fix: remove unused `requests` dependency from simple-chatbot example by maxisbey · Pull Request #1959 · modelcontextprotocol/python-sdk
The simple-chatbot example declared requests>=2.31.0 as a dependency but never imports or uses it — the code uses httpx (via the mcp dependency) instead. This stale dependency pulled urllib3 into the lock file, which triggered three high-severity Dependabot alerts (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441). None of these affect the SDK since it uses httpx/httpcore, not urllib3. Removing requests from the example eliminates urllib3 from the runtime dependency tree. It remains in the lock file only via mkdocs-material (a docs-only dev dependency).
approved these changes Jan 26, 2026
maxisbey deleted the fix/remove-unused-requests-dep-v1x branch
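
A check for the condition this pull request fixes (a dependency that is declared but never imported), as an added example that is not part of the pull request or the SDK. The override table, the sample manifest and the sample source text are constructed, and the fallback mapping from distribution name to import name is an assumption that holds only when the two match.

```python
import ast
import re

# Assumption: distributions whose import name differs from the package name.
IMPORT_NAME_OVERRIDES = {"python-dotenv": "dotenv"}


def requirement_name(requirement):
    """Return the normalized distribution name from a PEP 508 string."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    if match is None:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    # PEP 503 normalization: runs of '-', '_' and '.' become one hyphen.
    return re.sub(r"[-_.]+", "-", match.group(1)).lower()


def imported_modules(source):
    """Return the top-level module names that a source file imports."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            found.add(node.module.split(".")[0])
    return found


def unused_dependencies(requirements, sources):
    """List declared distributions that none of the source files import."""
    imported = set()
    for text in sources.values():
        imported |= imported_modules(text)
    unused = []
    for requirement in requirements:
        name = requirement_name(requirement)
        module = IMPORT_NAME_OVERRIDES.get(name, name.replace("-", "_"))
        if module not in imported:
            unused.append(name)
    return unused


# Constructed sample modelled on the PR description; versions other than
# requests>=2.31.0 are made up.
DECLARED = ["requests>=2.31.0", "mcp>=1.0.0", "python-dotenv>=1.0.0"]
SOURCES = {"main.py": "import httpx\nfrom dotenv import load_dotenv\nimport mcp\n"}

if __name__ == "__main__":
    print(unused_dependencies(DECLARED, SOURCES))
```

A hit only means the package is a candidate for removal; plugins and packages loaded by entry point or string name are never imported directly and need an entry in the override table or a manual check.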