Update fastmcp requirement from <2.15,>=2.13 to >=2.13,<3.1

[dependabot]

Updates the requirements on fastmcp to permit the latest version.

Release notes

Sourced from fastmcp's releases.

v3.0.0: Three at Last

FastMCP 3.0 is stable. Two betas, two release candidates, 21 new contributors, and more than 100,000 pre-release installs later — the architecture held up, the upgrade path was smooth, and we're shipping it.

The surface API is largely unchanged — @mcp.tool() still works exactly as before. What changed is everything underneath: a provider/transform architecture that makes FastMCP extensible, observable, and composable in ways v2 couldn't support. If we did our jobs right, you'll barely notice the redesign. You'll just notice that more is possible.

This is also the release where FastMCP moves from jlowin/fastmcp to PrefectHQ/fastmcp. GitHub forwards all links, PyPI is the same, imports are the same. A major version felt like the right moment to make it official.

Build servers from anything

🔌 Components no longer have to live in one file with one server. FileSystemProvider discovers tools from directories with hot-reload. OpenAPIProvider wraps REST APIs. ProxyProvider proxies remote MCP servers. SkillsProvider delivers agent skills as resources. Write your own provider for whatever source makes sense. Compose multiple providers into one server, share one across many, or chain them with transforms that rename, namespace, filter, version, and secure components as they flow to clients. ResourcesAsTools and PromptsAsTools expose non-tool components to tool-only clients.

Ship to production

🔐 Component versioning: serve @tool(version="2.0") alongside older versions from one codebase. Granular authorization on individual components with async auth checks, server-wide policies via AuthMiddleware, and scope-based access control. OAuth gets CIMD, Static Client Registration, Azure OBO via dependency injection, JWT audience validation, and confused-deputy protections. OpenTelemetry tracing with MCP semantic conventions. Response size limiting. Background tasks with distributed Redis notification and ctx.elicit() relay. Security fixes include dropping diskcache (CVE-2025-69872) and upgrading python-multipart and protobuf for additional CVEs.

Adapt per session

💾 Session state persists across requests via ctx.set_state() / ctx.get_state(). ctx.enable_components() and ctx.disable_components() let servers adapt dynamically per client — show admin tools after authentication, progressively reveal capabilities, or scope access by role.

Develop faster

⚡ --reload auto-restarts on file changes. Standalone decorators return the original function, so decorated tools stay callable in tests and non-MCP contexts. Sync functions auto-dispatch to a threadpool. Tool timeouts, MCP-compliant pagination, composable lifespans, PingMiddleware for keepalive, and concurrent tool execution when the LLM returns multiple calls in one response.

Use FastMCP as a CLI

🖥️ fastmcp list and fastmcp call query and invoke tools on any server from a terminal. fastmcp discover scans your editor configs (Claude Desktop, Cursor, Goose, Gemini CLI) and finds configured servers by name. fastmcp generate-cli writes a standalone typed CLI where every tool is a subcommand. fastmcp install registers your server with Claude Desktop, Cursor, or Goose in one command.

Build apps (3.1 preview)

📱 Spec-level support for MCP Apps is in: ui:// resource scheme, typed UI metadata via AppConfig, extension negotiation, and runtime detection. The full Apps experience lands in 3.1.

---

If you hit 3.0 because you didn't pin your dependencies and something breaks — the upgrade guides will get you sorted. We minimized breaking changes, but a major version is a major version.

pip install fastmcp -U

📖 Documentation 🚀 Upgrade from FastMCP v2 🔀 Upgrade from MCP Python SDK 📰 What's New in FastMCP 3.0

What's Changed

New Features 🎉

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.0.0: Three at Last

FastMCP 3.0 is stable. Two betas, two release candidates, 21 new contributors, and more than 100,000 daily pre-release installs later — the architecture held up, the upgrade path was smooth, and we're shipping it.

The surface API is largely unchanged — @mcp.tool() still works exactly as before. What changed is everything underneath: a provider/transform architecture that makes FastMCP extensible, observable, and composable in ways v2 couldn't support. If we did our jobs right, you'll barely notice the redesign. You'll just notice that more is possible.

This is also the release where FastMCP moves from jlowin/fastmcp to PrefectHQ/fastmcp. GitHub forwards all links, PyPI is the same, imports are the same. A major version felt like the right moment to make it official.

Build servers from anything

🔌 Components no longer have to live in one file with one server. FileSystemProvider discovers tools from directories with hot-reload. OpenAPIProvider wraps REST APIs. ProxyProvider proxies remote MCP servers. SkillsProvider delivers agent skills as resources. Write your own provider for whatever source makes sense. Compose multiple providers into one server, share one across many, or chain them with transforms that rename, namespace, filter, version, and secure components as they flow to clients. ResourcesAsTools and PromptsAsTools expose non-tool components to tool-only clients.

Ship to production

🔐 Component versioning: serve @tool(version="2.0") alongside older versions from one codebase. Granular authorization on individual components with async auth checks, server-wide policies via AuthMiddleware, and scope-based access control. OAuth gets CIMD, Static Client Registration, Azure OBO via dependency injection, JWT audience validation, and confused-deputy protections. OpenTelemetry tracing with MCP semantic conventions. Response size limiting. Background tasks with distributed Redis notification and ctx.elicit() relay. Security fixes include dropping diskcache (CVE-2025-69872) and upgrading python-multipart and protobuf for additional CVEs.

Adapt per session

💾 Session state persists across requests via ctx.set_state() / ctx.get_state(). ctx.enable_components() and ctx.disable_components() let servers adapt dynamically per client — show admin tools after authentication, progressively reveal capabilities, or scope access by role.

Develop faster

⚡ --reload auto-restarts on file changes. Standalone decorators return the original function, so decorated tools stay callable in tests and non-MCP contexts. Sync functions auto-dispatch to a threadpool. Tool timeouts, MCP-compliant pagination, composable lifespans, PingMiddleware for keepalive, and concurrent tool execution when the LLM returns multiple calls in one response.

Use FastMCP as a CLI

🖥️ fastmcp list and fastmcp call query and invoke tools on any server from a terminal. fastmcp discover scans your editor configs (Claude Desktop, Cursor, Goose, Gemini CLI) and finds configured servers by name. fastmcp generate-cli writes a standalone typed CLI where every tool is a subcommand. fastmcp install registers your server with Claude Desktop, Cursor, or Goose in one command.

Build apps (3.1 preview)

📱 Spec-level support for MCP Apps is in: ui:// resource scheme, typed UI metadata via AppConfig, extension negotiation, and runtime detection. The full Apps experience lands in 3.1.

---

If you hit 3.0 because you didn't pin your dependencies and something breaks — the upgrade guides will get you sorted. We minimized breaking changes, but a major version is a major version.

pip install fastmcp -U

📖 Documentation

... (truncated)

Commits

• 92f4c50 v3.0.0 release notes, changelog, and README updates (#3222)
• e717e16 Update thumbnail background (#3219)
• 8a13032 Use standard traceparent/tracestate keys per OTel MCP semconv (#3221)
• a2efd68 Normalize repo references to PrefectHQ/fastmcp casing (#3218)
• 78010ef Fix invalid uv add fastmcp@latest command (#3217)
• 1eb57ba Add upgrade guides for users coming from the MCP SDK (#3215)
• 958e657 Update docs for 3.0 GA release (#3216)
• 6572981 Fix MDX parsing error and update card images (#3213)
• 7aba0df Cache OBO credentials on AzureProvider for token reuse (#3212)
• 9b248a1 Update repository references for transfer to prefecthq (#3207)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)