build(deps): pin mcp SDK below 2.0 ahead of protocol RC (backport #5953) #5958
# What does this PR do?

Pins the `mcp` Python SDK dependency to `>=1.23.0,<2.0` across all five declaration sites (pyproject.toml core, type_checking, test-common, and two provider registry specs). This prevents fresh installs from pulling an incompatible SDK version when the MCP 2026-07-28 Release Candidate ships, which introduces breaking changes to the session model, transport layer, and protocol handshake.

Partial #5952 (this addresses the immediate dependency pin; the full migration is tracked there)

## Test Plan

1. Verify all `mcp>=` references are pinned with `<2.0` upper bound:

```bash
rg '"mcp>=' pyproject.toml src/ogx/providers/registry/
```

2. Run pre-commit to confirm no regressions:

```bash
uv run pre-commit run --all-files
```

Output: all 40 checks passed.

---------

Signed-off-by: Sébastien Han <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
(cherry picked from commit bb63ea6)

# Conflicts:
# pyproject.toml
# uv.lock
Cherry-pick of bb63ea6 has failed: To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
🔴 Incomplete mcp<2.0 pin: starter optional dependency group still allows mcp 2.x
The PR's intent is to pin mcp below 2.0 across all dependency specifications. The starter optional dependency group at pyproject.toml:100 still specifies "mcp>=1.23.0" without the <2.0 upper bound. Users installing with pip install ogx[starter] could get mcp 2.x, which the PR explicitly aims to prevent.
(Refers to line 100)
🔴 Incomplete mcp<2.0 pin: unit dependency group still allows mcp 2.x
The unit dependency group at pyproject.toml:222 still specifies "mcp>=1.23.0" without the <2.0 upper bound, inconsistent with the PR's goal. Unit tests could install mcp 2.x, causing test failures or masking compatibility issues that the pin was supposed to prevent.
(Refers to line 222)
🔴 Incomplete mcp<2.0 pin: test dependency group still allows mcp 2.x
The test dependency group at pyproject.toml:245 still specifies "mcp>=1.23.0" without the <2.0 upper bound, inconsistent with the PR's goal. Integration tests could install mcp 2.x, causing test failures or allowing incompatible code to pass CI.
(Refers to line 245)
| <<<<<<< HEAD | ||
| "ogx-client==1.0.2", | ||
| ======= | ||
| "ogx-client>=1.0.2", | ||
| ] | ||
| test-common = [ | ||
| "aiohttp", | ||
| "aiosqlite", | ||
| "asyncpg>=0.29.0", | ||
| "chardet", | ||
| "mcp>=1.23.0,<2.0", | ||
| "pgvector>=0.3.0", | ||
| "psycopg2-binary>=2.9.0", | ||
| "pypdf>=6.10.2", | ||
| "sqlalchemy[asyncio]>=2.0.41", | ||
| >>>>>>> bb63ea69 (build(deps): pin mcp SDK below 2.0 ahead of protocol RC (#5953)) |
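Review bot: the incoming side of this conflict (between `=======` and the `bb63ea69` closing marker) also loosens `"ogx-client==1.0.2"` to `"ogx-client>=1.0.2"`, which is unrelated to the mcp pin named in the commit subject. When resolving, consider keeping HEAD's exact `"ogx-client==1.0.2"` and taking only the `test-common` group with its `"mcp>=1.23.0,<2.0"` entry, or state in the PR description that the ogx-client change is intended for this branch.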
🔴 Unresolved git merge conflict markers in pyproject.toml break TOML parsing
Lines 194–209 of pyproject.toml contain literal <<<<<<< HEAD, =======, and >>>>>>> bb63ea69 merge conflict markers. These are invalid TOML syntax and will cause any TOML parser (pip, uv, setuptools, etc.) to fail when reading the file, completely breaking dependency resolution, installation, and builds.
Prompt for agents
The pyproject.toml file contains unresolved git merge conflict markers at lines 194-209 within the type_checking dependency group. The conflict is between HEAD (which has `ogx-client==1.0.2` and no test-common group) and the bb63ea69 commit (which has `ogx-client>=1.0.2` and introduces a new test-common dependency group). You need to resolve this merge conflict by deciding:
1. Which version spec to use for ogx-client (==1.0.2 vs >=1.0.2)
2. Whether to include the new test-common dependency group
Remove all three conflict marker lines (<<<<<<< HEAD, =======, >>>>>>> bb63ea69) and keep the intended content. Given the PR is about pinning mcp<2.0, you likely want to keep both the ogx-client entry (closing the type_checking group) and the new test-common group with its mcp pin.
This is an automatic backport of pull request #5953 done by [Mergify](https://mergify.com).
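An added example (not code from this PR or the ogx project): a text-level audit for the two problems raised in the review comments above, `mcp` requirements with no upper bound below 2.0 and leftover conflict markers. It scans lines instead of parsing TOML, so it still works on a file that conflict markers have made unparseable; `SAMPLE` is constructed, and `audit` and `caps_below_2` are hypothetical helper names.

```python
import re

# Constructed sample modelled on this thread's findings; not the real pyproject.toml.
SAMPLE = """\
[project.optional-dependencies]
starter = [
    "mcp>=1.23.0",
]
[dependency-groups]
type_checking = [
<<<<<<< HEAD
    "ogx-client==1.0.2",
=======
    "ogx-client>=1.0.2",
]
test-common = [
    "mcp>=1.23.0,<2.0",
>>>>>>> bb63ea69 (constructed)
]
"""

CONFLICT = re.compile(r"^(<{7} |={7}$|>{7} )")
GROUP = re.compile(r"^\s*([\w.-]+)\s*=\s*\[")
MCP_REQ = re.compile(r'"mcp(?![\w.-])\s*(?:\[[^\]]*\])?\s*([^";]*)')  # name is exactly mcp
CAP = re.compile(r"(<=|<|==|~=)\s*(\d+)((?:\.\d+)*)")

def caps_below_2(clause):
    """True if one specifier clause on its own excludes every 2.x release."""
    m = CAP.match(clause.strip())
    if not m:
        return False
    op, major, rest = m.group(1), int(m.group(2)), m.group(3)
    if major < 2:  # <1.x, <=1.x, ==1.x, ~=1.x
        return True
    return op == "<" and major == 2 and set(rest) <= {".", "0"}  # <2, <2.0, <2.0.0

def audit(text):
    """Return (line, kind, detail) findings; works on files that are not valid TOML."""
    findings, group = [], "?"
    for n, line in enumerate(text.splitlines(), 1):
        if CONFLICT.match(line):
            findings.append((n, "conflict-marker", line.split()[0]))
            continue
        if (g := GROUP.match(line)):
            group = g.group(1)  # remember the enclosing "name = [" list
        req = MCP_REQ.search(line)
        if req and not any(caps_below_2(c) for c in req.group(1).split(",")):
            findings.append((n, "unbounded-mcp", group))
    return findings
```

Calling `audit()` on the contents of each file that declares the dependency and failing CI on a non-empty result catches a missed declaration site that a manual `rg` review can overlook.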