From 01736b1f5ca6995c5f83315916c27bce61c80134 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Wed, 3 Dec 2025 17:48:59 +0100
Subject: [PATCH] chore: bump mcp package version (backport #4287) (#4288)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# What does this PR do?

Address

https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f

<hr>This is an automatic backport of pull request #4287 done by
[Mergify](https://mergify.com).

Signed-off-by: Sébastien Han <seb@redhat.com>
Co-authored-by: Sébastien Han <seb@redhat.com>
---
 llama_stack/providers/registry/agents.py       | 2 +-
 llama_stack/providers/registry/tool_runtime.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/llama_stack/providers/registry/agents.py b/llama_stack/providers/registry/agents.py
index 1845d6f46..19e09cb2e 100644
--- a/llama_stack/providers/registry/agents.py
+++ b/llama_stack/providers/registry/agents.py
@@ -23,7 +23,7 @@ def available_providers() -> list[ProviderSpec]:
                 "pillow",
                 "pandas",
                 "scikit-learn",
-                "mcp>=1.8.1",
+                "mcp>=1.23.0",
             ]
             + kvstore_dependencies(),  # TODO make this dynamic based on the kvstore config
             module="llama_stack.providers.inline.agents.meta_reference",
diff --git a/llama_stack/providers/registry/tool_runtime.py b/llama_stack/providers/registry/tool_runtime.py
index 39dc7fccd..f62c29258 100644
--- a/llama_stack/providers/registry/tool_runtime.py
+++ b/llama_stack/providers/registry/tool_runtime.py
@@ -80,7 +80,7 @@ def available_providers() -> list[ProviderSpec]:
             provider_type="remote::model-context-protocol",
             module="llama_stack.providers.remote.tool_runtime.model_context_protocol",
             config_class="llama_stack.providers.remote.tool_runtime.model_context_protocol.config.MCPProviderConfig",
-            pip_packages=["mcp>=1.8.1"],
+            pip_packages=["mcp>=1.23.0"],
             provider_data_validator="llama_stack.providers.remote.tool_runtime.model_context_protocol.config.MCPProviderDataValidator",
             description="Model Context Protocol (MCP) tool for standardized tool calling and context management.",
         ),