textarena_env declares no mcp pin), so a lock-only bump with no pyproject change is correct. This env's lock is "born clean" — already fully on pypi.org/simple (0 HF-mirror refs on both base and head) and already at revision = 3 — so there is no index-source flip and no revision bump, and therefore no reproducibility/provenance flag this time.

RFC Conflicts

None identified.

Process note (non-blocking, cc @burtenshaw)

.github/dependabot.yml's uv updater is configured directory: "/" with exclude-paths: ["envs/**"] (added in #566, 5f499da9), yet this native dependabot/uv/envs/textarena_env/... PR still edits envs/**. The codex/dependabot-envs-* aggregate roll-ups are the intended path for env locks. This looks like a platform limitation in the uv ecosystem's exclude-paths handling rather than anything to fix in this PR — flagging for awareness only.

Verification performed

  • uv lock --check --project envs/textarena_envpasses (resolved 126 pkgs). Package set 124 → 124, 0 added/removed, only mcp changed.
  • Security (positive): base 1.27.0 carries three advisories — CVE-2026-52870 (GHSA-hvrp-rf83-w775) + CVE-2026-52869 (GHSA-jpw9-pfvf-9f58), both fixed_in 1.27.2, and CVE-2026-59950 (GHSA-vj7q-gjh5-988w), fixed_in 1.28.1 only. Targeting 1.28.1 clears all three (1.28.1 has 0 known vulns); 1.27.2 would have left the third unfixed.
  • Hashes match live PyPI exactly (sdist d51e36a5… size 638501; wheel 2726bca5… size 222620); yanked: false; requires_python >=3.10 (env is >=3.10).
  • 1.28.0 deprecations (WebSocket transport + experimental tasks) are a non-issue: 0 usages in src/ or envs/textarena_env, and no filterwarnings=error anywhere.

Summary

  • 0 mechanical issues to fix
  • 0 alignment points for human review (1 non-blocking process note, cc @burtenshaw)
  • 0 RFC conflicts
Open in Web View Automation 

Sent by Cursor Automation: Pre-review

[[package]]
name = "mcp"
version = "1.27.0"
version = "1.28.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mcp is a transitive dependency here (via openenv → fastmcp → mcp; textarena_env's pyproject.toml has no mcp pin, and the fastmcp dep-ref at line 760 imposes no version cap), so this lock-only bump with no pyproject change is correct.

Verified: uv lock --check passes (126 pkgs), package set 124 → 124 with only mcp changed, and this env's lock is born clean (0 HF-mirror refs, still revision = 3 → no index-flip, no revision bump).

Security-positive: base 1.27.0 carries 3 advisories — CVE-2026-52870 + CVE-2026-52869 (fixed in 1.27.2) and CVE-2026-59950 (fixed only in 1.28.1). So 1.28.1 (not 1.27.2) is what clears all three; 1.28.1 has 0 known vulns.

{ name = "uvicorn", marker = "sys_platform != 'emscripten'" },
]
sdist = { url = "https://files.pythonhosted.org/packages/8b/eb/c0cfc62075dc6e1ec1c64d352ae09ac051d9334311ed226f1f425312848a/mcp-1.27.0.tar.gz", hash = "sha256:d3dc35a7eec0d458c1da4976a48f982097ddaab87e278c5511d5a4a56e852b83", size = 607509, upload-time = "2026-04-02T14:48:08.88Z" }
sdist = { url = "https://files.pythonhosted.org/packages/6e/77/9450b8f251a13affb6281997d0523c4615f8a8b35d0b21ff30db3a5aac9d/mcp-1.28.1.tar.gz", hash = "sha256:d51e36a5f5644faea4f85ea649bfffa6bc6c26770d42798ad6a3de3d2ba69683", size = 638501, upload-time = "2026-06-26T12:57:29.093Z" }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sdist/wheel hashes verified against live PyPI: sdist d51e36a5… (size 638501) and wheel 2726bca5… (size 222620) match; yanked: false; requires_python >=3.10 (env requires-python >=3.10).

The 1.28.0 deprecations (WebSocket transport + experimental tasks) don't apply here — 0 usages in src/ or envs/textarena_env, and no filterwarnings=error, so no DeprecationWarning-as-error CI risk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies environment python:uv Pull requests that update python:uv code size: small Small pull request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant