chore(deps): bump mcp from 1.27.0 to 1.28.1 in /envs/textarena_env#994
chore(deps): bump mcp from 1.27.0 to 1.28.1 in /envs/textarena_env#994dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [mcp](https://github.com/modelcontextprotocol/python-sdk) from 1.27.0 to 1.28.1. - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.27.0...v1.28.1) --- updated-dependencies: - dependency-name: mcp dependency-version: 1.28.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
There was a problem hiding this comment.
Alignment Review Report
Dependabot native PR bumping the transitive mcp SDK 1.27.0 → 1.28.1 in envs/textarena_env/uv.lock (lock-only, +3/-3). Verified end-to-end — this is a clean, security-positive bump with nothing to fix.
Automated Checks
- Lint: N/A / not attributable.
.claude/hooks/lint.shexits non-zero, but only on the ~20 pre-existing unformattedenvs/**Python files (e.g.envs/textarena_env/server/gradio_ui.py) that also fail on a cleanmain. This PR only changesuv.lock, and lockfiles/TOML aren't linted — so none of that is this PR's doing. - Debug code: CLEAN.
check-debug.shonly scanssrc/; every hit is pre-existing there, none in the changed file.
Open RFCs Context
All RFCs are Draft / In Review. The only topically-adjacent one is RFC 003 – MCP Support (In Review; @Darktex, @pankit-eng), but it governs the MCP protocol/interface design, not the pinned mcp SDK version → no conflict. No RFC covers dependency management / PyPI pins.
Tier 1: Fixes Required
None.
Tier 2: Alignment Discussion
Principle Conflicts
None identified. mcp is transitive (via openenv → fastmcp → mcp; textarena_env declares no mcp pin), so a lock-only bump with no pyproject change is correct. This env's lock is "born clean" — already fully on pypi.org/simple (0 HF-mirror refs on both base and head) and already at revision = 3 — so there is no index-source flip and no revision bump, and therefore no reproducibility/provenance flag this time.
RFC Conflicts
None identified.
Process note (non-blocking, cc @burtenshaw)
.github/dependabot.yml's uv updater is configured directory: "/" with exclude-paths: ["envs/**"] (added in #566, 5f499da9), yet this native dependabot/uv/envs/textarena_env/... PR still edits envs/**. The codex/dependabot-envs-* aggregate roll-ups are the intended path for env locks. This looks like a platform limitation in the uv ecosystem's exclude-paths handling rather than anything to fix in this PR — flagging for awareness only.
Verification performed
uv lock --check --project envs/textarena_env→ passes (resolved 126 pkgs). Package set 124 → 124, 0 added/removed, onlymcpchanged.- Security (positive): base
1.27.0carries three advisories — CVE-2026-52870 (GHSA-hvrp-rf83-w775) + CVE-2026-52869 (GHSA-jpw9-pfvf-9f58), bothfixed_in 1.27.2, and CVE-2026-59950 (GHSA-vj7q-gjh5-988w),fixed_in 1.28.1only. Targeting 1.28.1 clears all three (1.28.1 has 0 known vulns); 1.27.2 would have left the third unfixed. - Hashes match live PyPI exactly (sdist
d51e36a5…size 638501; wheel2726bca5…size 222620);yanked: false;requires_python >=3.10(env is>=3.10). - 1.28.0 deprecations (WebSocket transport + experimental tasks) are a non-issue: 0 usages in
src/orenvs/textarena_env, and nofilterwarnings=erroranywhere.
Summary
- 0 mechanical issues to fix
- 0 alignment points for human review (1 non-blocking process note, cc @burtenshaw)
- 0 RFC conflicts
Sent by Cursor Automation: Pre-review
| [[package]] | ||
| name = "mcp" | ||
| version = "1.27.0" | ||
| version = "1.28.1" |
There was a problem hiding this comment.
mcp is a transitive dependency here (via openenv → fastmcp → mcp; textarena_env's pyproject.toml has no mcp pin, and the fastmcp dep-ref at line 760 imposes no version cap), so this lock-only bump with no pyproject change is correct.
Verified: uv lock --check passes (126 pkgs), package set 124 → 124 with only mcp changed, and this env's lock is born clean (0 HF-mirror refs, still revision = 3 → no index-flip, no revision bump).
Security-positive: base 1.27.0 carries 3 advisories — CVE-2026-52870 + CVE-2026-52869 (fixed in 1.27.2) and CVE-2026-59950 (fixed only in 1.28.1). So 1.28.1 (not 1.27.2) is what clears all three; 1.28.1 has 0 known vulns.
| { name = "uvicorn", marker = "sys_platform != 'emscripten'" }, | ||
| ] | ||
| sdist = { url = "https://files.pythonhosted.org/packages/8b/eb/c0cfc62075dc6e1ec1c64d352ae09ac051d9334311ed226f1f425312848a/mcp-1.27.0.tar.gz", hash = "sha256:d3dc35a7eec0d458c1da4976a48f982097ddaab87e278c5511d5a4a56e852b83", size = 607509, upload-time = "2026-04-02T14:48:08.88Z" } | ||
| sdist = { url = "https://files.pythonhosted.org/packages/6e/77/9450b8f251a13affb6281997d0523c4615f8a8b35d0b21ff30db3a5aac9d/mcp-1.28.1.tar.gz", hash = "sha256:d51e36a5f5644faea4f85ea649bfffa6bc6c26770d42798ad6a3de3d2ba69683", size = 638501, upload-time = "2026-06-26T12:57:29.093Z" } |
There was a problem hiding this comment.
sdist/wheel hashes verified against live PyPI: sdist d51e36a5… (size 638501) and wheel 2726bca5… (size 222620) match; yanked: false; requires_python >=3.10 (env requires-python >=3.10).
The 1.28.0 deprecations (WebSocket transport + experimental tasks) don't apply here — 0 usages in src/ or envs/textarena_env, and no filterwarnings=error, so no DeprecationWarning-as-error CI risk.


Bumps mcp from 1.27.0 to 1.28.1.
Release notes
Sourced from mcp's releases.
Commits
777b8d0[v1.x] Support TransportSecuritySettings in the WebSocket server transport (#...4720467[v1.x] Set Development Status classifier to Production/Stable (#2976)6df3d73[v1.x] Buffer per-request StreamableHTTP streams; store priming event before ...32d3290[v1.x] Pass a list to parametrize in test_docs_examples (pytest 9.1.0 compat)...0dca751[v1.x] Deflake the child process cleanup tests (#2839)52258a9[v1.x] Add a v2 status banner to the README (#2835)b8f4917[v1.x] Deprecate the WebSocket transport and the experimental tasks entry poi...2309e5efix: omit null optional fields from task result payloads (#2809)494eb11[v1.x] Support Python 3.14 (#2769)6213787[v1.x] Scope experimental tasks to the session that created them (#2720)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Lockfile-only dependency bump with no repo code changes; minor risk if CI or runtime uses deprecated WebSocket/tasks APIs or strict warning filters.
Overview
Updates the locked
mcp(Model Context Protocol Python SDK) version inenvs/textarena_env/uv.lockfrom 1.27.0 to 1.28.1. No application source changes—only lockfile artifact URLs and hashes.1.28.x adds Python 3.14 support, omits null optional fields from task result payloads, and deprecates (with warnings when used) WebSocket transport helpers and experimental tasks APIs ahead of v2.
fastmcpin this env still depends onmcp; behavior should stay the same unless tests call those deprecated paths or treat newDeprecationWarnings as errors.Reviewed by Cursor Bugbot for commit 0958297. Bugbot is set up for automated code reviews on this repo. Configure here.