chore(deps): Bump the minor-and-patch group in /mcp/slack_tool with 5 updates

[dependabot]

Bumps the minor-and-patch group in /mcp/slack_tool with 5 updates:

Package	From	To
requests	2.34.1	2.34.2
slack-sdk	3.41.0	3.42.0
python-multipart	0.0.28	0.0.29
fastmcp	3.2.4	3.3.1
starlette	1.0.0	1.2.0

Updates requests from 2.34.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• See full diff in compare view

Updates slack-sdk from 3.41.0 to 3.42.0

Release notes

Sourced from slack-sdk's releases.

v3.42.0

What's Changed

🚀 Enhancements

• feat: add authorship arguments to assistant threads and chat stream by @​zimeg in slackapi/python-slack-sdk#1862
• feat(blocks): add Card, Carousel, and Alert block types by @​srtaalej in slackapi/python-slack-sdk#1865
• feat(models): add BlockChunk type to chat.{start,append,stop}Stream methods by @​srtaalej in slackapi/python-slack-sdk#1872
• feat: add highlight_type to files.completeUploadExternal and files_upload_v2 by @​zimeg in slackapi/python-slack-sdk#1875

🐛 Bug Fixes

• fix: pass default ssl=True to aiohttp to avoid deprecation warning by @​WilliamBergamin in slackapi/python-slack-sdk#1843
• fix: Improve type annotations in SignatureVerifier by @​BHSPitMonkey in slackapi/python-slack-sdk#1845
• Fix typo in SectionBlock field validation by @​Lexicality in slackapi/python-slack-sdk#1848
• fix: improve Socket Mode client stability and correctness by @​WilliamBergamin in slackapi/python-slack-sdk#1854
• fix: pin cryptography<46 for PyPy 3.10 CI builds by @​WilliamBergamin in slackapi/python-slack-sdk#1860
• fix: resolve OAuth installation store bugs and typos by @​WilliamBergamin in slackapi/python-slack-sdk#1864

📚 Documentation

• docs - adds chat_stream helper to python sdk docs (removing from bolt-py) by @​lukegalbraithrussell in slackapi/python-slack-sdk#1846
• docs(maintainers): adding block kit types instructions by @​srtaalej in slackapi/python-slack-sdk#1861

📦 Other changes

• chore: fix formatting based on new black version by @​WilliamBergamin in slackapi/python-slack-sdk#1842
• chore: fix test warnings across test suite by @​WilliamBergamin in slackapi/python-slack-sdk#1844
• chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1849
• chore(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1851
• chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1852
• chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1850
• chore(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 by @​dependabot[bot] in slackapi/python-slack-sdk#1869
• chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1871
• chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1868
• chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1870
• chore(release): version 3.42.0 by @​zimeg in slackapi/python-slack-sdk#1876

New Contributors

• @​BHSPitMonkey made their first contribution in slackapi/python-slack-sdk#1845
• @​Lexicality made their first contribution in slackapi/python-slack-sdk#1848

Full Changelog: slackapi/python-slack-sdk@v3.41.0...v3.42.0 Milestone: https://github.com/slackapi/python-slack-sdk/milestone/118?closed=1

Commits

• 4f7eeee chore(release): version 3.42.0 (#1876)
• e69ba32 feat: add highlight_type to files.completeUploadExternal and files_upload_v2 ...
• beecde2 feat(models): add BlockChunk type to chat.{start,append,stop}Stream methods (...
• 73d255a feat(blocks): add Card, Carousel, and Alert block types (#1865)
• 60bd43d feat: add authorship arguments to assistant threads and chat stream (#1862)
• 726538c chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#1870)
• 5338c2d chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 (#1868)
• 632a205 chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1871)
• bec3906 chore(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 (#1869)
• 69163d6 fix: resolve OAuth installation store bugs and typos (#1864)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.28 to 0.0.29

Release notes

Sourced from python-multipart's releases.

Version 0.0.29

What's Changed

• Handle malformed RFC 2231 continuations in parse_options_header by @​manunio in Kludex/python-multipart#270

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

Commits

• e3d6853 Version 0.0.29 (#288)
• a60dcdc Handle malformed RFC 2231 continuations in parse_options_header (#270)
• 75c33b2 Add 7-day cooldown for dependency resolution via uv exclude-newer (#286)
• a078b8e Bump urllib3 from 2.6.3 to 2.7.0 (#285)
• See full diff in compare view

Updates fastmcp from 3.2.4 to 3.3.1

Release notes

Sourced from fastmcp's releases.

v3.3.1: Loop There It Is

FastMCP 3.3.1 is a hotfix for the 3.3 packaging split. Clean installs of 3.3.0 could fail on standalone component imports like from fastmcp.tools import tool because component modules reached auth and task primitives through fastmcp.server, pulling in the server/provider stack and exposing a circular import.

Component-level auth and task primitives now live in lightweight utility modules, with the old server import paths preserved as compatibility re-exports. Component imports stay lightweight, existing server-facing imports continue to work, and the release also includes small docs corrections from the 3.3 rollout.

What's Changed

Fixes 🐞

• fix(docs): use valid FA icon on client-only package page by @​jlowin in PrefectHQ/fastmcp#4139
• Decouple component imports from server by @​jlowin in PrefectHQ/fastmcp#4150

Full Changelog: PrefectHQ/fastmcp@v3.3.0...v3.3.1

v3.3.0: Slim Reaper

FastMCP 3.3 ships fastmcp-slim, a new lightweight distribution that separates the client from the server stack. It also closes out a meaningful backlog of security hardening, observability improvements, and auth additions that accumulated through the 3.2 cycle.

fastmcp-slim

The full FastMCP package pulls in Starlette, Uvicorn, and the rest of the server machinery — necessary for running a server, but wasteful if you're writing a client, a script, or an agent that just needs to talk to MCP. fastmcp-slim is a dependency-light distribution that ships the client and transport layer without any of that.

The import namespace is unchanged:

from fastmcp import Client
async with Client("https://example.com/mcp") as client:
result = await client.call_tool("my_tool", {"arg": "value"})

Install fastmcp-slim[client] anywhere you want FastMCP's client without the server footprint — CI environments, lightweight agents, library dependencies that shouldn't force Uvicorn on downstream users.

Security

The OAuth proxy received three hardening upgrades. Silent consent is now guarded against AS-in-the-middle attacks — a malicious authorization server can no longer silently approve a consent it wasn't meant to handle. Redirect URI allowlist matching now rejects dot-segment paths (/../, /./) that could otherwise bypass prefix checks. And ResponseCachingMiddleware partitions its cache by access token, closing a gap where different users could see each other's cached responses.

Auth

AzureB2CProvider adds first-class support for Azure AD B2C user flows. The OCI provider is fixed for 3.x installs. And OAuthProxy gains a public update_scopes() API for updating the proxy's required scopes after initialization — useful for servers that determine scope requirements at runtime.

Observability

OTEL instrumentation is now fully compliant with MCP semantic conventions. List operations (list_tools, list_resources, list_prompts, list_resource_templates) are instrumented, and delegate spans on proxy servers are enriched with backend attributes.

Thread Affinity

Sync tools run in a thread pool by default. If your tool holds thread-local state or is bound to a specific thread (UI frameworks, some database drivers), you can now opt out:

... (truncated)

Commits

• d8dcc27 Decouple component imports from server (#4150)
• 255e3e4 fix(docs): use valid FA icon on client-only package page (#4139)
• 73df4dc chore: Update SDK documentation (#4096)
• ee48a0f Refine fastmcp-slim packaging (#4125)
• bb4894d Add fastmcp-slim for client-only installs (#4122)
• 8209093 fix(http): terminate active streamable-HTTP transports before lifespan shutdo...
• cf59a45 Fix OCI Provider issue in 3.x version. Add OCI auth provider example … (#4116)
• 89b99ec fix(proxy): fall back to live identifier for backend_* span attributes (#4109)
• 310314c fix: cli option --no-banner is NOT passed to cli but server-spec in-correctly...
• 28722f8 fix: drop exc_info for expected tool failures, remove unreachable ValidationE...
• Additional commits viewable in compare view

Updates starlette from 1.0.0 to 1.2.0

Release notes

Sourced from starlette's releases.

Version 1.2.0

What's Changed

• Support httpx2 in the test client by @​Kludex in Kludex/starlette#3291

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

What's Changed

• Use "application/octet-stream" as the FileResponse media type fallback by @​ATOM00blue in Kludex/starlette#3283
• Only dispatch standard HTTP verbs in HTTPEndpoint by @​Kludex in Kludex/starlette#3286
• Reject absolute paths in StaticFiles.lookup_path by @​Kludex in Kludex/starlette#3287

New Contributors

• @​ATOM00blue made their first contribution in Kludex/starlette#3283

Full Changelog: Kludex/starlette@1.0.1...1.1.0

Version 1.0.1

What's Changed

• Ignore malformed Host header when constructing request.url by @​Kludex in Kludex/starlette#3279

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Changelog

Sourced from starlette's changelog.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

Commits

• 4060987 Version 1.2.0 (#3300)
• 1e289ca Migrate docs deploy from Cloudflare Pages to Workers Static Assets (#3282)
• 100f05a Add httpx2 as a dev dependency (#3295)
• 508023b Support httpx2 in the test client (#3291)
• a4ff83b Version 1.1.0 (#3289)
• fd53168 Reject absolute paths in StaticFiles.lookup_path (#3287)
• e3f9722 Only dispatch standard HTTP verbs in HTTPEndpoint (#3286)
• 348f86d Use "application/octet-stream" as the FileResponse media type fallback (#...
• 48f8e33 Version 1.0.1 (#3281)
• f078832 Remove Hugging Face sponsor block from docs (#3280)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions