Bump fastmcp from 2.13.3 to 2.14.0 in the pip group across 1 directory

[dependabot]

Bumps the pip group with 1 update in the / directory: fastmcp.

Updates fastmcp from 2.13.3 to 2.14.0

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress
mcp = FastMCP("MyServer")
@​mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
await progress.set_total(100)
for epoch in range(100):
# ... training work ...
await progress.increment()
return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

• SEP-1686: Background tasks with progress tracking
• SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
• SEP-1330: Multi-select enum elicitation schemas
• SEP-1034: Default values for elicitation schemas
• SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true

v3.0.0b1: This Beta Work

FastMCP 3.0 rebuilds the framework around three primitives: components, providers, and transforms. Providers source components dynamically—from decorators, filesystems, OpenAPI specs, remote servers, or anywhere else. Transforms modify components as they flow to clients—renaming, namespacing, filtering, securing. The features that required specialized subsystems in v2 now compose naturally from these building blocks.

🔌 Provider Architecture unifies how components are sourced. FileSystemProvider discovers decorated functions from directories with optional hot-reload. SkillsProvider exposes agent skill files as MCP resources. OpenAPIProvider and ProxyProvider get cleaner integrations. Providers are composable—share one across servers, or attach many to one server.

🔄 Transforms add middleware for components. Namespace mounted servers, rename verbose tools, filter by version, control visibility—all without touching source code. ResourcesAsTools and PromptsAsTools expose non-tool components to tool-only clients.

📋 Component Versioning lets you register @tool(version="2.0") alongside older versions. Clients see the highest version by default but can request specific versions. VersionFilter serves different API versions from one codebase.

💾 Session-Scoped State persists across requests. await ctx.set_state() and await ctx.get_state() now survive the full session. Per-session visibility via ctx.enable_components() lets servers adapt dynamically to each client.

⚡ DX Improvements include --reload for auto-restart during development, automatic threadpool dispatch for sync functions, tool timeouts, pagination for large component lists, and OpenTelemetry tracing.

🔐 Component Authorization via @tool(auth=require_scopes("admin")) and AuthMiddleware for server-wide policies.

Breaking changes are minimal: for most servers, updating the import statement is all you need. See the migration guide for details.

What's Changed

New Features 🎉

• Refactor resource behavior and add meta support by @​jlowin in #2611
• Refactor prompt behavior and add meta support by @​jlowin in #2610
• feat: Provider abstraction for dynamic MCP components by @​jlowin in #2622
• Unify component storage in LocalProvider by @​jlowin in #2680
• Introduce ResourceResult as canonical resource return type by @​jlowin in #2734
• Introduce Message and PromptResult as canonical prompt types by @​jlowin in #2738
• Add --reload flag for auto-restart on file changes by @​jlowin in #2816
• Add FileSystemProvider for filesystem-based component discovery by @​jlowin in #2823
• Add standalone decorators and eliminate fastmcp.fs module by @​jlowin in #2832
• Add authorization checks to components and servers by @​jlowin in #2855
• Decorators return functions instead of component objects by @​jlowin in #2856
• Add transform system for modifying components in provider chains by @​jlowin in #2836
• Add OpenTelemetry tracing support by @​chrisguidry in #2869
• Add component versioning and VersionFilter transform by @​jlowin in #2894
• Add version discovery and calling a certain version for components by @​jlowin in #2897
• Refactor visibility to mark-based enabled system by @​jlowin in #2912
• Add session-specific visibility control via Context by @​jlowin in #2917
• Add Skills Provider for exposing agent skills as MCP resources by @​jlowin in #2944

Enhancements 🔧

• Convert mounted servers to MountedProvider by @​jlowin in #2635
• Simplify .key as computed property by @​jlowin in #2648
• Refactor MountedProvider into FastMCPProvider + TransformingProvider by @​jlowin in #2653

... (truncated)

Commits

• 3d6fd46 chore: remove tests/test_examples.py (#2593)
• 03b62d2 feat: handle error from the initialize middleware (#2531)
• 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
• 855e01e chore: Update SDK documentation (#2588)
• d56f55a Add smart fallback for missing access token expiry (#2587)
• d35b867 chore: Update SDK documentation (#2517)
• 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
• 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
• 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
• 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Dependency-only change, but it upgrades MCP protocol tooling and widens the mcp version range, which could introduce runtime or API incompatibilities.

Overview
Updates MCP-related dependencies in pyproject.toml: bumps fastmcp from 2.13.3 to 2.14.0 and widens the allowed mcp range from <1.23 to <1.27.

^{Written by Cursor Bugbot for commit 8242ff0. This will update automatically on new commits. Configure here.}