chore(deps): update dependency mcp to v1.23.0 [security]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mcp	1.9.1 -> 1.23.0

---

MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS

CVE-2025-53366 / GHSA-3qhf-m339-9g5v

More information

Details

A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.

Thank you to Rich Harang for reporting this issue.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v
• https://nvd.nist.gov/vuln/detail/CVE-2025-53366
• https://github.com/modelcontextprotocol/python-sdk/pull/822
• https://github.com/modelcontextprotocol/python-sdk/commit/29c69e6a47d0104d0afcea6ac35e7ab02fde809a
• https://github.com/modelcontextprotocol/python-sdk
• https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.9.4

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service

CVE-2025-53365 / GHSA-j975-95f5-7wqh

More information

Details

If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.

Thank you to Rich Harang for reporting this issue.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh
• https://nvd.nist.gov/vuln/detail/CVE-2025-53365
• https://github.com/modelcontextprotocol/python-sdk/pull/967
• https://github.com/modelcontextprotocol/python-sdk/commit/7b420656de48cfdb90b39eb582e60b6d55c2f891
• https://github.com/modelcontextprotocol/python-sdk
• https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.10.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

CVE-2025-66416 / GHSA-9h52-p55h-vw2f

More information

Details

Description

The Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via FastMCP() now have DNS rebinding protection enabled by default when the host parameter is 127.0.0.1 or localhost. Users are advised to update to version 1.23.0 to receive this automatic protection. Users with custom low-level server configurations using StreamableHTTPSessionManager or SseServerTransport directly should explicitly configure TransportSecuritySettings when running an unauthenticated server on localhost.

Severity

• CVSS Score: 7.6 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f
• https://nvd.nist.gov/vuln/detail/CVE-2025-66416
• https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99
• https://github.com/modelcontextprotocol/python-sdk

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

modelcontextprotocol/python-sdk (mcp)

v1.23.0

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• Add tests for JSON Schema 2020-12 field preservation (SEP-1613) by @​felixweinberger in #​1649
• Add client_secret_basic authentication support by @​jonshea in #​1334
• Implement SEP-1577 - Sampling With Tools by @​ochafik in #​1594
• SEP-1330: Elicitation Enum Schema Improvements and Standards Compliance by @​chughtapan in #​1246
• [auth][conformance] add conformance auth client by @​pcarleton in #​1640
• Implement SEP-986: Tool name validation by @​felixweinberger in #​1655
• fix: url for spec by @​felixweinberger in #​1659
• feat: implement SEP-991 URL-based client ID (CIMD) support by @​pcarleton in #​1652
• Update doc string on custom_route by @​pcarleton in #​1660
• Implement SEP-1036: URL mode elicitation for secure out-of-band interactions by @​cbcoutinho in #​1580
• Skip empty SSE data to avoid parsing errors by @​felixweinberger in #​1670
• SEP-1686: Tasks by @​maxisbey in #​1645
• Add on_session_created callback option by @​crondinini-ant in #​1710
• Add SSE polling support (SEP-1699) by @​felixweinberger in #​1654
• Support client_credentials flow with JWT and Basic auth by @​pcarleton in #​1663
• feat: backwards-compatible create_message overloads for SEP-1577 by @​felixweinberger in #​1713
• Auto-enable DNS rebinding protection for localhost servers by @​pcarleton (d3a1841)

New Contributors

• @​ochafik made their first contribution in #​1594

Full Changelog: modelcontextprotocol/python-sdk@v1.22.0...v1.23.0

v1.22.0

Compare Source

What's Changed

• feat: Pass through and expose additional parameters in ClientSessionGroup.call_tool and .connect_to_server by @​inaku-Gyan in #​1576
• chore: Lazy import jsonschema library by @​wuliang229 in #​1596
• docs: Update examples to use stateless HTTP with JSON responses by @​domdomegg in #​1499

New Contributors

• @​wuliang229 made their first contribution in #​1596

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.22.0

v1.21.2

Compare Source

Hotfix Release

This is a hotfix release to address a critical bug in OAuth scope handling that caused failures on 401 responses.

Related:

• #​1630
• #​1632

What's Changed

• fix get_client_metadata_scopes on 401 by @​abliznyuk in #​1631

New Contributors

• @​abliznyuk made their first contribution in #​1631

Full Changelog: modelcontextprotocol/python-sdk@v1.21.1...v1.21.2

v1.21.1

Compare Source

What's Changed

• Add everything-server for comprehensive MCP conformance testing by @​felixweinberger in #​1587
• Get baseline 100% clean coverage by @​maxisbey in #​1553
• Add end-of-file-fixer pre-commit hook by @​maxisbey in #​1610
• Add coverage baseline commit to git-blame-ignore by @​maxisbey in #​1613
• Add SEP-1034 conformance test support to everything-server by @​felixweinberger in #​1604
• refactor: extract OAuth helper functions and simplify provider state by @​maxisbey in #​1586
• Add client_id_metadata_document_supported to OAuthMetadata by @​maxisbey in #​1603
• Fix OAuth discovery fallback and URL ordering by @​maxisbey in #​1624
• Refactor func_metadata() implementation by @​Viicos in #​1496
• Fix CI highest resolution test to actually test highest versions by @​maxisbey in #​1609

New Contributors

• @​Viicos made their first contribution in #​1496

Full Changelog: modelcontextprotocol/python-sdk@v1.21.0...v1.21.1

v1.21.0

Compare Source

What's Changed

• docs: use article "an" before "MCP" instead of "a" by @​koic in #​1558
• Update Starlette to 0.49.1 in uv.lock by @​ColeMurray in #​1559
• Fix typo in ClientSessionGroup doc string by @​inaku-Gyan in #​1572
• Implement SEP-985: OAuth Protected Resource Metadata discovery fallback by @​cbcoutinho in #​1548
• Add --frozen flag to uv run commands in Claude config by @​maxisbey in #​1583
• Add get_server_capabilities() to ClientSession by @​crondinini-ant in #​1588

New Contributors

• @​koic made their first contribution in #​1558
• @​ColeMurray made their first contribution in #​1559
• @​inaku-Gyan made their first contribution in #​1572
• @​cbcoutinho made their first contribution in #​1548
• @​crondinini-ant made their first contribution in #​1588

Full Changelog: modelcontextprotocol/python-sdk@v1.20.0...v1.21.0

v1.20.0

Compare Source

What's Changed

• Relax Accept header requirement for JSON-only responses by @​domdomegg in #​1500
• fix: replace deprecated dev-dependencies in examples/clients by @​yukuanj in #​1518
• fix: Update spec links to new modelcontextprotocol.io location by @​maxisbey in #​1491
• fix: Replace fixed sleep with active server readiness check in SSE tests by @​maxisbey in #​1526
• fix: Replace arbitrary sleeps with active server readiness checks in tests by @​maxisbey in #​1527
• Fix flaky timeout test in test_88_random_error by @​maxisbey in #​1525
• fix: Replace remaining manual server polling with wait_for_server helper by @​maxisbey in #​1529
• Implement RFC 7523 JWT flows by @​LucaButBoring in #​1247
• Fix pyright error and replace wildcard import with explicit imports by @​maxisbey in #​1532
• Fix auth client example URL handling for oauth provider by @​pcarleton in #​1549

New Contributors

• @​domdomegg made their first contribution in #​1500
• @​pcarleton made their first contribution in #​1549

Full Changelog: modelcontextprotocol/python-sdk@v1.19.0...v1.20.0

v1.19.0

Compare Source

What's Changed

• feat: add tool metadata in FastMCP.tool decorator by @​mat-octave in #​1463
• Make client examples workspaces to reflect package code by @​LucaButBoring in #​1466
• Expose RequestParams._meta in ClientSession.call_tool by @​samchenatti in #​1231
• Allow CallToolResult to be returned directly to support _meta field for OpenAI Apps by @​BrandonShar in #​1459
• fix: uv CVE-2025-62518 astral-tokio-tar issue GHSA-j5gw-2vrg-8fgx by @​cclauss in #​1505
• fix: use proper dependency resolution in CI by @​felixweinberger in #​1507
• Upgrade GitHub Actions by @​cclauss in #​1473
• test: use errno.ENOENT for command not found assertion by @​mingo1996 in #​1498
• Replace deprecated dev-dependencies with dependency-groups by @​yukuanj in #​1488
• update uv to 0.9.5 by @​maxisbey in #​1510

New Contributors

• @​mat-octave made their first contribution in #​1463
• @​samchenatti made their first contribution in #​1231
• @​BrandonShar made their first contribution in #​1459
• @​mingo1996 made their first contribution in #​1498

Full Changelog: modelcontextprotocol/python-sdk@v1.18.0...v1.19.0

v1.18.0

Compare Source

What's Changed

• [client] Implement MCP OAuth scope selection and step-up authorization by @​dogacancolak in #​1324
• Handles message type Exception in lowlevel/server.py _handle_message function. Mentioned as TODO on line 528. by @​AishwaryaKalloli in #​786
• Fix workspace configuration error with structured_output_lowlevel.py by @​felixweinberger in #​1471
• fix: Remove unnecessary constructor from ResourceServerSettings by @​rocky-d in #​1424
• feat: add resource annotations support to FastMCP by @​fennb in #​1468
• fix: send params as empty object for list methods without cursor by @​felixweinberger in #​1453
• fix: Set the Server session initialization state immediately after respond… by @​daamitt in #​1478

New Contributors

• @​dogacancolak made their first contribution in #​1324
• @​rocky-d made their first contribution in #​1424
• @​fennb made their first contribution in #​1468
• @​daamitt made their first contribution in #​1478

Full Changelog: modelcontextprotocol/python-sdk@v1.17.0...v1.18.0

v1.17.0

Compare Source

What's Changed

• Add documentation structure by @​Kludex in #​1425
• Add documentation about testing by @​Kludex in #​1426
• Improve OAuth protected resource metadata URL construction per RFC 9728 by @​shulkx in #​1407
• feat: add ability to remove tools by @​brandonspark in #​1322
• Update README to link to Python SDK documentation by @​felixweinberger in #​1430
• fix: update CLAUDE.md to remove auto-addition of reviewers. by @​felixweinberger in #​1431

New Contributors

• @​shulkx made their first contribution in #​1407
• @​brandonspark made their first contribution in #​1322

Full Changelog: modelcontextprotocol/python-sdk@v1.16.0...v1.17.0

v1.16.0

Compare Source

What's Changed

• Add error log for client stdio by @​pengwa in #​924
• Accept additional response_types values from OAuth servers by @​jonshea in #​1323
• Issue 1379 patch - Fix MCP server OAuth not working with Visual Studio Code and others with extra grant_types by @​automaton82 in #​1380
• Add comprehensive Unicode tests for streamable HTTP transport by @​pja-ant in #​1381
• Update Icon.sizes to use string array format by @​pja-ant in #​1411
• Delete CODEOWNERS to eliminate notification overload by @​felixweinberger in #​1413
• fix: fix the system message in simple-chatbot example by @​yukuanj in #​1394
• fix: improve misleading warning for progress callback exceptions by @​lorenzocesconetto in #​775
• fix: catch and rethrow SSEError during SSE connection establishment by @​zhangch-ss in #​975
• Add icons support for ResourceTemplate by @​pja-ant in #​1412

New Contributors 🙏

• @​pengwa made their first contribution in #​924
• @​jonshea made their first contribution in #​1323
• @​automaton82 made their first contribution in #​1380
• @​yukuanj made their first contribution in #​1394
• @​zhangch-ss made their first contribution in #​975

Full Changelog: modelcontextprotocol/python-sdk@1.15.0...v1.16.0

v1.15.0

Compare Source

What's Changed

• Return HTTP 403 for invalid Origin headers by @​pja-ant in #​1353
• Add test for ProtectedResourceMetadataParsing by @​yannj-fr in #​1236
• Fastmcp logging progress example by @​stevebillings in #​1270
• feat: add paginated list decorators for prompts, resources, and tools by @​maxisbey in #​1286
• Remove "unconditionally" from conditional description by @​mssalvatore in #​1289
• Use streamable-http consistently in examples by @​maxisbey in #​1389
• feat: Add SDK support for SEP-1034 default values in elicitation schemas by @​chughtapan in #​1337
• Implementation of SEP 973 - Additional metadata + icons support by @​pja-ant in #​1357

New Contributors

• @​stevebillings made their first contribution in #​1270
• @​mssalvatore made their first contribution in #​1289

Full Changelog: modelcontextprotocol/python-sdk@v1.14.1...v1.15.0

v1.14.1

Compare Source

What's Changed

• fix(fastmcp): propagate mimeType in resource template list by @​pchoudhury22 in #​1186
• fix: allow elicitations accepted without content by @​owengo in #​1285
• Use --frozen in pre-commit config by @​pja-ant in #​1375

New Contributors

• @​pchoudhury22 made their first contribution in #​1186
• @​owengo made their first contribution in #​1285

Full Changelog: modelcontextprotocol/python-sdk@v1.14.0...v1.14.1

v1.14.0

Compare Source

What's Changed

• Added Audio to FastMCP by @​dragonier23 in #​1130
• Fix: avoid uncessary retries in OAuth authenticated requests by @​keurcien in #​1206
• Add PATHEXT to default STDIO env vars in windows by @​timesler in #​1256
• fix: error too many values to unpack (expected 2) by @​sandangel in #​1279
• SDK Parity: Avoid Parsing Server Response for non-JsonRPCMessage Requests by @​justin-yi-wang in #​1290
• types: Setting default value for method: Literal by @​sreenaths in #​1292
• changes structured temperature to not deadly by @​monkeywithacupcake in #​1328
• Update simple-resource example to use non-deprecated read_resource return type by @​pja-ant in #​1331
• docs: Update README to include link to API docs for #​1329 by @​reidg44 in #​1330
• Allow ping requests before initialization by @​eleftherias in #​1312
• Python lint: Ruff rules for pylint and code complexity by @​cclauss in #​525
• Fix context injection for resources and prompts by @​dsp-ant in #​1336

New Contributors 🙏

• @​dragonier23 made their first contribution in #​1130
• @​keurcien made their first contribution in #​1206
• @​timesler made their first contribution in #​1256
• @​sandangel made their first contribution in #​1279
• @​justin-yi-wang made their first contribution in #​1290
• @​monkeywithacupcake made their first contribution in #​1328
• @​pja-ant made their first contribution in #​1331
• @​reidg44 made their first contribution in #​1330
• @​eleftherias made their first contribution in #​1312

Full Changelog: modelcontextprotocol/python-sdk@v1.13.1...v1.14.0

v1.13.1

Compare Source

What's Changed

• chore: uncomment .idea/ in .gitignore by @​maxisbey in #​1287
• docs: clarify streamable_http_path configuration when mounting servers by @​felixweinberger in #​1172
• feat: Add CORS configuration for browser-based MCP clients by @​jerome3o-anthropic in #​1059

New Contributors

• @​maxisbey made their first contribution in #​1287

Full Changelog: modelcontextprotocol/python-sdk@v1.13.0...v1.13.1

v1.13.0

Compare Source

What's Changed

• Add pyright strict mode on the whole project by @​Kludex in #​1254
• Consistent casing for default headers Accept and Content-Type by @​glinf in #​1263
• Update dependencies and fix type issues by @​dsp-ant in #​1268
• fix: prevent async generator cleanup errors in StreamableHTTP transport by @​mous222 in #​1271

New Contributors

• @​glinf made their first contribution in #​1263
• @​mous222 made their first contribution in #​1271

Full Changelog: modelcontextprotocol/python-sdk@v1.12.4...v1.13.0

v1.12.4

Compare Source

What's Changed

• chore: Remove unused prompt_manager.py file by @​chughtapan in #​1229
• Improved supported for ProtectedResourceMetadata by @​yannj-fr in #​1235
• chore: Remove unused variable notification_options by @​sreenaths in #​1238
• Improve README around the Context object by @​jbkkd in #​1203
• Fix : token_endpoint_auth_signing_alg_values_supported is a json array by @​yannj-fr in #​1226
• Remove strict validation on response_modes_supported member of OAuthMetadata by @​joesavage-silabs in #​1243

New Contributors

• @​chughtapan made their first contribution in #​1229
• @​yannj-fr made their first contribution in #​1235
• @​sreenaths made their first contribution in #​1238
• @​jbkkd made their first contribution in #​1203
• @​joesavage-silabs made their first contribution in #​1243

Full Changelog: modelcontextprotocol/python-sdk@v1.12.3...v1.12.4

v1.12.3

Compare Source

What's Changed

• server: skip duplicate response on CancelledError by @​lukacf in #​1153
• Unpack settings in FastMCP by @​Kludex in #​1198

New Contributors

• @​lukacf made their first contribution in #​1153

Full Changelog: modelcontextprotocol/python-sdk@v1.12.2...v1.12.3

v1.12.2

Compare Source

What's Changed

• update codeowners group by @​ihrpr in #​1191
• fix: perform auth server metadata discovery fallbacks on any 4xx by @​LucaButBoring in #​1193

Full Changelog: modelcontextprotocol/python-sdk@v1.12.1...v1.13.0

v1.12.1

Compare Source

What's Changed

• Add CODEOWNERS file for sdk by @​ihrpr in #​1169
• fix flaky test test_88_random_error by @​ihrpr in #​1171
• Make sure RequestId is not coerced as int by @​Kludex in #​1178
• Fix: Replace threading.Lock with anyio.Lock for Ray deployment compatibility by @​only-weng in #​1151
• fix: fix OAuth flow request object handling by @​clareliguori in #​1174

New Contributors

• @​only-weng made their first contribution in #​1151

Full Changelog: modelcontextprotocol/python-sdk@v1.12.0...v1.12.1

v1.12.0

Compare Source

What's Changed

• Ensure failed oauth registration response is read before accessing response.text by @​jlowin in #​1118
• Avoiding to parse string arguments containing valid JSON if the argument annotation is str by @​cjg in #​1113
• Update routing for streamable HTTP to avoid 307 redirect by @​yurikunash in #​1115
• add regression tests for #​1113 by @​bhosmer-ant in #​1122
• Fix BaseModel method name conflicts in func_metadata by @​bhosmer-ant in #​1123
• README - replace code snippets with examples by @​ihrpr in #​1136
• README - replace code snippets with examples - direct execution and display utilities by @​ihrpr in #​1137
• Close server session after handle stateless request by @​hopeful0 in #​1116
• tests: use inline_snapshot.Is on parametrized test by @​Kludex in #​945
• Add regression test for stateless request memory cleanup by @​felixweinberger in #​1140
• Implement RFC9728 - Support WWW-Authenticate header by MCP client by @​yurikunash in #​1071
• Add streamable HTTP starlette example to Python SDK docs by @​pamelafox in #​1111
• fix markdown error in README in main by @​ihrpr in #​1147
• README - replace code snippets with examples - add lowlevel to snippets by @​ihrpr in #​1150
• README - replace code snippets with examples - streamable http by @​ihrpr in #​1155
• chore: don't allow users to create issues outside the templates by @​Kludex in #​1163
• Tests(cli): Add coverage for helper functions by @​davenpi in #​635
• Docs: Update CallToolResult parsing in README by @​functicons in #​812
• docs: add pre-commit install guide on CONTRIBUTING.md by @​dingo4dev in #​995
• fix flaky fix-test_streamablehttp_client_resumption test by @​ihrpr in #​1166
• README - replace code snippets with examples -- auth examples by @​ihrpr in #​1164
• Support falling back to OIDC metadata for auth by @​LucaButBoring in #​1061

New Contributors 🙏

• @​cjg made their first contribution in #​1113
• @​yurikunash made their first contribution in #​1115
• @​hopeful0 made their first contribution in #​1116
• @​pamelafox made their first contribution in #​1111
• @​davenpi made their first contribution in #​635
• @​functicons made their first contribution in #​812

Full Changelog: modelcontextprotocol/python-sdk@v1.11.0...v1.12.0

v1.11.0

Compare Source

What's Changed

• Update MCP to use Pydantic>=2.11 by @​medaminezghal in #​1041
• Flaky test fix by @​AishwaryaKalloli in #​1050
• chore: bump ruff by @​Kludex in #​1085
• docs: fix dev server command in README (#​848) by @​Lasdw6 in #​859
• fix: support "form_post" to be one of response modes in authorization server metadata validation by @​ke-yu in #​1046
• Embed code snippets for README from executable examples by @​ihrpr in #​1055
• tests: add lowest dependency tests by @​Kludex in [#​1067](https://redirect.github.com/modelcontextprotocol/python-sdk/p

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pywin32@​311
	mcp@​1.9.1 ⏵ 1.13.1
	attrs@​25.3.0
	rpds-py@​0.27.1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		pywin32@311 has Native code. Location: Package overview From: uv.lock → pypi/pywin32@311 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/pywin32@311. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] has Native code. Location: Package overview From: ? → pypi/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report