chore(deps): bump fastmcp from 2.12.3 to 3.2.0 in /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb

[dependabot]

Bumps fastmcp from 2.12.3 to 3.2.0.

Release notes

Sourced from fastmcp's releases.

v3.2.0: Show Don't Tool

FastMCP 3.2 is the Apps release. The 3.0 architecture gave you providers and transforms; 3.1 shipped Code Mode for tool discovery. 3.2 puts a face on it: your tools can now return interactive UIs — charts, dashboards, forms, maps — rendered right inside the conversation.

FastMCPApp

FastMCPApp is a new provider class for building interactive applications inside MCP. It separates the tools the LLM sees (@app.ui()) from the backend tools the UI calls (@app.tool()), manages visibility automatically, and gives tool references stable identifiers that survive namespace transforms and server composition — without requiring host cooperation.

from fastmcp import FastMCP, FastMCPApp
from prefab_ui.actions.mcp import CallTool
from prefab_ui.components import Column, Form, Input, Button, ForEach, Text
app = FastMCPApp("Contacts")
@​app.tool()
def save_contact(name: str, email: str) -> list[dict]:
db.append({"name": name, "email": email})
return list(db)
@​app.ui()
def contact_manager() -> PrefabApp:
with PrefabApp(state={"contacts": list(db)}) as view:
with Column(gap=4):
ForEach("contacts", lambda c: Text(c.name))
with Form(on_submit=CallTool("save_contact")):
Input(name="name", required=True)
Input(name="email", required=True)
Button("Save")
return view
mcp = FastMCP("Server", providers=[app])

The UI is built with Prefab, a Python component library that compiles to interactive UIs. You write Python; the user sees charts, tables, forms, and dashboards. FastMCP handles the MCP Apps protocol machinery — renderer resources, CSP configuration, structured content serialization — so you don't have to.

For simpler cases where you just want to visualize data without server interaction, set app=True on any tool and return Prefab components directly:

@mcp.tool(app=True)
def revenue_chart(year: int) -> PrefabApp:
    with PrefabApp() as app:
        BarChart(data=revenue_data, series=[ChartSeries(data_key="revenue")])
    return app

Built-in Providers

Five ready-made providers you add with a single add_provider() call:

• FileUpload — drag-and-drop file upload with session-scoped storage

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.1.1: 'Tis But a Patch

Pins pydantic-monty below 0.0.8 to fix a breaking change in Monty that affects code mode. Monty 0.0.8 removed the external_functions constructor parameter, causing MontySandboxProvider to fail. This patch caps the version so existing installs work correctly.

Fixes 🐞

• Pin pydantic-monty below 0.0.8 to fix code mode by @​jlowin in #3497

Full Changelog: v3.1.0...v3.1.1

v3.1.0: Code to Joy

FastMCP 3.1 is the Code Mode release. The 3.0 architecture introduced providers and transforms as the extensibility layer — 3.1 puts that architecture to work, shipping the most requested capability since launch: servers that can find and execute code on behalf of agents, without requiring clients to know what tools exist.

New Features 🎉

• feat: Search transforms for tool discovery by @​jlowin in #3154
• Add experimental CodeMode transform by @​aaazzam in #3297
• Add Prefab Apps integration for MCP tool UIs by @​jlowin in #3316

Enhancements 🔧

• Lazy-load heavy imports to reduce import time by @​jlowin in #3295
• Add http_client parameter to all token verifiers for connection pooling by @​jlowin in #3300
• Add in-memory caching for token introspection results by @​jlowin in #3298
• Add SessionStart hook to install gh CLI in cloud sessions by @​jlowin in #3308
• Fix ty 0.0.19 type errors by @​jlowin in #3310
• Code Mode: Add resource limits to MontySandboxProvider by @​jlowin in #3326
• Accept transforms as FastMCP init kwarg by @​jlowin in #3324
• Split large test files to comply with loq line limit by @​jlowin in #3328
• Add -m/--module flag to fastmcp run and dev inspector by @​dgenio in #3331
• Add search_result_serializer hook and serialize_tools_for_output_markdown by @​MagnusS0 in #3337
• Add MultiAuth for composing multiple token verification sources by @​jlowin in #3335
• Adds PropelAuth as an AuthProvider by @​andrew-propelauth in #3358
• Replace vendored DI with uncalled-for by @​chrisguidry in #3301
• Decompose CodeMode into composable discovery tools by @​jlowin in #3354
• feat(contrib): auto-sync MCPMixin decorators with from_function signatures by @​AnkeshThakur in #3323
• Add Google GenAI Sampling Handler by @​strawgate in #2977
• Add ListTools, search limit, and catalog size annotation to CodeMode by @​jlowin in #3359
• Allow configuring FastMCP transport setting in the same way as other configuration by @​jvdmr in #1796
• Add include_unversioned option to VersionFilter by @​yangbaechu in #3349

... (truncated)

Commits

• 665514e Add forward_resource flag to OAuthProxy (#3711)
• f189d1f Bump pydantic-monty to 0.0.9 (#3707)
• 6faa2d6 Remove hardcoded prefab-ui version from pinning warnings (#3708)
• dd8816c chore: Update SDK documentation (#3701)
• d274959 docs: note that custom routes are unauthenticated (#3706)
• 4a54be2 Add examples gallery page (#3705)
• 961dd50 Add interactive map example with geocoding (#3702)
• f01d0c5 Add quiz example app, fix dev server empty string args (#3700)
• 85b7efd chore: Update SDK documentation (#3694)
• 27abe3c Add sales dashboard and live system monitor examples, bump prefab-ui to 0.17 ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Latest scan for commit: 3bb7736 | Updated: 2026-03-31 22:31:33 UTC

Security Scan Results

Scan Metadata

• Project: ASH
• Scan executed: 2026-03-31T22:31:19+00:00
• ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

• Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
• Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
• High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
• Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
• Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
• Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

• Time: Duration taken by each scanner to complete its analysis
• Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

• PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
• FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
• MISSING: Scanner could not run because required dependencies/tools are not installed or available
• SKIPPED: Scanner was intentionally disabled or excluded from this scan
• ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

• CRITICAL: Only Critical severity findings cause scanner to fail
• HIGH: High and Critical severity findings cause scanner to fail
• MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
• LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
• ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

• (g) = global: Set in the global_settings section of ASH configuration
• (c) = config: Set in the individual scanner configuration section
• (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

• All statistics are calculated from the final aggregated SARIF report
• Suppressed findings are counted separately and do not contribute to actionable findings
• Scanner status is determined by comparing actionable findings to the threshold

Scanner	S	C	H	M	L	I	Time	Action	Result	Thresh
bandit	0	0	0	0	0	0	705ms	0	PASSED	MED (g)
cdk-nag	0	0	0	0	0	0	30.9s	0	PASSED	MED (g)
cfn-nag	0	0	0	0	0	0	8ms	0	PASSED	MED (g)
checkov	0	0	0	0	0	0	5.7s	0	PASSED	MED (g)
detect-secrets	0	0	0	0	0	0	692ms	0	PASSED	MED (g)
grype	0	7	0	2	2	0	33.8s	9	FAILED	MED (g)
npm-audit	0	0	0	0	0	0	188ms	0	PASSED	MED (g)
opengrep	0	0	0	0	0	0	<1ms	0	SKIPPED	MED (g)
semgrep	0	0	0	0	0	0	14.8s	0	PASSED	MED (g)
syft	0	0	0	0	0	0	2.4s	0	PASSED	MED (g)

Detailed Findings

Show 9 actionable findings

Finding 1: GHSA-wvwj-cvrp-7pv5-authlib

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-wvwj-cvrp-7pv5-authlib
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A critical vulnerability in python package: authlib, version 1.6.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 2: GHSA-wp53-j4wj-2cfg-python-multipart

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-wp53-j4wj-2cfg-python-multipart
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: python-multipart, version 0.0.20 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 3: GHSA-38jv-5279-wg99-urllib3

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-38jv-5279-wg99-urllib3
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: urllib3, version 2.6.0 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 4: GHSA-7wc2-qxgw-g8gg-authlib

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-7wc2-qxgw-g8gg-authlib
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: authlib, version 1.6.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 5: GHSA-fg6f-75jq-6523-authlib

• Severity: MEDIUM
• Scanner: grype
• Rule ID: GHSA-fg6f-75jq-6523-authlib
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A medium vulnerability in python package: authlib, version 1.6.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 6: GHSA-m344-f55w-2m6j-authlib

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-m344-f55w-2m6j-authlib
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: authlib, version 1.6.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 7: GHSA-7432-952r-cw78-authlib

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-7432-952r-cw78-authlib
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: authlib, version 1.6.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 8: GHSA-r6ph-v2qm-q3c2-cryptography

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-r6ph-v2qm-q3c2-cryptography
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A high vulnerability in python package: cryptography, version 46.0.2 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Finding 9: GHSA-gc5v-m9x4-r6x2-requests

• Severity: MEDIUM
• Scanner: grype
• Rule ID: GHSA-gc5v-m9x4-r6x2-requests
• Location: 02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt:1

Description:
A medium vulnerability in python package: requests, version 2.32.5 was found at: /02-use-cases/customer-support-assistant-vpc/mcp_dynamodb/requirements.txt

---

Report generated by Automated Security Helper (ASH) at 2026-03-31T22:31:14+00:00