chore(deps): bump fastmcp from 3.2.0 to 3.2.3

[dependabot]

Bumps fastmcp from 3.2.0 to 3.2.3.

Release notes

Sourced from fastmcp's releases.

v3.2.3: Redis or Not

fakeredis 2.35.0 shipped an undocumented rename (FakeConnection → FakeAsyncRedisConnection) that broke pydocket's memory:// backend, causing fastmcp[tasks] installs to fail at startup with an ImportError. This pins fakeredis<2.35.0 in the tasks extra as a stopgap until a fixed pydocket ships.

What's Changed

Fixes 🐞

• Pin fakeredis<2.35.0 in tasks extra by @​jlowin in PrefectHQ/fastmcp#3804

Docs 📚

• Document session state isolation across mount boundaries by @​jlowin in PrefectHQ/fastmcp#3801

Full Changelog: PrefectHQ/fastmcp@v3.2.2...v3.2.3

v3.2.2: Audience Appreciation

The Azure audience fix in 3.2.1 overcorrected: it switched token validation from client_id to identifier_uri, which fixed custom Application ID URIs but broke the default case where Azure AD v2 tokens set aud to the bare client ID GUID. Both formats are now accepted.

What's Changed

Fixes 🐞

• fix: accept both client_id and identifier_uri as Azure audience by @​jlowin in PrefectHQ/fastmcp#3797

Dependencies 📦

• chore(deps): bump the uv group across 2 directories with 1 update by @​dependabot[bot] in PrefectHQ/fastmcp#3795

Full Changelog: PrefectHQ/fastmcp@v3.2.1...v3.2.2

v3.2.1: Audience Participation

Most of the fixes in this patch are about auth providers getting audience validation wrong. Cognito token verification was checking the aud JWT claim, but Cognito access tokens don't include one; they use client_id instead. Azure was hardcoding the raw client ID as the expected audience, ignoring the identifier_uri parameter even though Entra v2.0 tokens use the Application ID URI as aud. Both now validate correctly without changing the provider API. Consent cookies also had an unbounded growth problem in high-DCR-client environments, eventually blowing past reverse proxy header limits; they're now capped as an LRU.

On the OpenAPI side, nullable: true fields from 3.0 specs were leaking into tool input schemas as-is instead of being converted to JSON Schema's type: ["string", "null"]. Server variable templates in base URLs (like https://{region}.api.example.com) were also being passed through raw instead of substituted with their defaults.

Smaller fixes: form submissions from Prefab UI now correctly handle unchecked boolean checkboxes, the client no longer crashes on error responses with empty or non-text content from third-party servers, and asyncio.iscoroutinefunction no longer emits deprecation warnings on Python 3.14.

What's Changed

Breaking Changes ⚠️

• fix(google): use sub (user ID) for client_id instead of aud (app ID) by @​shigechika in PrefectHQ/fastmcp#3722
• fix: remove CSP from tool metadata, keep on resource only by @​jlowin in PrefectHQ/fastmcp#3754

Enhancements ✨

• [codex] Add FastMCP docs telemetry by @​aaazzam in PrefectHQ/fastmcp#3727
• chore: split SDK navigation into standalone $ref file by @​jlowin in PrefectHQ/fastmcp#3773
• fix: bump ty to >=0.0.29 and suppress new false positives by @​jlowin in PrefectHQ/fastmcp#3790

Fixes 🐞

• fix: use explicit None checks for JWT exp validation by @​jlowin in PrefectHQ/fastmcp#3724

... (truncated)

Commits

• d1adb04 Pin fakeredis<2.35.0 in tasks extra (#3804)
• 0194c6e Document session state isolation across mount boundaries (#3801)
• 6592aaa fix: accept both client_id and identifier_uri as Azure audience (#3797)
• 9f0d8d3 chore(deps): bump the uv group across 2 directories with 1 update (#3795)
• 556fd8f Harden client tool result error handling (#3778)
• e064ba6 chore: Update SDK documentation (#3791)
• a3c5cc1 chore: Update SDK documentation (#3757)
• f5be772 fix: bump ty to >=0.0.29 and suppress new false positives (#3790)
• f14456d docs: document forward_resource parameter on OAuthProxy (#3788)
• 2b9d3ee fix: use identifier_uri as audience for Azure token validation (#3787)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[overcut-ai]

Completed Working on "Code Review"

✅ Code review complete. No issues found - all changes look good! ✅

✅ Workflow completed successfully.

---

👉 View complete log

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3dfcc3c.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

uv.lock

Package	Version	License	Issue Type
fastmcp	3.2.4	Null	Unknown License
griffelib	2.0.2	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/fastmcp	3.2.4	Unknown	Unknown
pip/griffelib	2.0.2	Unknown	Unknown

Scanned Files

• uv.lock