Bump fastmcp from 3.2.0 to 3.2.2

[dependabot]

Bumps fastmcp from 3.2.0 to 3.2.2.

Release notes

Sourced from fastmcp's releases.

v3.2.2: Audience Appreciation

The Azure audience fix in 3.2.1 overcorrected: it switched token validation from client_id to identifier_uri, which fixed custom Application ID URIs but broke the default case where Azure AD v2 tokens set aud to the bare client ID GUID. Both formats are now accepted.

What's Changed

Fixes 🐞

• fix: accept both client_id and identifier_uri as Azure audience by @​jlowin in PrefectHQ/fastmcp#3797

Dependencies 📦

• chore(deps): bump the uv group across 2 directories with 1 update by @​dependabot[bot] in PrefectHQ/fastmcp#3795

Full Changelog: PrefectHQ/fastmcp@v3.2.1...v3.2.2

v3.2.1: Audience Participation

Most of the fixes in this patch are about auth providers getting audience validation wrong. Cognito token verification was checking the aud JWT claim, but Cognito access tokens don't include one; they use client_id instead. Azure was hardcoding the raw client ID as the expected audience, ignoring the identifier_uri parameter even though Entra v2.0 tokens use the Application ID URI as aud. Both now validate correctly without changing the provider API. Consent cookies also had an unbounded growth problem in high-DCR-client environments, eventually blowing past reverse proxy header limits; they're now capped as an LRU.

On the OpenAPI side, nullable: true fields from 3.0 specs were leaking into tool input schemas as-is instead of being converted to JSON Schema's type: ["string", "null"]. Server variable templates in base URLs (like https://{region}.api.example.com) were also being passed through raw instead of substituted with their defaults.

Smaller fixes: form submissions from Prefab UI now correctly handle unchecked boolean checkboxes, the client no longer crashes on error responses with empty or non-text content from third-party servers, and asyncio.iscoroutinefunction no longer emits deprecation warnings on Python 3.14.

What's Changed

Breaking Changes ⚠️

• fix(google): use sub (user ID) for client_id instead of aud (app ID) by @​shigechika in PrefectHQ/fastmcp#3722
• fix: remove CSP from tool metadata, keep on resource only by @​jlowin in PrefectHQ/fastmcp#3754

Enhancements ✨

• [codex] Add FastMCP docs telemetry by @​aaazzam in PrefectHQ/fastmcp#3727
• chore: split SDK navigation into standalone $ref file by @​jlowin in PrefectHQ/fastmcp#3773
• fix: bump ty to >=0.0.29 and suppress new false positives by @​jlowin in PrefectHQ/fastmcp#3790

Fixes 🐞

• fix: use explicit None checks for JWT exp validation by @​jlowin in PrefectHQ/fastmcp#3724
• Unify background task context forwarding, fix concurrent dependency bugs by @​chrisguidry in PrefectHQ/fastmcp#3710
• fix: add proxy timeouts and modernize networking in apps dev by @​mateeaaa in PrefectHQ/fastmcp#3741
• fix: ResponseLimitingMiddleware no longer breaks outputSchema tools by @​jlowin in PrefectHQ/fastmcp#3756
• fix: substitute server variable defaults when building base URL from OpenAPI spec by @​mrishav in PrefectHQ/fastmcp#3770
• fix: FastAPI TestClient compatibility and lifespan re-initialization by @​kvdhanush06 in PrefectHQ/fastmcp#3736
• fix: propagate upstream_claims in load_access_token by @​kvdhanush06 in PrefectHQ/fastmcp#3750
• Remove deprecated asyncio.iscoroutinefunction fallback by @​kaiisfree in PrefectHQ/fastmcp#3767
• fix: changeable allowed_client_redirect_uris on OAuthProxy by @​fengarix in PrefectHQ/fastmcp#3772
• fix: broken link in changelog by @​jlowin in PrefectHQ/fastmcp#3775
• fix(docs): correct FastMCP tool name in welcome docs by @​buyua9 in PrefectHQ/fastmcp#3781
• fix: cap consent cookie size to prevent header overflow by @​jlowin in PrefectHQ/fastmcp#3784
• Fix boolean property schemas in JSON Schema parsing by @​jlowin in PrefectHQ/fastmcp#3785
• Fix OpenAPI 3.0 nullable fields in tool input schemas by @​kvdhanush06 in PrefectHQ/fastmcp#3768
• fix: Cognito token verification checks client_id instead of aud by @​jlowin in PrefectHQ/fastmcp#3786
• fix: use identifier_uri as audience for Azure token validation by @​jlowin in PrefectHQ/fastmcp#3787

... (truncated)

Commits

• 6592aaa fix: accept both client_id and identifier_uri as Azure audience (#3797)
• 9f0d8d3 chore(deps): bump the uv group across 2 directories with 1 update (#3795)
• 556fd8f Harden client tool result error handling (#3778)
• e064ba6 chore: Update SDK documentation (#3791)
• a3c5cc1 chore: Update SDK documentation (#3757)
• f5be772 fix: bump ty to >=0.0.29 and suppress new false positives (#3790)
• f14456d docs: document forward_resource parameter on OAuthProxy (#3788)
• 2b9d3ee fix: use identifier_uri as audience for Azure token validation (#3787)
• e1ea133 fix: Cognito token verification checks client_id instead of aud (#3786)
• 042db1d Fix OpenAPI 3.0 nullable fields in tool input schemas (#3768)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)