[v1.x] build: restrict httpx to <1.0.0

[maxisbey]

Backport of #2345 to the v1.x release branch. Closes #2543.

Motivation and Context

httpx publishes 1.0.dev1/1.0.dev2/1.0.dev3 pre-releases on PyPI. These are a ground-up rewrite with an incompatible public API — no AsyncClient, Auth, Timeout, BasicAuth, codes, or the TransportError/StreamError exception hierarchy.

The current v1.x constraint is unbounded (httpx>=0.27.1), so when a downstream package is installed with pip install --pre (common for alpha/beta libraries built on mcp), pip resolves httpx 1.0.dev3 and import mcp fails immediately:

File ".../httpx_sse/_exceptions.py", line 4, in <module>
  class SSEError(httpx.TransportError):
                 ^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'httpx' has no attribute 'TransportError'

This was already fixed on main in #2345 but never backported, so all published 1.x releases (including 1.27.0) are affected.

How Has This Been Tested?

Reproduced in a fresh venv:

python -m venv /tmp/repro && /tmp/repro/bin/pip install --pre 'mcp==1.27.0'
/tmp/repro/bin/python -c 'import mcp'
# AttributeError: module 'httpx' has no attribute 'TransportError'

Confirmed that constraining to httpx<1.0 (resolves 0.28.1) restores all of import mcp, stdio_client, sse_client, and streamablehttp_client.

Breaking Changes

None. httpx 0.28.1 remains the latest stable; this only excludes the incompatible 1.0 dev pre-releases.

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Re the alternatives raised in #2543:

• <2.0 wouldn't help — httpx 1.x is API-incompatible by design, not just pre-release churn.
• Not adding a speculative httpx-sse<1.0 cap; no such release exists and we'd rather not pre-emptively constrain a dep that hasn't broken.

_{AI Disclaimer}

[claude]

LGTM — straightforward backport adding an upper bound on httpx.

Extended reasoning...

Overview

This PR backports #2345 to the v1.x release branch. It changes a single dependency specifier in pyproject.toml from httpx>=0.27.1 to httpx>=0.27.1,<1.0.0, with the corresponding requires-dist metadata line in uv.lock. No source code, tests, or resolved package versions change — the lockfile already resolved httpx 0.28.1, so only the constraint metadata is updated.

Security risks

None. This narrows an existing dependency range to exclude known-incompatible httpx 1.0 dev pre-releases. It does not add new dependencies, loosen any constraints, or touch auth/crypto/permission code paths.

Level of scrutiny

Low. This is a one-line, mechanical version-bound change that has already been reviewed and merged on main (#2345). The motivation is well-documented with a reproducible failure case (AttributeError: module 'httpx' has no attribute 'TransportError' under pip install --pre), and the fix is the standard remedy: cap below the breaking major version. The PR description also explains why <2.0 and a speculative httpx-sse cap were rejected.

Other factors

No bugs were flagged by the bug-hunting system, there are no outstanding reviewer comments, and the change is non-breaking for all users on stable httpx (0.28.x remains the latest stable). Given the trivial scope and that it mirrors an already-landed change on main, this is safe to approve without further human review.