phoenixframework
diff --git a/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎mix.exs‎
Lines changed: 1 addition & 1 deletion b/‎mix.exs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎package-lock.json‎
Lines changed: 2 additions & 2 deletions b/‎package-lock.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎priv/static/phoenix.cjs.js‎
Lines changed: 10 additions & 3 deletions b/‎priv/static/phoenix.cjs.js‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎priv/static/phoenix.cjs.js.map‎
Lines changed: 2 additions & 2 deletions b/‎priv/static/phoenix.cjs.js.map‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎priv/static/phoenix.js‎
Lines changed: 10 additions & 3 deletions b/‎priv/static/phoenix.js‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎priv/static/phoenix.min.js‎
Lines changed: 2 additions & 2 deletions b/‎priv/static/phoenix.min.js‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎priv/static/phoenix.mjs‎
Lines changed: 10 additions & 3 deletions b/‎priv/static/phoenix.mjs‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎priv/static/phoenix.mjs.map‎
Lines changed: 2 additions & 2 deletions b/‎priv/static/phoenix.mjs.map‎
Lines changed: 2 additions & 2 deletions
@@ -29,6 +29,12 @@ This release introduces deprecation warnings for several features that have been
 
   * The `config` variable is no longer available in `Phoenix.Endpoint`. In the past, it was possible to read your endpoint configuration at compile-time via an injected variable named `config`, which is no longer supported. Use `Application.compile_env/3` instead, which is tracked by the Elixir compiler and lead to a better developer experience. This may also lead to errors on application boot if you were previously incorrectly setting compile time config at runtime.
 
+## 1.8.6 (2026-05-05)
+
+### Security fixes
+
+* [CVE-2026-32689](https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q): Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting
+
 ## 1.8.5 (2026-03-05)
 
 ### JavaScript Client Bug Fixes
 
@@ -8,7 +8,7 @@ defmodule Phoenix.MixProject do
     end
   end
 
-  @version "1.8.5"
+  @version "1.8.6"
   @scm_url "https://github.com/phoenixframework/phoenix"
 
   # If the elixir requirement is updated, we need to make the installer
 
@@ -1,6 +1,6 @@
 {
   "name": "phoenix",
-  "version": "1.8.5",
+  "version": "1.8.6",
   "description": "The official JavaScript client for the Phoenix web framework.",
   "license": "MIT",
   "module": "./priv/static/phoenix.mjs",
 
@@ -45,6 +45,7 @@ var Phoenix = (() => {
   var global = globalSelf || phxWindow || globalThis;
   var DEFAULT_VSN = "2.0.0";
   var SOCKET_STATES = { connecting: 0, open: 1, closing: 2, closed: 3 };
+  var MAX_LONGPOLL_BATCH_SIZE = 100;
   var DEFAULT_TIMEOUT = 1e4;
   var WS_CLOSE_NORMAL = 1e3;
   var CHANNEL_STATES = {
@@ -746,16 +747,22 @@ var Phoenix = (() => {
         }, 0);
       }
     }
-    batchSend(messages) {
+    batchSend(messages, offset = 0) {
       this.awaitingBatchAck = true;
-      this.ajax("POST", { "Content-Type": "application/x-ndjson" }, messages.join("\n"), () => this.onerror("timeout"), (resp) => {
-        this.awaitingBatchAck = false;
+      const next = offset + MAX_LONGPOLL_BATCH_SIZE;
+      const batch = messages.slice(offset, next);
+      this.ajax("POST", { "Content-Type": "application/x-ndjson" }, batch.join("\n"), () => this.onerror("timeout"), (resp) => {
         if (!resp || resp.status !== 200) {
+          this.awaitingBatchAck = false;
           this.onerror(resp && resp.status);
           this.closeAndRetry(1011, "internal server error", false);
+        } else if (next < messages.length) {
+          this.batchSend(messages, next);
         } else if (this.batchBuffer.length > 0) {
           this.batchSend(this.batchBuffer);
           this.batchBuffer = [];
+        } else {
+          this.awaitingBatchAck = false;
         }
       });
     }
 
@@ -16,6 +16,7 @@ var phxWindow = typeof window !== "undefined" ? window : null;
 var global = globalSelf || phxWindow || globalThis;
 var DEFAULT_VSN = "2.0.0";
 var SOCKET_STATES = { connecting: 0, open: 1, closing: 2, closed: 3 };
+var MAX_LONGPOLL_BATCH_SIZE = 100;
 var DEFAULT_TIMEOUT = 1e4;
 var WS_CLOSE_NORMAL = 1e3;
 var CHANNEL_STATES = {
@@ -717,16 +718,22 @@ var LongPoll = class {
       }, 0);
     }
   }
-  batchSend(messages) {
+  batchSend(messages, offset = 0) {
     this.awaitingBatchAck = true;
-    this.ajax("POST", { "Content-Type": "application/x-ndjson" }, messages.join("\n"), () => this.onerror("timeout"), (resp) => {
-      this.awaitingBatchAck = false;
+    const next = offset + MAX_LONGPOLL_BATCH_SIZE;
+    const batch = messages.slice(offset, next);
+    this.ajax("POST", { "Content-Type": "application/x-ndjson" }, batch.join("\n"), () => this.onerror("timeout"), (resp) => {
       if (!resp || resp.status !== 200) {
+        this.awaitingBatchAck = false;
         this.onerror(resp && resp.status);
         this.closeAndRetry(1011, "internal server error", false);
+      } else if (next < messages.length) {
+        this.batchSend(messages, next);
       } else if (this.batchBuffer.length > 0) {
         this.batchSend(this.batchBuffer);
         this.batchBuffer = [];
+      } else {
+        this.awaitingBatchAck = false;
       }
     });
   }
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "phoenix",`
`3`		`- "version": "1.8.5",`
	`3`	`+ "version": "1.8.6",`
`4`	`4`	`"description": "The official JavaScript client for the Phoenix web framework.",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"module": "./priv/static/phoenix.mjs",`