Bump fastmcp from 2.12.2 to 2.14.0 #154

Merged
kevinbackhouse merged 1 commit into main from dependabot/pip/fastmcp-2.14.0
Feb 19, 2026

@dependabot dependabot bot commented on behalf of github Feb 18, 2026

Bumps fastmcp from 2.12.2 to 2.14.0.

Release notes

Sourced from fastmcp's releases.

v2.14.0: Task and You Shall Receive

FastMCP 2.14 begins adopting the MCP 2025-11-25 specification, headlined by protocol-native background tasks that let long-running operations report progress without blocking clients. This release also graduates the OpenAPI parser to standard, adds first-class support for several new spec features, and removes deprecated APIs accumulated across the 2.x series.

Background Tasks (SEP-1686)

Long-running operations (like tool calls) normally block MCP clients until they complete. The new MCP background task protocol (SEP-1686) lets clients start operations, track progress, and retrieve results without blocking. For FastMCP users, taking advantage of this new functionality is as easy as adding task=True to any async decorator. Under the hood, it's powered by Docket, the enterprise task scheduler at the heart of Prefect Cloud that handles millions of concurrent tasks every day.

from fastmcp import FastMCP
from fastmcp.dependencies import Progress

mcp = FastMCP("MyServer")

@mcp.tool(task=True)
async def train_model(dataset: str, progress: Progress = Progress()) -> str:
    await progress.set_total(100)
    for epoch in range(100):
        # ... training work ...
        await progress.increment()
    return "Model trained successfully"

Clients that call this tool in task-augmented mode (for FastMCP clients, that merely means another task=True!) receive a task ID immediately, poll for progress updates, and fetch results when ready. Background tasks work out-of-the-box with an in-memory backend, and users can optionally provide a Redis URL for persistence, horizontal scaling, and single-digit millisecond task pickup latency. When using Redis, users can also add additional Docket workers to scale out their task processing.

Read the docs here!

OpenAPI Parser Promotion

The experimental OpenAPI parser graduates to standard. The new architecture delivers improved performance through single-pass schema processing and cleaner internal abstractions. Existing code works unchanged; users of the experimental module should update their imports.

MCP 2025-11-25 Spec Support

This release begins adopting the MCP 2025-11-25 specification. Beyond the core SDK updates, FastMCP adds first-class developer experiences for:

  • SEP-1686: Background tasks with progress tracking
  • SEP-1699: SSE polling and event resumability, with full AsyncKeyValue support
  • SEP-1330: Multi-select enum elicitation schemas
  • SEP-1034: Default values for elicitation schemas
  • SEP-986: Tool name validation at registration time

As the MCP SDK continues to adopt more of the specification, FastMCP will add corresponding high-level APIs.

Breaking Changes & Cleanup

This release removes deprecated APIs accumulated across the 2.x series: BearerAuthProvider, Context.get_http_request(), the dependencies parameter, legacy resource prefix formats, and several deprecated methods. The upgrade guide provides migration paths for each.

What's Changed

... (truncated)

Changelog

Sourced from fastmcp's changelog.



v3.0.0: Three at Last

FastMCP 3.0 is stable. Two betas, two release candidates, 21 new contributors, and more than 100,000 daily pre-release installs later — the architecture held up, the upgrade path was smooth, and we're shipping it.

The surface API is largely unchanged — @mcp.tool() still works exactly as before. What changed is everything underneath: a provider/transform architecture that makes FastMCP extensible, observable, and composable in ways v2 couldn't support. If we did our jobs right, you'll barely notice the redesign. You'll just notice that more is possible.

This is also the release where FastMCP moves from jlowin/fastmcp to PrefectHQ/fastmcp. GitHub forwards all links, PyPI is the same, imports are the same. A major version felt like the right moment to make it official.

Build servers from anything

🔌 Components no longer have to live in one file with one server. FileSystemProvider discovers tools from directories with hot-reload. OpenAPIProvider wraps REST APIs. ProxyProvider proxies remote MCP servers. SkillsProvider delivers agent skills as resources. Write your own provider for whatever source makes sense. Compose multiple providers into one server, share one across many, or chain them with transforms that rename, namespace, filter, version, and secure components as they flow to clients. ResourcesAsTools and PromptsAsTools expose non-tool components to tool-only clients.

Ship to production

🔐 Component versioning: serve @tool(version="2.0") alongside older versions from one codebase. Granular authorization on individual components with async auth checks, server-wide policies via AuthMiddleware, and scope-based access control. OAuth gets CIMD, Static Client Registration, Azure OBO via dependency injection, JWT audience validation, and confused-deputy protections. OpenTelemetry tracing with MCP semantic conventions. Response size limiting. Background tasks with distributed Redis notification and ctx.elicit() relay. Security fixes include dropping diskcache (CVE-2025-69872) and upgrading python-multipart and protobuf for additional CVEs.

Adapt per session

💾 Session state persists across requests via ctx.set_state() / ctx.get_state(). ctx.enable_components() and ctx.disable_components() let servers adapt dynamically per client — show admin tools after authentication, progressively reveal capabilities, or scope access by role.

Develop faster

--reload auto-restarts on file changes. Standalone decorators return the original function, so decorated tools stay callable in tests and non-MCP contexts. Sync functions auto-dispatch to a threadpool. Tool timeouts, MCP-compliant pagination, composable lifespans, PingMiddleware for keepalive, and concurrent tool execution when the LLM returns multiple calls in one response.

Use FastMCP as a CLI

🖥️ fastmcp list and fastmcp call query and invoke tools on any server from a terminal. fastmcp discover scans your editor configs (Claude Desktop, Cursor, Goose, Gemini CLI) and finds configured servers by name. fastmcp generate-cli writes a standalone typed CLI where every tool is a subcommand. fastmcp install registers your server with Claude Desktop, Cursor, or Goose in one command.

Build apps (3.1 preview)

📱 Spec-level support for MCP Apps is in: ui:// resource scheme, typed UI metadata via AppConfig, extension negotiation, and runtime detection. The full Apps experience lands in 3.1.


If you hit 3.0 because you didn't pin your dependencies and something breaks — the upgrade guides will get you sorted. We minimized breaking changes, but a major version is a major version.

pip install fastmcp -U

📖 Documentation

... (truncated)

Commits
  • 3d6fd46 chore: remove tests/test_examples.py (#2593)
  • 03b62d2 feat: handle error from the initialize middleware (#2531)
  • 95e58e8 fix: preserve exception propagation through transport cleanup (#2591)
  • 855e01e chore: Update SDK documentation (#2588)
  • d56f55a Add smart fallback for missing access token expiry (#2587)
  • d35b867 chore: Update SDK documentation (#2517)
  • 080ffa5 Fix nested server mount routing for 3+ levels deep (#2586)
  • 0bcd69c Remove overly restrictive MIME type validation from Resource (#2585)
  • 9b41d16 Remove deprecated mount/import argument order and separator params (#2582)
  • 95fb8b4 Fix proxy tool result meta attribute forwarding (#2526)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
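
A pre-merge check for the removals listed under "Breaking Changes & Cleanup" in the release notes quoted above, added here as an example; it is not part of this pull request, of Dependabot's output or of fastmcp. It assumes the removed dependencies parameter is the keyword passed to FastMCP(...), and the module it scans is a constructed sample.

```python
import ast

# Removed names come from the "Breaking Changes & Cleanup" paragraph above.
REMOVED_CLASS = "BearerAuthProvider"
REMOVED_METHOD = "get_http_request"
REMOVED_KWARG = "dependencies"  # assumption: passed as FastMCP(dependencies=...)

# Constructed sample module; it is only parsed, never imported or executed.
# The import path and call arguments are illustrative.
SAMPLE = '''\
from fastmcp import FastMCP, Context
from fastmcp.server.auth import BearerAuthProvider

auth = BearerAuthProvider()
mcp = FastMCP("demo", auth=auth, dependencies=["httpx"])

@mcp.tool()
async def whoami(ctx: Context) -> str:
    request = ctx.get_http_request()
    return request.headers.get("user-agent", "")
'''


def find_removed_api_uses(source, filename="<source>"):
    """Return sorted (line, message) pairs for uses of the removed APIs."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.ImportFrom):
            if any(alias.name == REMOVED_CLASS for alias in node.names):
                findings.add((node.lineno, f"imports {REMOVED_CLASS}"))
        elif isinstance(node, ast.Name) and node.id == REMOVED_CLASS:
            findings.add((node.lineno, f"references {REMOVED_CLASS}"))
        elif isinstance(node, ast.Attribute) and node.attr == REMOVED_CLASS:
            findings.add((node.lineno, f"references {REMOVED_CLASS}"))
        elif isinstance(node, ast.Call):
            func = node.func
            # Works for both FastMCP(...) and fastmcp.FastMCP(...).
            callee = getattr(func, "id", None) or getattr(func, "attr", None)
            if callee == REMOVED_METHOD and isinstance(func, ast.Attribute):
                findings.add((node.lineno, f"calls .{REMOVED_METHOD}()"))
            if callee == "FastMCP" and any(k.arg == REMOVED_KWARG for k in node.keywords):
                findings.add((node.lineno, f"passes {REMOVED_KWARG}= to FastMCP()"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_removed_api_uses(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {message}")
```

Names imported under an alias are reported at the import line only, so a hit there still needs a manual look at the rest of the file.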

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels Feb 18, 2026
@kevinbackhouse kevinbackhouse force-pushed the dependabot/pip/fastmcp-2.14.0 branch from 3272baf to dcf79ca February 18, 2026 22:09
@kevinbackhouse kevinbackhouse force-pushed the dependabot/pip/fastmcp-2.14.0 branch from dcf79ca to c558790 February 18, 2026 22:11
@kevinbackhouse kevinbackhouse merged commit 0c1abf5 into main Feb 19, 2026
9 checks passed
@dependabot dependabot bot deleted the dependabot/pip/fastmcp-2.14.0 branch February 19, 2026 10:52
@kevinbackhouse
Collaborator

smoke test

@github-actions

Deployment Triggered 🚀

kevinbackhouse, started a branch deployment to smoketest (branch: dependabot/pip/fastmcp-2.14.0)

You can watch the progress here 🔗

Details
{
  "type": "branch",
  "environment": {
    "name": "smoketest",
    "url": null
  },
  "deployment": {
    "timestamp": "2026-02-19T10:53:38.467Z",
    "logs": "https://github.com/GitHubSecurityLab/seclab-taskflow-agent/actions/runs/22178824282"
  },
  "git": {
    "branch": "dependabot/pip/fastmcp-2.14.0",
    "commit": "c558790176e90c8b09f50f3756ca4a305ff0d50b",
    "verified": false,
    "committer": "kevinbackhouse",
    "html_url": "https://github.com/GitHubSecurityLab/seclab-taskflow-agent/commit/c558790176e90c8b09f50f3756ca4a305ff0d50b"
  },
  "context": {
    "actor": "kevinbackhouse",
    "noop": false,
    "fork": false,
    "comment": {
      "created_at": "2026-02-19T10:53:24Z",
      "updated_at": "2026-02-19T10:53:24Z",
      "body": "smoke test",
      "html_url": "https://github.com/GitHubSecurityLab/seclab-taskflow-agent/pull/154#issuecomment-3926450156"
    }
  },
  "parameters": {
    "raw": null,
    "parsed": null
  }
}

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

2 participants