Unpinned MCP dependency in requirements.txt is a silent upgrade risk, dev warns
A developer discovered their MCP server's sole dependency, mcp[cli], had no version pin in requirements.txt, meaning every fresh install would pull the latest release regardless of what was tested. The oversight came to light after reading about a production outage caused by an unpinned fastmcp dependency that silently introduced a breaking change to HTTP transport handling. Although the developer's server runs only locally, limiting immediate impact, the underlying risk pattern was identical to the incident that prompted the review. The fix involved adding a version range — mcp[cli]>=1.28.0,<2.0.0 — to constrain installs to tested versions without requiring a full lockfile setup. The developer noted that MCP servers are often treated as lightweight glue code rather than infrastructure, which can cause standard dependency-pinning discipline to be overlooked.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in