chore(deps): update dependency hackney to v4.2.0 #40

Merged
Doridian merged 1 commit from renovate/hackney-4.x-lockfile into main 2026-06-04 17:37:10 -07:00

This PR contains the following updates:

Package           Type  Update  Change
hackney (source)  prod  minor   4.0.0 → 4.2.0

Release Notes

benoitc/hackney (hackney)

v4.2.0

Compare Source

Added
  • IPv6 for HTTP/3. The family connect option (inet | inet6) is forwarded to QUIC, which resolves DNS and races addresses with Happy Eyeballs (RFC 8305). IPv6 literals such as https://[::1]/ work too.
  • 0-RTT and session resumption for HTTP/3. Session tickets are cached per {host, port, transport} and replayed on the next connection; a bodyless one-shot request is then sent as 0-RTT, otherwise the ticket gives a resumed handshake. Controlled by the zero_rtt option, with an explicit session_ticket taking precedence. New hackney_h3 helpers: early_data_accepted/1, get_session_ticket/1, wait_session_ticket/2.
Fixed
  • Recover from an expired cross-signed root instead of failing the handshake (e.g. Let's Encrypt's ISRG Root X2 cross-signed by the expired ISRG Root X1), across HTTP/1.1, HTTP/2, HTTP/3 and WebTransport. A genuinely expired leaf or intermediate still fails, and partial chains keep working.
  • HTTP/3 connections from the pool now apply ssl_options (cacerts, insecure) that previously did not reach the QUIC layer.
  • A pooled connection that stops between checkout and the request call no longer leaks exit:{normal, _} / exit:noproc to the caller; request, body and streaming calls return {error, closed} instead (#861).
  • A proxy host given as an atom (e.g. localhost) or a binary is accepted again for the plain, connect and socks5 proxy tuples instead of being silently ignored (#858).
Dependencies
  • quic 1.4.5 -> 1.6.3.
  • h2 0.6.1 -> 0.8.0.
  • webtransport 0.2.6 -> 0.3.1.

v4.1.0: hackney 4.1.0

Compare Source

WebTransport client. Drop-in addition alongside the WebSocket API, no breaking changes.

Added

  • WebTransport client API (hackney:wt_connect/1,2, wt_send/2, wt_recv/1,2, wt_setopts/2, wt_close/1,2), mirroring the WebSocket ws_* API so code switches by swapping the ws_ prefix for wt_. Runs over HTTP/3 (default) or HTTP/2. One session multiplexes many streams (wt_open_stream/2, wt_stream_send/3,4, wt_stream_recv/2,3, wt_close_stream/2, wt_reset_stream/3, wt_stop_sending/3) plus unreliable datagrams (wt_send_datagram/2) and wt_session_info/1. No custom wire framing, so it interoperates with any WebTransport server. Caller path and headers are checked for CR/LF/NUL and a buffer cap bounds unread data. See the WebTransport Guide.

Dependencies

  • Add webtransport 0.2.6.

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

v4.0.3: hackney 4.0.3

Compare Source

OTP 29 support and HTTP/3 server-certificate verification. Drop-in upgrade from 4.0.2, no API changes.

Security

  • HTTP/3 now verifies the server certificate. quic 1.4.4 authenticates the server by default; hackney passes the request's insecure option and any configured CA (cacerts/cacertfile in ssl_options) through to the QUIC connection, so verification can be disabled or pointed at a custom trust store. Without a configured CA, quic uses its default trust store.

Changed

  • Replace the deprecated catch Expr form with try ... catch so hackney compiles cleanly on OTP 29.

Dependencies

  • Bump quic to 1.4.5 (fixes server-cert chain validation when the server sends an extra cross-sign above the anchored intermediate).
  • Bump h2 to 0.6.1 (OTP 29 deprecated-catch fix).

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

v4.0.2: hackney 4.0.2

Compare Source

Bug-fix release. Drop-in upgrade from 4.0.1, no API changes.

Bug Fixes

  • Fix an intermittent pool crash when a server closes a pooled keep-alive connection during checkout (#850). The checkout now tolerates the set_owner race and falls through to a fresh connection instead of crashing on a bad match, and an async ownership handoff to an already-closed pooled connection stops it promptly so the pool drops it from rotation.
  • Expose hackney:body/1,2 and hackney:stream_body/1 again so the response body can be read after start_response/1 in streaming body mode (#849). The migration guide and examples referenced these but they were not exported. The getting-started guide and README were corrected as well.

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

v4.0.1: hackney 4.0.1

Compare Source

Security release. Fixes 9 reported vulnerabilities (4 high, 4 medium, 1 low) plus one hardening change across the HTTP/1.1, HTTP/2, HTTP/3, WebSocket, cookie and URL handling code. No API changes, so it is a drop-in upgrade from 4.0.0.

If you use hackney directly or through a library (HTTPoison, Tesla's hackney adapter, ExAws, and others), please upgrade.

Security

High
  • CVE-2026-47066 (GHSA-6cp8-v795-jr2j): infinite loop in the Alt-Svc response parser.
  • CVE-2026-47073 (GHSA-q8jg-fgj4-fphf): unbounded WebSocket frame, message and handshake buffers.
  • CVE-2026-47074 (GHSA-jq4m-q6p2-8gwc): slow-drip OOM on buffered HTTP/3 responses.
  • CVE-2026-47071 (GHSA-gp9c-pm5m-5cxr): missing timeout on a proxy TLS upgrade.
Medium
  • CVE-2026-47076 (GHSA-pj7v-xfvx-wmjq): SSRF allowlist bypass via percent-encoded host.
  • CVE-2026-47072 (GHSA-f9vr-g2g2-x9fg): CR/LF injection in the WebSocket upgrade request.
  • CVE-2026-47075 (GHSA-j9wq-vxxc-94wf): CR/LF injection in the request target.
  • CVE-2026-47070 (GHSA-h73q-4w9q-82h4): cross-origin HTTP/3 redirect leaked Authorization and Cookie.
Low
  • CVE-2026-47069 (GHSA-mp55-p8c9-rfw2): CR/LF injection via cookie domain and path options.
Hardening
  • to_atom/1 no longer falls back to list_to_atom/1, removing an atom-leak path (GHSA-6rmf, no CVE assigned).
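Three of the classes in the 4.0.1 list recur across HTTP clients in any language: CR/LF/NUL reaching the wire through a request target, a header value or a cookie attribute; an allowlist decision made on a different spelling of the host than the one the dialer connects to; and credentials carried across a redirect that changes origin. The following is an added example written here in Python, not hackney's code, that models the defender's side of each class in one place. The function names, the conservative `_HOST_RE` hostname pattern and the sample URLs and headers are constructed for illustration; the host gate refuses any host that is not already canonical rather than normalising it, which is stricter than the page requires.

```python
"""Defensive checks for the vulnerability classes fixed in hackney 4.0.1.

Added example (Python, not hackney's code): CR/LF/NUL rejection for values
spliced into the wire, a canonical-host gate in front of an SSRF allowlist,
and credential stripping on a cross-origin redirect.
"""
import re
from urllib.parse import unquote, urlsplit

# Bytes that terminate a request line or header line on the wire.
_INJECTION = ("\r", "\n", "\x00")

# Constructed pattern: lower-case LDH labels joined by dots. IP literals such
# as [::1] are deliberately refused here; a real client would add a separate
# branch for them.
_HOST_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

_CREDENTIAL_HEADERS = {"authorization", "cookie"}


def reject_injection(field: str, value: str) -> str:
    """Return value unchanged, or raise if it carries CR, LF or NUL."""
    if any(c in value for c in _INJECTION):
        raise ValueError(f"{field}: CR/LF/NUL not allowed")
    return value


def request_line(method: str, target: str) -> str:
    """'METHOD target HTTP/1.1\\r\\n' with the target checked first
    (the class of CVE-2026-47075)."""
    m = reject_injection("method", method)
    t = reject_injection("target", target)
    return f"{m} {t} HTTP/1.1\r\n"


def header_line(name: str, value: str) -> str:
    """One 'Name: value\\r\\n' line; a WebSocket upgrade request is a list
    of these (the class of CVE-2026-47072)."""
    n = reject_injection("header name", name)
    v = reject_injection("header value", value)
    return f"{n}: {v}\r\n"


def set_cookie(name: str, value: str, domain=None, path=None) -> str:
    """Assemble a Set-Cookie value; Domain and Path are caller-supplied
    options, so they get the same check (the class of CVE-2026-47069)."""
    parts = [f"{reject_injection('cookie name', name)}="
             f"{reject_injection('cookie value', value)}"]
    if domain is not None:
        parts.append(f"Domain={reject_injection('cookie domain', domain)}")
    if path is not None:
        parts.append(f"Path={reject_injection('cookie path', path)}")
    return "; ".join(parts)


def canonical_host(url: str):
    """Host to compare with an SSRF allowlist, or None if the URL's host is
    not already canonical. Percent-decoding is used only to detect an
    encoded spelling: if decoding changes anything, or the result is not a
    plain hostname, the URL is refused instead of normalised, so the
    allowlist check and the dialer can never disagree about the host."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # .hostname is lower-cased
    if not host or unquote(host) != host or not _HOST_RE.match(host):
        return None
    return host


def is_allowed(url: str, allowlist) -> bool:
    """Allowlist decision made on the canonical host only."""
    host = canonical_host(url)
    return host is not None and host in allowlist


def origin(url: str):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Drop Authorization and Cookie when the redirect leaves the origin
    (the class of CVE-2026-47070); keep everything on a same-origin hop."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in _CREDENTIAL_HEADERS}


if __name__ == "__main__":
    allow = {"api.example.com"}
    for u in ("https://api.example.com/v1", "https://%61pi.example.com/v1",
              "https://API.example.com./v1"):
        print(u, "->", is_allowed(u, allow))
    hdrs = {"Authorization": "Bearer t", "Cookie": "sid=1", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/a",
                               "https://other.example/b", hdrs))
```

The host gate is intentionally all-or-nothing: a host that decodes to something different, or that contains anything outside the hostname alphabet, is refused outright rather than canonicalised and retried, because the point of the check is that the string compared with the allowlist is byte-for-byte the string handed to DNS.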

Dependencies

  • Bump quic to 1.4.3.
  • Bump h2 to 0.6.0.

Credits

Thanks to PJUllrich, Ganbagana and tepel-chen for the reports, and to maennchen for coordinating disclosure.

Full changelog: https://github.com/benoitc/hackney/blob/master/NEWS.md

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate.

All checks were successful
Lint / Lint (pull_request) Successful in 2m4s
Nix check / check-nix (pull_request) Successful in 3m9s
aa7a61bf7c
Doridian deleted branch renovate/hackney-4.x-lockfile 2026-06-04 17:37:10 -07:00
SpaceAge/space_age_api!40