chore(deps): bump fastmcp from 2.13.0.2 to 2.13.3 in /modelcontextprotocol

[dependabot]

Bumps fastmcp from 2.13.0.2 to 2.13.3.

Release notes

Sourced from fastmcp's releases.

v2.13.3: Pin-ish Line

MCP SDK 1.23 introduced some changes related to the 11/25/25 MCP protocol update that break some patches/workarounds that FastMCP had implemented previously. In particular, OAuth changes in the new protocol changed some implementation details that FastMCP patched; as such 1.23 is not necessarily a breaking SDK change but it is "breaking" for certain FastMCP behaviors.

As a precaution, this release pins mcp<1.23. FastMCP 2.14 will introduce 11/25/25 support (and require mcp>=1.23).

v2.13.2: Refreshing Changes

FastMCP 2.13.2 polishes the authentication stack with fixes for token refresh, scope handling, and multi-instance deployments. Discord joins the growing roster of built-in OAuth providers, Azure and Google token handling gets more reliable, and proxy classes now properly forward icons and titles. This release also adds CSP customization for consent screens and fixes an edge case where $defs could mutate during tool transforms.

Welcome to 7 new contributors who made their first FastMCP contributions in this release!

What's Changed

New Features 🎉

• Add Discord OAuth provider and corresponding tests by @​Aisha630 in jlowin/fastmcp#2428

Enhancements 🔧

• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in jlowin/fastmcp#2433
• feat: Made Changes to DescopeProvider to Support New Well Known URLs by @​gaokevin1 in jlowin/fastmcp#2392
• Scalekit provider updates by @​AkshayParihar33 in jlowin/fastmcp#2413
• Add consent_csp_policy parameter for CSP customization by @​jlowin in jlowin/fastmcp#2484
• Add icons support to proxy classes by @​jlowin in jlowin/fastmcp#2502

Fixes 🐞

• Add refresh token support defaults to GoogleProvider by @​jlowin in jlowin/fastmcp#2438
• Fix exclude_args with non-serializable types by @​jlowin in jlowin/fastmcp#2440
• Fix Azure OAuth token refresh with unprefixed scopes by @​Neet-Nestor in jlowin/fastmcp#2462
• fix: prevent $defs mutation in Tool.from_tool transforms by @​jtanningbed in jlowin/fastmcp#2493
• Add title attribute to ProxyTool, ProxyResource, … by @​CNSeniorious000 in jlowin/fastmcp#2497
• Fix OAuth proxy refresh token storage for multi-instance deployments by @​jlowin in jlowin/fastmcp#2483
• Fix get_access_token() returning stale token after OAuth refresh by @​jlowin in jlowin/fastmcp#2505
• Fix version badges for icons and website_url; add Discord example by @​jlowin in jlowin/fastmcp#2509
• Fix Azure provider OIDC scope handling by @​jlowin in jlowin/fastmcp#2506

Docs 📚

• Update http.mdx by @​Shengshenlan in jlowin/fastmcp#2446
• Fix version number in VersionBadge: change 2.14.0 to 2.13.0 by @​ShaikAyesha17 in jlowin/fastmcp#2491
• Add Discord OAuth integration documentation by @​jlowin in jlowin/fastmcp#2508

Dependencies 📦

• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in jlowin/fastmcp#2432
• Bump py-key-value-aio to 0.3.0 by @​strawgate in jlowin/fastmcp#2437
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in jlowin/fastmcp#2474

Other Changes 🦾

• Add extra_authorize_params and extra_token_params to OIDCProxy by @​jlowin in jlowin/fastmcp#2439

New Contributors

• @​Neet-Nestor made their first contribution in jlowin/fastmcp#2462
• @​Shengshenlan made their first contribution in jlowin/fastmcp#2446
• @​gaokevin1 made their first contribution in jlowin/fastmcp#2392
• @​ShaikAyesha17 made their first contribution in jlowin/fastmcp#2491
• @​jtanningbed made their first contribution in jlowin/fastmcp#2493
• @​CNSeniorious000 made their first contribution in jlowin/fastmcp#2497
• @​Aisha630 made their first contribution in jlowin/fastmcp#2428

... (truncated)

Commits

• 08d26ee Pin mcp<1.23 to avoid SDK breaking changes
• 9c21754 Fix Azure provider OIDC scope handling (#2506)
• 83085c3 Fix version badges for icons and website_url; add Discord example (#2509)
• aa53bdf Add Discord OAuth integration documentation (#2508)
• e1d41f5 Add Discord OAuth provider and corresponding tests (#2428)
• 246a0ad Fix get_access_token() returning stale token after OAuth refresh (#2505)
• 01ecc91 Fix OAuth proxy refresh token storage for multi-instance deployments (#2483)
• 3341c0c Add icons support to proxy classes (#2502)
• adbb7d6 Add title attribute to ProxyTool, ProxyResource, … (#2497)
• ba69fba Add consent_csp_policy parameter for CSP customization (#2484)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)