Skip to content

build(deps): bump hackney from 1.20.1 to 3.0.1#133

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/hex/master/hackney-3.0.1
Closed

build(deps): bump hackney from 1.20.1 to 3.0.1#133
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/hex/master/hackney-3.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jan 28, 2026

Copy link
Copy Markdown
Contributor

Bumps hackney from 1.20.1 to 3.0.1.

Release notes

Sourced from hackney's releases.

1.25.0 - 2025-07-24

IMPORTANT CHANGE

  • change: insecure_basic_auth now defaults to true instead of false

    This restores backward compatibility with pre-1.24.0 behavior where basic auth was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

    • Set globally: application:set_env(hackney, insecure_basic_auth, false)
    • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0 Doc: https://hexdocs.pm/hackney/readme.html

1.24.1 - 2025-05-26

Changes

1.24.1 - 2025-05-26

  • fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1 Doc: https://hexdocs.pm/hackney/readme.html

1.24.0 - 2025-05-26

Changes

  • security: fix basic auth credential exposure vulnerability

... (truncated)

Changelog

Sourced from hackney's changelog.

3.0.1 - 2026-01-28

Bug Fixes

  • Fix dialyzer warning in follow_redirect by removing dead code branch that checked is_pid() on a value that was always binary
  • Store final redirect location in connection process state so it can be retrieved via hackney:location/1
  • Clean up request_ret() type spec to accurately reflect return values

3.0.0 - 2026-01-27

BREAKING CHANGES

This is a major release with breaking changes to the high-level API. See Migration Guide for detailed upgrade instructions.

Response Format Change

The high-level API now returns the response body directly in the tuple, consistent across all protocols (HTTP/1.1, HTTP/2, HTTP/3):

%% Before (2.x) - HTTP/1.1
{ok, 200, Headers, ConnPid} = hackney:get(URL),
{ok, Body} = hackney:body(ConnPid).
%% After (3.x) - All protocols
{ok, 200, Headers, Body} = hackney:get(URL).

Removed Functions

The following deprecated functions have been removed:

Function Replacement
hackney:body/1 Body returned directly in response tuple
hackney:body/2 Body returned directly in response tuple
hackney:stream_body/1 Use async mode with [async] or [{async, once}]
hackney:skip_body/1 Not needed - body always consumed

Security: Cross-Host Redirect Behavior (CVE-2018-1000007)

Authorization headers and credentials are no longer forwarded when following redirects to a different host. This prevents credential leakage when a server redirects to an untrusted host.

To restore the previous behavior (not recommended), use the location_trusted option:

hackney:get(URL, [], <<>>, [{location_trusted, true}]).

... (truncated)

Commits
  • 6c8046d release: version 3.0.1
  • 515745f fix: store final redirect location in connection process
  • bee5ae0 fix: resolve dialyzer warning in follow_redirect
  • 38d8baa Merge pull request #822 from benoitc/fix/consistent-response-format
  • 491faa3 fix(docs): use edoc quote syntax for inline code
  • b4436d3 docs: update version references to 3.0.0
  • 854d57a docs: add manual connection management documentation
  • 64412e6 release: version 3.0.0
  • badebc6 feat(http3): add setopts/2 support for HTTP/3 connections
  • ac4ebb0 feat(http3): add peercert/1 support for HTTP/3 connections
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hackney](https://github.com/benoitc/hackney) from 1.20.1 to 3.0.1.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.20.1...3.0.1)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file elixir Pull requests that update Elixir code labels Jan 28, 2026
@dependabot @github

dependabot Bot commented on behalf of github Feb 3, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #135.

@dependabot dependabot Bot closed this Feb 3, 2026
@dependabot dependabot Bot deleted the dependabot/hex/master/hackney-3.0.1 branch February 3, 2026 08:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file elixir Pull requests that update Elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants