chore(deps): bump mcp from 1.27.1 to 1.28.1 in /envs/wildfire_env#984
chore(deps): bump mcp from 1.27.1 to 1.28.1 in /envs/wildfire_env#984dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [mcp](https://github.com/modelcontextprotocol/python-sdk) from 1.27.1 to 1.28.1. - [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md) - [Commits](modelcontextprotocol/python-sdk@v1.27.1...v1.28.1) --- updated-dependencies: - dependency-name: mcp dependency-version: 1.28.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
|
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update. |
There was a problem hiding this comment.
Alignment Review Report
Dependabot bump of mcp 1.27.1 → 1.28.1 in envs/wildfire_env. mcp is a transitive dep (via openenv → fastmcp → mcp); wildfire_env/pyproject.toml pins no mcp, so a lock-only change is correct (the diff touches only envs/wildfire_env/uv.lock, no pyproject.toml). Verified against live PyPI and with uv lock --check.
Automated Checks
- Lint: PASS (N/A to diff) — the only changed file is a
uv.lock;lint.sh(ruff/usort) and CI lint.pyonly, never lockfiles/TOML.uv lock --check --project envs/wildfire_env→ resolved cleanly, lock consistent with pyproject. - Debug code: CLEAN —
check-debug.shscans onlysrc/; this PR changes nosrc/files.
Open RFCs Context
All RFCs are Draft/In Review. RFC 003 "MCP Support" (In Review) is topically adjacent since the mcp package is bumped, but it governs the MCP protocol/interface design, not the SDK's pinned version — no conflict. No RFC covers Python packaging / dependency indexes, so the lock changes below carry no RFC conflict.
Tier 1: Fixes Required
None. The bump is internally consistent and verified:
- Package set 152 → 152 (0 added / 0 removed); only
mcpchanged version. Its 14-entry dependency block is byte-identical before/after, so 1.28.1's requirements are met by the existing locked graph. - Hashes match PyPI exactly — sdist
d51e36a5…(638501 B), wheel2726bca5…(222620 B);requires-python >=3.10; not yanked. - Security-positive: base
mcp 1.27.1is affected by CVE-2026-52870 (GHSA-hvrp-rf83-w775 — experimental-tasks cross-client access) and CVE-2026-52869 (GHSA-jpw9-pfvf-9f58 — SSE/Streamable-HTTP session-id-only auth), bothfixed_in 1.27.2. 1.28.1 clears both (0 known vulns).
Tier 2: Alignment Discussion
Principle Conflicts
ALIGNMENT FLAG: Lockfile silently re-sourced from the internal HF mirror to public PyPI
- Principle at stake: "Container isolation for reproducibility" (PRINCIPLES.md L15)
- The concern: Beyond the named
mcpbump, this re-lock rewrites thesourceregistry of all 171 package entries fromhttps://pypi.registries.huggingface.tech/→https://pypi.org/simpleand bumps the lockfilerevision = 2 → 3. Artifact URLs (files.pythonhosted.org) and hashes are unchanged (2310 = 2310), so it's almost certainly benign, but it (a) silently changes declared provenance under a PR framed as a single dep bump, and (b) widens a cross-env split — ~24 envs still declare the HF mirror while ~13 (incl. the canonicalecho_env) are on public PyPI. Registry choice is a team decision, so flagging rather than "fixing" (I did not edit the generated lock). - Suggested reviewer: @Darktex (+ @burtenshaw)
RFC Conflicts
None identified.
Process / heads-up (non-blocking)
- Dependabot scope bypass (cc @burtenshaw):
.github/dependabot.ymlscopes theuvupdater todirectory: "/"withexclude-paths: ["envs/**"](L8–9), yet this nativedependabot/uv/envs/wildfire_env/…PR modifiedenvs/. Theuvecosystem doesn't appear to honorexclude-paths(the intended path for env locks is the aggregatedcodex/dependabot-envs-*roll-ups). - revision 3 / base-image
uv: PR CI (UV_VERSION 0.9.3) handles rev-3 fine. Heads-up only:openenv-baseshipsuv 0.5.27, which predates rev-3 support, so auv sync --frozenduring a container rebuild could fail. It won't trigger on this lock-only PR (docker-build keys on Dockerfile/*.py, notuv.lock), and rev-3 envs already ship — verify-not-block.
Summary
- 0 mechanical issues to fix
- 1 alignment point for human review (index-source flip / provenance)
- 0 RFC conflicts
Net: a correct, security-positive transitive bump; the only recurring discussion item is the incidental index-flip + the dependabot scoping bypass.
Sent by Cursor Automation: Pre-review
| name = "mcp" | ||
| version = "1.27.1" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| version = "1.28.1" |
There was a problem hiding this comment.
mcp 1.27.1 → 1.28.1 (transitive via openenv → fastmcp → mcp; wildfire_env pins no mcp, so lock-only is correct).
Verified vs live PyPI: wheel 2726bca5… (222620 B), sdist d51e36a5… (638501 B), requires-python >=3.10, not yanked, 0 known vulnerabilities. uv lock --check passes and the 14-entry mcp dependency block is unchanged, so 1.28.1's floors are already satisfied by the locked graph.
Security-positive: base 1.27.1 is affected by CVE-2026-52870 (GHSA-hvrp-rf83-w775) and CVE-2026-52869 (GHSA-jpw9-pfvf-9f58), both fixed_in 1.27.2; 1.28.1 clears both.
| name = "aiofile" | ||
| version = "3.9.0" | ||
| source = { registry = "https://pypi.registries.huggingface.tech/" } | ||
| source = { registry = "https://pypi.org/simple" } |
There was a problem hiding this comment.
Incidental to the mcp bump: every package's source registry flips from the internal pypi.registries.huggingface.tech mirror to public pypi.org/simple (171 entries → 0 mirror left). Artifact URLs/hashes are unchanged, so this is benign, but it silently changes declared provenance and widens the cross-env split (~24 envs still on the HF mirror, ~13 incl. echo_env on public PyPI). Not auto-fixing — registry choice is a team call. See the top-level reproducibility flag (@Darktex / @burtenshaw).
| @@ -1,5 +1,5 @@ | |||
| version = 1 | |||
| revision = 2 | |||
| revision = 3 | |||
There was a problem hiding this comment.
Lockfile revision 2 → 3 (written by a newer uv). PR CI (uv 0.9.3) handles rev-3 fine. Heads-up only: openenv-base currently ships uv 0.5.27, which predates rev-3 support — worth verifying the container-build uv version before relying on uv sync --frozen for this env in a rebuild. Won't trigger on this lock-only PR.
|
Aggregated into #921. |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |


Bumps mcp from 1.27.1 to 1.28.1.
Release notes
Sourced from mcp's releases.
Commits
777b8d0[v1.x] Support TransportSecuritySettings in the WebSocket server transport (#...4720467[v1.x] Set Development Status classifier to Production/Stable (#2976)6df3d73[v1.x] Buffer per-request StreamableHTTP streams; store priming event before ...32d3290[v1.x] Pass a list to parametrize in test_docs_examples (pytest 9.1.0 compat)...0dca751[v1.x] Deflake the child process cleanup tests (#2839)52258a9[v1.x] Add a v2 status banner to the README (#2835)b8f4917[v1.x] Deprecate the WebSocket transport and the experimental tasks entry poi...2309e5efix: omit null optional fields from task result payloads (#2809)494eb11[v1.x] Support Python 3.14 (#2769)6213787[v1.x] Scope experimental tasks to the session that created them (#2720)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Low Risk
Lockfile-only transitive dependency bump; wildfire_env does not import
mcpdirectly.Overview
Updates the resolved
mcp(Model Context Protocol Python SDK) version inenvs/wildfire_env/uv.lockfrom 1.27.1 to 1.28.1. Wildfire env does not declaremcpdirectly; it comes in transitively throughopenenv→fastmcp.There are no application or test source changes in this repo—only lockfile pins and hashes. Upstream 1.28.x adds deprecation warnings for WebSocket transport and experimental tasks APIs (still present in 1.x), Python 3.14 support, and auth/transport fixes in the 1.27.2 line. Reviewers should only care if CI runs strict
DeprecationWarninghandling against MCP WebSocket or experimental task code paths (not used in wildfire_env sources).Reviewed by Cursor Bugbot for commit 9f1797c. Bugbot is set up for automated code reviews on this repo. Configure here.