build(deps): bump the mix-production-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the mix-production-dependencies group with 5 updates in the /src/flagd-ui directory:

Package	From	To
bandit	1.10.3	1.11.0
jason	1.4.4	1.4.5
phoenix	1.8.5	1.8.6
phoenix_live_view	1.1.26	1.1.30
swoosh	1.23.0	1.25.1

Updates bandit from 1.10.3 to 1.11.0

Changelog

Sourced from bandit's changelog.

1.11.0 (1 May 2026)

Fixes

• Fix WebSocket inflate vulnerability (CVE-2026-39804, commit 8156921, thanks @​PJUllrich & @​maennchen!)
• Fix WebSocket continuation frame handling vulnerability (CVE-2026-42786, commit 21612c7, thanks @​PJUllrich & @​maennchen!)
• Fix HTTP/2 frame size parsing vulnerability (CVE-2026-42788, commit 1e8e559, thanks @​PJUllrich & @​maennchen!)
• Improve handling of zero/negative length & offset parameters to send_file (#580, thanks @​PJUllrich & @​maennchen!)

Enhancements

• Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
• Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

• The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
• Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
• Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @​PJUllrich & @​maennchen!)
• We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @​PJUllrich & @​maennchen!)

1.10.4 (25 Mar 2026)

Enhancements

• Support {:shutdown, :disconnected} as a normal WebSocket result code (#576, thanks @​wwitek-whatnot!)

Commits

• e626198 Version bump to 1.11.0
• 014c157 Tweaks to Autobahn test suite
• 1e8e559 Merge commit from fork
• 45feea2 Merge commit from fork
• f2ca636 Merge commit from fork
• 21612c7 Merge commit from fork
• 8156921 Merge commit from fork
• fc3cf61 Improve handling of edge cases in send_file (#580)
• 1085ad0 Bump machete from 0.3.11 to 0.3.12 (#579)
• c70e175 Bump credo from 1.7.17 to 1.7.18 (#578)
• Additional commits viewable in compare view

Updates jason from 1.4.4 to 1.4.5

Changelog

Sourced from jason's changelog.

1.4.5 (05.05.2026)

• Add support for Decimal 3.0

Commits

• 4ede428 Bump v1.4.5
• b8c2185 Fix dialyzer job
• a363975 Modernise CI to currently supported versions
• 243c8a8 Allow decimal 3.0
• c8e8d05 Revert the experimental 1.5 branch and jason_native experiment
• 0e7a3e2 Add example/doctest for Jason.OrderedObject.new/1
• 984bc07 fix broken link
• f775592 Raise if trying to decode decimals without decimal
• 79d59df Remove unneeded workarounds for xref warnings
• baac78e Fix warnings by conditionally compiling Decimal support
• Additional commits viewable in compare view

Updates phoenix from 1.8.5 to 1.8.6

Changelog

Sourced from phoenix's changelog.

1.8.6 (2026-05-05)

Security fixes

• CVE-2026-32689: Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting

Commits

• ddcdadb Release v1.8.6
• 1a67c61 prevent unexpected memory usage on nd-json body splitting
• 8ca76a2 fix a couple of typos (#6672)
• 6214d83 Bump postcss from 8.5.6 to 8.5.13 (#6671)
• 247ae7c Bump actions/cache from 5.0.4 to 5.0.5 (#6668)
• 297e850 Bump the minor-and-patch group with 4 updates (#6670)
• afd0239 Bump actions/setup-node from 6.3.0 to 6.4.0 (#6669)
• 7dc2de3 Fix live_title having line breaks (#6667)
• d8f2670 Update security support information for Phoenix versions
• 6ceade4 fix: only process vsn parameter when it is a binary (#6662)
• Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.26 to 1.1.30

Release notes

Sourced from phoenix_live_view's releases.

v1.1.30

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29

Bug fixes

• Prevent JS crash when hook has a duplicate ID (#4196)
• Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
• Fix phx-viewport events not firing when container has horizontal overflow (#3897)
• Handle locks on skipped nodes (#4209)
• Use moveBefore if available when reordering stream elements (#4212)

v1.1.28

Bug fixes

• Fix race condition that could lead to a JS exception when nested LiveView is removed while it is joining (#4177)

Enhancements

• A bunch of small performance and documentation improvements (thank you @​preciz!)

v1.1.27

Bug fixes

• Workaround Chrome bug when patching \<template> elements (#4163)
• Fix more type warnings on Elixir 1.20

Changelog

Sourced from phoenix_live_view's changelog.

v1.1.30 (2026-05-05)

Bug fixes

• Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29 (2026-05-04)

Bug fixes

• Prevent JS crash when hook has a duplicate ID (#4196)
• Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
• Fix phx-viewport events not firing when container has horizontal overflow (#3897)
• Handle locks on skipped nodes (#4209)
• Use moveBefore if available when reordering stream elements (#4212)

v1.1.28 (2026-03-27)

Bug fixes

• Fix race condition that could lead to a JS exception when nested LiveView is removed while it is joining (#4177)

Enhancements

• A bunch of small performance and documentation improvements (thank you @​preciz!)

v1.1.27 (2026-03-10)

Bug fixes

• Workaround Chrome bug when patching \<template> elements (#4163)
• Fix more type warnings on Elixir 1.20

Commits

• fdbbe52 Release v1.1.30
• 970932b Update assets
• ff31d01 Ensure phx-viewport hook does not fail if there's no scrollContainer
• 24090b5 Release v1.1.29
• cc83643 Update assets
• 8deb3e5 Use moveBefore if supported when reordering stream items (#4213)
• 174dad5 DOM patching: Fall back to PHX_MAGIC_ID if node ID was touched by client hook...
• 4e18a20 handle locks on skipped nodes (#4210)
• 031f00c Remove unreachable error clause in UploadTmpFileWriter.write_chunk/2
• 0b4005b Optimize traverse_dynamic for nil and binary entries
• Additional commits viewable in compare view

Updates swoosh from 1.23.0 to 1.25.1

Release notes

Sourced from swoosh's releases.

v1.25.1 🚀

✨ Features

• fix: assert_no_email_sent and refute_email_sent now catch deliver_many @​donleandro (#1123)
• Escape email content in mailbox preview UI @​mogest (#1124)

⛓️ Dependency

• Bump plug_cowboy from 2.8.0 to 2.8.1 @​dependabot (#1126)

New Contributors

• @​donleandro made their first contribution in swoosh/swoosh#1123
• @​mogest made their first contribution in swoosh/swoosh#1124

Full Changelog: swoosh/swoosh@v1.25.0...v1.25.1

v1.25.0 🚀

• Prepare minor release 1.25.0 @​copilot-swe-agent (#1122)

✨ Features

• feat: Add Swoosh.Adapters.Sandbox @​aidalgol (#1120)

📝 Documentation

• Improve discoverability and HexDocs coverage for Swoosh.Adapters.Sandbox @​copilot-swe-agent (#1121)

🧰 Maintenance

• Add release-published workflow to comment on released PRs @​copilot-swe-agent (#1118)

⛓️ Dependency

• Bump bandit from 1.10.3 to 1.10.4 @​dependabot (#1119)

v1.24.0 🚀

✨ Features

• feat: Add AzureCommunicationServices adapter @​jamilbk (#1116)

New Contributors

• @​jamilbk made their first contribution in swoosh/swoosh#1116

Full Changelog: swoosh/swoosh@v1.23.1...v1.24.0

v1.23.1 🚀

✨ Features

• Add tracking options to the mailjet adapter @​wkirschbaum (#1114)

... (truncated)

Changelog

Sourced from swoosh's changelog.

1.25.1

🐛 Bug Fixes

• Escape email content in mailbox preview UI @​mogest (#1124)
• fix: assert_no_email_sent and refute_email_sent now catch deliver_many @​donleandro (#1123)

1.25.0

✨ Features

• Add Swoosh.Adapters.Sandbox @​aidalgol (#1120)

📝 Documentation

• Improve discoverability and HexDocs coverage for Swoosh.Adapters.Sandbox @​copilot-swe-agent (#1121)

🧰 Maintenance

• Add release-published workflow to comment on released PRs @​copilot-swe-agent (#1118)

1.24.0

✨ Features

• Add Azure Communication Services adapter @​jamilbk (#1116)

1.23.1

✨ Features

• Add tracking options to the mailjet adapter @​wkirschbaum (#1114)

🧰 Maintenance

• Remove unused require Logger compilation warning @​wkirschbaum (#1115)

Commits

• 2aa9af4 Bump version to 1.25.1 (#1127)
• df97f1c Bump plug_cowboy from 2.8.0 to 2.8.1 (#1126)
• 397562e Regenerate styles with Tailwind CSS
• 3e4ff5f fix: use github.ref_name instead of github.ref for tailwind branch name
• f0b12c0 Escape email content in mailbox preview UI (#1124)
• 0b5c091 fix: assert_no_email_sent and refute_email_sent now catch deliver_many (#1123)
• 422d062 Bump release comment action to v0.5.1
• 3bd1c43 Prepare minor release 1.25.0 metadata (#1122)
• 60601c3 Bump bandit from 1.10.3 to 1.10.4 (#1119)
• a5ebfff Improve discoverability and HexDocs coverage for Swoosh.Adapters.Sandbox (#...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions