From 96ccd4c8f59d05b275dead65cd0fe5b69ca3b6f5 Mon Sep 17 00:00:00 2001 From: Willie Abrams Date: Wed, 1 Apr 2026 08:12:18 -0500 Subject: [PATCH 1/3] Bump pip dependencies to fix security vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - PyJWT 2.10.1 → 2.12.0 (unknown crit header extensions) - fastmcp 2.14.3 → 3.2.0 (multiple CVEs, critical/high/medium) - Flask 3.1.0 → 3.1.3 (session/cookie handling) - Flask-Cors 5.0.0 → 6.0.0 (CORS matching vulnerabilities) - Pillow 11.3.0 → 12.1.1 (out-of-bounds write on PSD images) Co-Authored-By: Claude Opus 4.6 (1M context) --- requirements.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/requirements.txt b/requirements.txt index 585522c..fbf3ced 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,15 +1,15 @@ elasticsearch==8.19.3 -PyJWT==2.10.1 -fastmcp==2.14.3 -Flask==3.1.0 -Flask-Cors==5.0.0 +PyJWT==2.12.0 +fastmcp==3.2.0 +Flask==3.1.3 +Flask-Cors==6.0.0 opentelemetry-distro==0.57b0 opentelemetry-exporter-otlp==1.36.0 opentelemetry-instrumentation==0.57b0 opentelemetry-instrumentation-elasticsearch==0.57b0 opentelemetry-instrumentation-flask==0.57b0 opentelemetry-instrumentation-wsgi==0.57b0 -pillow==11.3.0 +pillow==12.1.1 pydantic==2.11.7 python-dotenv==1.1.1 requests==2.33.0 \ No newline at end of file From d313b3d1dfbcd8f1e8ae4b059a2f001bba26ef94 Mon Sep 17 00:00:00 2001 From: Willie Abrams Date: Wed, 1 Apr 2026 08:19:31 -0500 Subject: [PATCH 2/3] Fix test that fails when AUTH_ENABLED defaults to true The content API key test was hitting the studio-level auth check before reaching the content-level check. Co-Authored-By: Claude Opus 4.6 (1M context) --- tests/unit/test_client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/unit/test_client.py b/tests/unit/test_client.py index 92336de..06bc297 100644 --- a/tests/unit/test_client.py +++ b/tests/unit/test_client.py @@ -113,6 +113,7 @@ def test_setup_clients_rejects_studio_api_key_with_basic_auth_when_auth_enabled( _setup_clients() def test_setup_clients_rejects_content_api_key_with_basic_auth(self, monkeypatch): + monkeypatch.setattr("server.client.AUTH_ENABLED", False) monkeypatch.setattr("server.client.ELASTIC_CLOUD_ID", "") monkeypatch.setattr("server.client.ELASTICSEARCH_URL", "http://localhost:9200") monkeypatch.setattr("server.client.CONTENT_ELASTIC_CLOUD_ID", "") From 97191380f1abd6023c6232434d611404c7375a6e Mon Sep 17 00:00:00 2001 From: Willie Abrams Date: Wed, 1 Apr 2026 08:40:02 -0500 Subject: [PATCH 3/3] Fix test for fastmcp 3.x: @mcp.tool returns function directly In fastmcp 3.x the .fn attribute was removed since the decorator returns the original function instead of a wrapper object. Co-Authored-By: Claude Opus 4.6 (1M context) --- tests/unit/test_conversations_owner_visibility.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/test_conversations_owner_visibility.py b/tests/unit/test_conversations_owner_visibility.py index 5028e9f..5db1903 100644 --- a/tests/unit/test_conversations_owner_visibility.py +++ b/tests/unit/test_conversations_owner_visibility.py @@ -92,5 +92,5 @@ def mock_search(text, filters, sort, size, page, aggs, user=None, es_client=None monkeypatch.setattr("server.fastmcp.api.conversations.search", mock_search) - fastmcp.conversations_search.fn(ctx=None) + fastmcp.conversations_search(ctx=None) assert captured["user"] == "alice"