mitigate CVE-2025-62727 for starlette #1552
nagmesh wants to merge 1 commit into modelcontextprotocol:main from
Conversation
This CVE doesn't affect this SDK as we don't use the FileResponse object. For now I'm marking this as "Request changes" so we don't add such a strict minimum version and break downstream applications/services.
Would be keen to hear what others think (especially @Kludex), but I'm thinking we don't need to update this version as it doesn't affect the MCP Python SDK directly, and leave it up to users of this library to change the Starlette version used in their projects if needed.
This is not necessary. Exact same discussion on bump of vulnerable package versions: Kludex/uvicorn#2643. I've also reached out to a security expert, and this is not necessary, or wanted.
@Kludex the vulnerable starlette version is pinned in the uv.lock and is causing downstream consumers to pull it in as a transitive dependency. Surely we aren't suggesting that everyone downstream of MCP should explicitly add the updated starlette version to resolve this since we're not willing to update the lock file, right? I agree with the non-pinned update in the pyproject.toml, but not updating the lock seems not ideal.
@ColeMurray Which downstream consumers rely on the
Remove outdated and generic guidance, add project-specific context that
prevents real review churn.
Removed:
- Error Resolution section (generic 'add None checks / test thoroughly')
- Ruff line-wrapping advice (ruff format handles it) and wrong '88 chars'
- Stale pre-commit guidance ('update config rev' - ruff is repo: local)
- Reported-by / Github-Issue commit trailers (unused in practice)
- Duplicate co-authored-by note and generic PR prose
- Generic Code Quality bullets ('focused and small', 'follow patterns')
Added:
- Branching Model: main is the V2 rework, no @deprecated shims, README.md
is frozen (edit README.v2.md), [v1.x] backport prefix
- Dependency floor policy: don't raise floors for CVEs alone (refs
Kludex/uvicorn#2643, #1552)
- __all__ in src/mcp/__init__.py defines the public API surface
- Avoid new pragma/type:ignore/noqa; assert isinstance in tests; audit grep
- filterwarnings=['error'] context for the no-silence-warnings rule
- --frozen on all uv commands; --python <ver> for cross-version testing
- Tests: in-memory > threads > subprocesses; Client(server) for E2E
Restructured numbered-list-in-list into flat H2 sections with a dedicated
Coverage subsection.
Motivation and Context
The following dependencies contain High or Critical CVEs:
https://www.cve.org/CVERecord?id=CVE-2025-62727
How Has This Been Tested?
Package bumped to have version higher than 0.49.1