Skip to content

chore(deps): bump mcp from 1.27.1 to 1.28.1 in /envs/wildfire_env#984

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/wildfire_env/mcp-1.28.1
Closed

chore(deps): bump mcp from 1.27.1 to 1.28.1 in /envs/wildfire_env#984
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/envs/wildfire_env/mcp-1.28.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps mcp from 1.27.1 to 1.28.1.

Release notes

Sourced from mcp's releases.

v1.28.0

Deprecations

Two API surfaces now emit DeprecationWarning ahead of their removal in v2. Nothing is removed in 1.x, and the warnings fire only when the deprecated API is called - importing the modules stays silent.

  • WebSocket transport - mcp.client.websocket.websocket_client and mcp.server.websocket.websocket_servermodelcontextprotocol/typescript-sdk#1783
  • Experimental tasks API - ClientSession.experimental, Server.experimental, ServerSession.experimental, and the experimental_task_handlers= kwarg on ClientSession. Tasks (SEP-1686) were removed from the MCP specification and are expected to return as a separate MCP extension.

If your test suite runs with filterwarnings = ["error"] and exercises these paths, add a scoped ignore such as ignore:The experimental tasks API is deprecated:DeprecationWarning or ignore:The WebSocket .* transport is deprecated:DeprecationWarning.

See #2828 for full details.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.27.2...v1.28.0

v1.27.2

What's Changed

Full Changelog: modelcontextprotocol/python-sdk@v1.27.1...v1.27.2

Commits
  • 777b8d0 [v1.x] Support TransportSecuritySettings in the WebSocket server transport (#...
  • 4720467 [v1.x] Set Development Status classifier to Production/Stable (#2976)
  • 6df3d73 [v1.x] Buffer per-request StreamableHTTP streams; store priming event before ...
  • 32d3290 [v1.x] Pass a list to parametrize in test_docs_examples (pytest 9.1.0 compat)...
  • 0dca751 [v1.x] Deflake the child process cleanup tests (#2839)
  • 52258a9 [v1.x] Add a v2 status banner to the README (#2835)
  • b8f4917 [v1.x] Deprecate the WebSocket transport and the experimental tasks entry poi...
  • 2309e5e fix: omit null optional fields from task result payloads (#2809)
  • 494eb11 [v1.x] Support Python 3.14 (#2769)
  • 6213787 [v1.x] Scope experimental tasks to the session that created them (#2720)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only transitive dependency bump; wildfire_env does not import mcp directly.

Overview
Updates the resolved mcp (Model Context Protocol Python SDK) version in envs/wildfire_env/uv.lock from 1.27.1 to 1.28.1. Wildfire env does not declare mcp directly; it comes in transitively through openenvfastmcp.

There are no application or test source changes in this repo—only lockfile pins and hashes. Upstream 1.28.x adds deprecation warnings for WebSocket transport and experimental tasks APIs (still present in 1.x), Python 3.14 support, and auth/transport fixes in the 1.27.2 line. Reviewers should only care if CI runs strict DeprecationWarning handling against MCP WebSocket or experimental task code paths (not used in wildfire_env sources).

Reviewed by Cursor Bugbot for commit 9f1797c. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [mcp](https://github.com/modelcontextprotocol/python-sdk) from 1.27.1 to 1.28.1.
- [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md)
- [Commits](modelcontextprotocol/python-sdk@v1.27.1...v1.28.1)

---
updated-dependencies:
- dependency-name: mcp
  dependency-version: 1.28.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies python:uv Pull requests that update python:uv code labels Jul 16, 2026
@burtenshaw burtenshaw added environment size: small Small pull request labels Jul 16, 2026 — with Cursor
@bot-ci-comment

Copy link
Copy Markdown

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alignment Review Report

Dependabot bump of mcp 1.27.1 → 1.28.1 in envs/wildfire_env. mcp is a transitive dep (via openenvfastmcpmcp); wildfire_env/pyproject.toml pins no mcp, so a lock-only change is correct (the diff touches only envs/wildfire_env/uv.lock, no pyproject.toml). Verified against live PyPI and with uv lock --check.

Automated Checks

  • Lint: PASS (N/A to diff) — the only changed file is a uv.lock; lint.sh (ruff/usort) and CI lint .py only, never lockfiles/TOML. uv lock --check --project envs/wildfire_env → resolved cleanly, lock consistent with pyproject.
  • Debug code: CLEANcheck-debug.sh scans only src/; this PR changes no src/ files.

Open RFCs Context

All RFCs are Draft/In Review. RFC 003 "MCP Support" (In Review) is topically adjacent since the mcp package is bumped, but it governs the MCP protocol/interface design, not the SDK's pinned version — no conflict. No RFC covers Python packaging / dependency indexes, so the lock changes below carry no RFC conflict.

Tier 1: Fixes Required

None. The bump is internally consistent and verified:

  • Package set 152 → 152 (0 added / 0 removed); only mcp changed version. Its 14-entry dependency block is byte-identical before/after, so 1.28.1's requirements are met by the existing locked graph.
  • Hashes match PyPI exactly — sdist d51e36a5… (638501 B), wheel 2726bca5… (222620 B); requires-python >=3.10; not yanked.
  • Security-positive: base mcp 1.27.1 is affected by CVE-2026-52870 (GHSA-hvrp-rf83-w775 — experimental-tasks cross-client access) and CVE-2026-52869 (GHSA-jpw9-pfvf-9f58 — SSE/Streamable-HTTP session-id-only auth), both fixed_in 1.27.2. 1.28.1 clears both (0 known vulns).

Tier 2: Alignment Discussion

Principle Conflicts

ALIGNMENT FLAG: Lockfile silently re-sourced from the internal HF mirror to public PyPI

  • Principle at stake: "Container isolation for reproducibility" (PRINCIPLES.md L15)
  • The concern: Beyond the named mcp bump, this re-lock rewrites the source registry of all 171 package entries from https://pypi.registries.huggingface.tech/https://pypi.org/simple and bumps the lockfile revision = 2 → 3. Artifact URLs (files.pythonhosted.org) and hashes are unchanged (2310 = 2310), so it's almost certainly benign, but it (a) silently changes declared provenance under a PR framed as a single dep bump, and (b) widens a cross-env split — ~24 envs still declare the HF mirror while ~13 (incl. the canonical echo_env) are on public PyPI. Registry choice is a team decision, so flagging rather than "fixing" (I did not edit the generated lock).
  • Suggested reviewer: @Darktex (+ @burtenshaw)

RFC Conflicts

None identified.

Process / heads-up (non-blocking)

  • Dependabot scope bypass (cc @burtenshaw): .github/dependabot.yml scopes the uv updater to directory: "/" with exclude-paths: ["envs/**"] (L8–9), yet this native dependabot/uv/envs/wildfire_env/… PR modified envs/. The uv ecosystem doesn't appear to honor exclude-paths (the intended path for env locks is the aggregated codex/dependabot-envs-* roll-ups).
  • revision 3 / base-image uv: PR CI (UV_VERSION 0.9.3) handles rev-3 fine. Heads-up only: openenv-base ships uv 0.5.27, which predates rev-3 support, so a uv sync --frozen during a container rebuild could fail. It won't trigger on this lock-only PR (docker-build keys on Dockerfile/*.py, not uv.lock), and rev-3 envs already ship — verify-not-block.

Summary

  • 0 mechanical issues to fix
  • 1 alignment point for human review (index-source flip / provenance)
  • 0 RFC conflicts

Net: a correct, security-positive transitive bump; the only recurring discussion item is the incidental index-flip + the dependabot scoping bypass.

Open in Web View Automation 

Sent by Cursor Automation: Pre-review

Comment thread envs/wildfire_env/uv.lock
name = "mcp"
version = "1.27.1"
source = { registry = "https://pypi.registries.huggingface.tech/" }
version = "1.28.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mcp 1.27.1 → 1.28.1 (transitive via openenvfastmcpmcp; wildfire_env pins no mcp, so lock-only is correct).

Verified vs live PyPI: wheel 2726bca5… (222620 B), sdist d51e36a5… (638501 B), requires-python >=3.10, not yanked, 0 known vulnerabilities. uv lock --check passes and the 14-entry mcp dependency block is unchanged, so 1.28.1's floors are already satisfied by the locked graph.

Security-positive: base 1.27.1 is affected by CVE-2026-52870 (GHSA-hvrp-rf83-w775) and CVE-2026-52869 (GHSA-jpw9-pfvf-9f58), both fixed_in 1.27.2; 1.28.1 clears both.

Comment thread envs/wildfire_env/uv.lock
name = "aiofile"
version = "3.9.0"
source = { registry = "https://pypi.registries.huggingface.tech/" }
source = { registry = "https://pypi.org/simple" }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incidental to the mcp bump: every package's source registry flips from the internal pypi.registries.huggingface.tech mirror to public pypi.org/simple (171 entries → 0 mirror left). Artifact URLs/hashes are unchanged, so this is benign, but it silently changes declared provenance and widens the cross-env split (~24 envs still on the HF mirror, ~13 incl. echo_env on public PyPI). Not auto-fixing — registry choice is a team call. See the top-level reproducibility flag (@Darktex / @burtenshaw).

Comment thread envs/wildfire_env/uv.lock
@@ -1,5 +1,5 @@
version = 1
revision = 2
revision = 3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile revision 2 → 3 (written by a newer uv). PR CI (uv 0.9.3) handles rev-3 fine. Heads-up only: openenv-base currently ships uv 0.5.27, which predates rev-3 support — worth verifying the container-build uv version before relying on uv sync --frozen for this env in a rebuild. Won't trigger on this lock-only PR.

@burtenshaw

Copy link
Copy Markdown
Collaborator

Aggregated into #921.

@burtenshaw burtenshaw closed this Jul 17, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot
dependabot Bot deleted the dependabot/uv/envs/wildfire_env/mcp-1.28.1 branch July 17, 2026 07:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies environment python:uv Pull requests that update python:uv code size: small Small pull request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant