Skip to content

chore(deps): bump req from 0.5.17 to 0.6.2#1065

Merged
cloedu87 merged 3 commits into
developfrom
dependabot/hex/req-0.6.2
Jul 8, 2026
Merged

chore(deps): bump req from 0.5.17 to 0.6.2#1065
cloedu87 merged 3 commits into
developfrom
dependabot/hex/req-0.6.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps req from 0.5.17 to 0.6.2.

Release notes

Sourced from req's releases.

v0.6.1

v0.6.0

  • encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @​PJUllrich for reporting it.

  • decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.2 (2026-06-19)

  • Use finch ~> 0.21.

v0.6.1 (2026-06-08)

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

  • [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @​PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still list of {filename :: charlist(), contents :: binary} tuples. In the future release, this will be list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of nimble_csv dependency was suprising. CSV support is still built-in but need to be enabled with decoders: [:csv].

... (truncated)

Commits
  • f2c833c Release v0.6.2
  • f082be9 Use finch ~> 0.21
  • 36a8252 Release v0.6.1
  • ea5506f compressed, decompress_body: Disable automatic decompression
  • 8e7425f Release v0.6.0
  • 584a490 decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding
  • 2d77dbe encode_body: Security fix for :form_multipart header injection
  • 53c3b99 Release v0.5.18
  • dc1f3be Update ex_doc
  • dbd145c Update CHANGELOG.md
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file elixir Pull requests that update Elixir code labels Jul 8, 2026
@dependabot
dependabot Bot force-pushed the dependabot/hex/req-0.6.2 branch from 3fc2405 to 129b558 Compare July 8, 2026 10:35
Bumps [req](https://github.com/wojtekmach/req) from 0.5.17 to 0.6.2.
- [Release notes](https://github.com/wojtekmach/req/releases)
- [Changelog](https://github.com/wojtekmach/req/blob/main/CHANGELOG.md)
- [Commits](wojtekmach/req@v0.5.17...v0.6.2)

---
updated-dependencies:
- dependency-name: req
  dependency-version: 0.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/hex/req-0.6.2 branch from 129b558 to ca59671 Compare July 8, 2026 10:38
cloedu87
cloedu87 previously approved these changes Jul 8, 2026
…ng globally to prevent .get calls from failing.
@cloedu87
cloedu87 enabled auto-merge (squash) July 8, 2026 13:20
@cloedu87
cloedu87 disabled auto-merge July 8, 2026 13:48
@cloedu87
cloedu87 merged commit 2dc1ceb into develop Jul 8, 2026
8 checks passed
@cloedu87
cloedu87 deleted the dependabot/hex/req-0.6.2 branch July 8, 2026 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file elixir Pull requests that update Elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant