
fix(deps): upgrade cryptography and fastmcp for security alerts + bumps#26

Merged
doronkopit5 merged 2 commits into main from dk/cve_16_02_26 on Feb 16, 2026

Conversation

@doronkopit5 doronkopit5 commented Feb 16, 2026

Summary

Details

Neither package is directly imported by this project — both are transitive dependencies of fastmcp. Only uv.lock is modified.

Alert  Package       Severity  Fix
#2     cryptography  HIGH      46.0.3 → 46.0.5
#3     diskcache     MEDIUM    No fix available (latest is 5.6.3)

Test plan

🤖 Generated with Claude Code


Important

Upgrade cryptography and fastmcp in uv.lock to address security alerts and maintain current dependencies.

This description was created by Ellipsis for 23ae691.

Summary by CodeRabbit

  • Chores

    • Updated GitHub Actions workflow versions across CI and release pipelines for improved compatibility
    • Upgraded development dependencies to latest compatible versions
  • Refactor

    • Improved enum implementation consistency with standard Python typing conventions

Addresses Dependabot alert #2 (HIGH severity) for cryptography subgroup
attack vulnerability. Also upgrades fastmcp to latest to keep transitive
dependency chain current for diskcache alert #3 (no fix available yet).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Feb 16, 2026

📝 Walkthrough

Walkthrough

Updated GitHub Actions workflow versions (checkout to v6, setup-uv to v7, setup-python to v6), bumped ruff dependency from ~0.14.0 to ~0.15.0, and refactored FilterOperator and FilterType enums to inherit from StrEnum instead of (str, Enum).

Changes

Cohort / File(s): Summary

GitHub Actions Workflow Versions (.github/workflows/ci.yml, .github/workflows/release.yml)
    Upgraded action versions: actions/checkout v4→v6, astral-sh/setup-uv v3→v7, actions/setup-python v5→v6. No control flow changes; only dependency version pins updated.
Development Dependencies (pyproject.toml)
    Bumped ruff from ~0.14.0 to ~0.15.0 in dev group; no other configuration changes.
Enum Refactoring (src/opentelemetry_mcp/models.py)
    Refactored FilterOperator and FilterType to inherit from StrEnum instead of (str, Enum). String values and member names preserved; validation logic unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 With actions upgraded and ruff brushed bright,
Our enums now string-ified—what a delight!
From v3 to v7, we leap and we bound,
Dependencies refreshed, improvements abound! 🐇✨

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title mentions upgrading cryptography and fastmcp, but the changeset includes multiple unrelated updates: GitHub Actions versions, ruff version bump, and Enum-to-StrEnum migration that are not referenced in the title. Revise the title to accurately reflect all material changes, or split into focused PRs. For example: 'chore: upgrade dependencies, tooling, and migrate Enum to StrEnum' or break into separate PRs for security fixes vs. tooling/code improvements.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection ✅ Passed ✅ No merge conflicts detected when merging into main


@ellipsis-dev ellipsis-dev Bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to 23ae691 in 9 seconds. Click for details.
  • Reviewed 324 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 0 draft comments. View those below.

github-actions Bot commented Feb 16, 2026

Container Security Scan (opentelemetry-mcp-server-amd64)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.65/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


opentelemetry-mcp-server:ea73c0fb786a85e9f6dda1cf7bf00bf98b2e8724-amd64 (debian 13.3)
=====================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2026-0861 │ HIGH     │ affected │ 2.41-12+deb13u1   │               │ glibc: Integer overflow in memalign leads to heap corruption │
│          │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-0861                    │
├──────────┤               │          │          │                   ├───────────────┤                                                              │
│ libc6    │               │          │          │                   │               │                                                              │
│          │               │          │          │                   │               │                                                              │
└──────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

github-actions Bot commented Feb 16, 2026

Container Security Scan (opentelemetry-mcp-server-arm64)



opentelemetry-mcp-server:ea73c0fb786a85e9f6dda1cf7bf00bf98b2e8724-arm64 (debian 13.3)
=====================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼───────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2026-0861 │ HIGH     │ affected │ 2.41-12+deb13u1   │               │ glibc: Integer overflow in memalign leads to heap corruption │
│          │               │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2026-0861                    │
├──────────┤               │          │          │                   ├───────────────┤                                                              │
│ libc6    │               │          │          │                   │               │                                                              │
│          │               │          │          │                   │               │                                                              │
└──────────┴───────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

- ruff ~=0.14.0 → ~=0.15.0 (resolves to 0.15.1)
- actions/checkout v4 → v6
- astral-sh/setup-uv v3 → v7
- actions/setup-python v5 → v6
- Migrate FilterOperator and FilterType from (str, Enum) to StrEnum (ruff UP042)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@doronkopit5 doronkopit5 changed the title fix(deps): upgrade cryptography and fastmcp for security alerts fix(deps): upgrade cryptography and fastmcp for security alerts + bumps Feb 16, 2026
@galkleinman galkleinman left a comment

LGTM

@doronkopit5 doronkopit5 merged commit 28bdb9e into main Feb 16, 2026
9 checks passed
@doronkopit5 doronkopit5 deleted the dk/cve_16_02_26 branch February 16, 2026 11:08