Skip to content

docs: pin mkdocs<2 and silence the mkdocs-material advisory banner in CI#3072

Merged
maxisbey merged 1 commit into
mainfrom
docs-pin-mkdocs-1x
Jul 7, 2026
Merged

docs: pin mkdocs<2 and silence the mkdocs-material advisory banner in CI#3072
maxisbey merged 1 commit into
mainfrom
docs-pin-mkdocs-1x

Conversation

@maxisbey

@maxisbey maxisbey commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Hardens the docs toolchain against the upcoming MkDocs 2.0 split and quiets the advisory banner mkdocs-material now prints on every build.

Motivation and Context

MkDocs 1.x is no longer receiving releases (latest is 1.6.1 from Aug 2024), and "MkDocs 2.0" is being developed as a ground-up rewrite (announcement) that removes the plugin system — so it's incompatible with mkdocs-material and every plugin we use (mkdocstrings, gen-files, literate-nav, glightbox). mkdocs-material entered maintenance mode in 9.7.0 and added its own mkdocs<2 pin in 9.7.5; the Material team's analysis is here.

Three changes:

  • mkdocs>=1.6.1,<2 in the docs group. Our locked mkdocs-material (9.7.2) predates the upstream pin, and if 2.0 is ever published to PyPI under the mkdocs name, an unbounded re-lock could pick it up and break the docs build. Mirroring the bound on our direct dependency makes the guard independent of the theme's metadata.
  • mkdocs-material 9.7.2 → 9.7.6 in the lockfile: moves the advisory banner from stdout to stderr, sandboxes the social-cards plugin's template environment, and carries the upstream mkdocs<2 pin.
  • NO_MKDOCS_2_WARNING=1 in the three docs CI jobs, so the red banner stays out of build logs. Local builds still show it, which seems right — it's genuinely useful information for contributors.

This is the "pin and wait" posture most of the ecosystem has taken (e.g. pydantic and the astral repos pin mkdocs 1.6.1 + mkdocs-material 9.7.6). Zensical is the likely eventual destination, but it has no equivalent of gen-files (zensical/zensical#8), literate-nav (zensical/zensical#13), or MkDocs hooks: yet — our entire generated-API-reference and llms.txt pipeline — so migrating now isn't viable. Worth re-evaluating around November 2026 when mkdocs-material's committed maintenance window ends.

Note: deploy-docs.yml also builds the v1.x branch, whose pyproject has an unbounded mkdocs>=1.6.1. It's protected today by its frozen lockfile and by mkdocs-material 9.6.19's own mkdocs~=1.6 requirement, so no urgency, but a [v1.x] backport of the same bound would be reasonable hygiene.

How Has This Been Tested?

Built the docs locally against the updated lock: uv run --frozen mkdocs build --strict passes on 9.7.6; the banner goes to stderr only, and disappears with NO_MKDOCS_2_WARNING=1 set. Verified the generated site is intact (api/ reference pages, llms.txt), that uv lock --check passes with the new specifier, and that the step-level env: propagates through scripts/build-docs.sh to both branch builds. Also confirmed social cards still render on 9.7.6's sandboxed environment when ENABLE_SOCIAL_CARDS is set.

Breaking Changes

None — CI/dependency hygiene only; no API or rendered-docs changes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The NO_MKDOCS_2_WARNING env var is mkdocs-material's only supported off-switch — a config-level option was declined upstream, and 9.7.6 already auto-suppresses the banner for non-mkdocs entry points, so wrapper tools like mike are unaffected.

AI Disclaimer

MkDocs 2.0 is a ground-up rewrite that drops the plugin system, so it is
incompatible with mkdocs-material and the rest of our docs plugin stack.
mkdocs-material itself pins mkdocs<2 as of 9.7.5; mirror that bound on our
direct dependency so a future re-lock cannot resolve 2.0, and bump the
locked mkdocs-material from 9.7.2 to 9.7.6 (banner moved to stderr,
sandboxed social plugin, upstream mkdocs<2 pin).

mkdocs-material >=9.7.2 also prints a red advisory banner on every build;
set NO_MKDOCS_2_WARNING=1 in the docs CI jobs to keep it out of build
logs. Local builds still show it.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📚 Documentation preview

Preview https://pr-3072.mcp-python-docs.pages.dev
Deployment https://f25642be.mcp-python-docs.pages.dev
Commit 858dc55
Triggered by @maxisbey
Updated 2026-07-07 10:21:54 UTC

@maxisbey maxisbey marked this pull request as ready for review July 7, 2026 12:16

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

Re-trigger cubic

@claude claude Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — docs/CI dependency hygiene only: an upper bound on a docs-group dependency, a lockfile bump, and a cosmetic env var in three docs CI steps.

Extended reasoning...

Overview

The PR touches only the docs toolchain: adds an upper bound (mkdocs>=1.6.1,<2) to the docs dependency group in pyproject.toml (mirrored in uv.lock's requirements block), bumps mkdocs-material 9.7.2 → 9.7.6 in the lockfile, and sets NO_MKDOCS_2_WARNING=1 on the three docs-build steps in deploy-docs.yml, docs-preview.yml, and shared.yml. No runtime SDK code, tests, or published-package dependencies are affected.

Security risks

None of substance. The workflow edits only add a step-level environment variable to existing steps — no new triggers, permissions, secrets, or third-party actions. The docs-preview workflow's security-sensitive authorization logic is untouched. The lockfile bump is a patch-level upgrade of a docs-only dependency with pinned hashes, and 9.7.6 actually tightens the social-cards template sandboxing per the release notes.

Level of scrutiny

Low. This is dev-tooling/CI hygiene with no effect on the shipped mcp package or its runtime dependencies. The new upper bound is on a dev-group dependency and matches the posture mkdocs-material itself adopted upstream (its own mkdocs<2 pin in 9.7.5), so it is not a controversial design decision. The AGENTS.md guidance about not raising floors for CVEs is not implicated — no floor changes, only a cap on a docs tool.

Other factors

The docs-preview build for this PR completed and deployed successfully, which exercises the new lock and env var end to end. The strict-mode docs job in shared.yml also builds against the updated lock on every PR, so any incompatibility introduced by the material bump would surface immediately in CI. The bug hunting system reported no issues, and there are no outstanding reviewer comments.

@maxisbey maxisbey merged commit 6d2e908 into main Jul 7, 2026
39 checks passed
@maxisbey maxisbey deleted the docs-pin-mkdocs-1x branch July 7, 2026 12:45
@maxisbey maxisbey mentioned this pull request Jul 7, 2026
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant