chore(deps): bump hackney from 1.25.0 to 4.0.0 #202

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/hex/hackney-4.0.0

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Bumps hackney from 1.25.0 to 4.0.0.

Release notes

Sourced from hackney's releases.

hackney 4.0.0

Hackney 4 trims the client down. The HTTP/2 and HTTP/3 stacks are now delegated to erlang_h2 and erlang_quic, so hackney no longer ships its own framing, HPACK / QPACK codecs, control streams or state machines. The HTTP/3 path is fully RFC 9114 compliant via quic_h3, with ALPN negotiation, Alt-Svc discovery (RFC 7838), and the same hackney:request/5 API as HTTP/1.1.

The bundled metrics subsystem is gone. In its place a Go-style middleware chain runs around hackney:request/1..5, configured per request with {middleware, [Fun, ...]} or globally via application:set_env(hackney, middleware, [...]). Users plug in prometheus, telemetry or anything else without hackney owning the policy. See the Middleware Guide and the HTTP/3 Guide.

Breaking

  • Removed hackney_metrics, hackney_metrics_backend, hackney_metrics_prometheus, hackney_metrics_dummy. The metrics_backend app env is no longer read. Migration recipes for prometheus and telemetry are in guides/middleware.md. Pool state is still observable through hackney_pool:get_stats/1.
  • HTTP/2 and HTTP/3 low-level message tags and modules moved to the new libraries. The user-facing hackney:request/5 API is unchanged.

What's new

  • Middleware chain (hackney_middleware): outermost-first composition, request rewrite, response rewrite, short-circuit, per-request or global config.
  • HTTP/3 via quic_h3: pure Erlang QUIC stack, no NIFs. ALPN-negotiated, opt-in with {protocols, [http3, http2, http1]} or application:set_env(hackney, default_protocols, [http3, http2, http1]).
  • Alt-Svc auto-discovery: server Alt-Svc headers are now parsed and cached on every response (HTTP/1.1, HTTP/2 and HTTP/3), so subsequent requests can upgrade to HTTP/3 transparently. Honors clear and merges multiple Alt-Svc headers per RFC 7230 §3.2.2.
  • HTTP/2 connection-pooling stability fixes for sustained concurrent load (#836).

Deps

  • h2 0.4.0
  • quic 1.0.0

Full changelog: https://github.com/benoitc/hackney/blob/4.0.0/NEWS.md

3.2.1

Bug Fixes

  • Fix recv_timeout option being ignored for pooled connections (#832)
  • Fix off-by-one error in HPACK decoding (#831)
  • Fix invalid match in handle_h2_frame/2 for HTTP/2 window updates (#829)
  • Fix binary syntax in EDoc comment to fix XML parsing error

3.2.0

Refactor

  • Replace all cowlib modules with hackney-native implementations
  • Remove src/libs/ directory (all modules moved to src/)

Performance

  • HTTP/2 state machine optimizations:
    • Stream caching for recently accessed streams
    • gb_sets for lingering streams (O(log N) vs O(N) lookups)
    • IOList accumulation for header fragments
  • HPACK and QPACK header compression with O(1) static table lookups
  • WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys

Added

  • h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)

... (truncated)

Changelog

Sourced from hackney's changelog.

4.0.0 - 2026-04-16

Hackney 4 trims the client down. The HTTP/2 and HTTP/3 stacks are now delegated to erlang_h2 and erlang_quic, so hackney no longer ships its own framing, HPACK / QPACK codecs, control streams or state machines. The HTTP/3 path is fully spec-compliant via quic_h3, with ALPN negotiation, Alt-Svc discovery (RFC 7838), and the same hackney:request/5 API as HTTP/1.1. The bundled metrics subsystem is gone too, replaced by a Go-style middleware chain that lets users plug in prometheus, telemetry or anything else without hackney owning the policy. See guides/middleware.md and guides/http3_guide.md.

Breaking

  • Removed the built-in metrics subsystem (hackney_metrics, hackney_metrics_backend, hackney_metrics_prometheus, hackney_metrics_dummy). Hackney no longer emits request or pool metrics on its own and the metrics_backend app-env is no longer read. In its place, hackney:request/1..5 runs a chain of user-supplied middleware (Go-style RoundTripper) configured via the {middleware, [Fun, ...]} option or application:set_env(hackney, middleware, [...]). See guides/middleware.md for the API, chain semantics, and worked prometheus / telemetry recipes. Pool state is still observable via hackney_pool:get_stats/1.

Bug Fixes

  • Wire hackney_altsvc:parse_and_cache/3 into the response path so server-advertised HTTP/3 endpoints are actually recorded. Previously the cache was only populated by manual cache/4 calls; the HTTP/3 guide claimed automatic discovery but it never fired. Same hook honors RFC 7838 clear (invalidates the cached entry) and merges multiple Alt-Svc headers per RFC 7230 §3.2.2. Fires on every protocol so the cache TTL stays fresh while h3 is in use.
  • Fix HTTP/2 pooled connections wedging under sustained concurrent load (#836). The pool checks out a TCP connection first then upgrades to SSL+ALPN; connected(enter) armed the 2s pool idle timer while the protocol was still classified as HTTP/1.1, and the timer then fired on a busy multiplexed HTTP/2 connection, terminating it mid-request. init_h2_connection / init_h2_after_upgrade now explicitly cancel the idle timer. hackney_conn also traps EXIT from the linked h2_connection and stays alive briefly in closed state so late calls that raced the pool checkout get a proper error reply instead of exit:{normal, _}. Pool's checkout_h2 validates the state of the connection process (not just is_process_alive).
  • Bump h2 dependency to 0.4.0.

Refactor

... (truncated)

Commits
  • 322dd90 Merge pull request #847 from benoitc/release/4.0.0
  • db4ef5d release(4.0.0): bump version, declare quic in applications
  • 943fa9e Merge pull request #846 from benoitc/feat/altsvc-wiring
  • a07a1dc feat(altsvc): wire parse_and_cache into response path
  • dae2279 Merge pull request #845 from benoitc/feat/roundtripper-middleware
  • cc078da fix(middleware): use #hackney_url{} record instead of unknown type
  • 3cda81b feat(middleware): RoundTripper-style chain; drop hackney_metrics
  • 73051df Merge pull request #844 from benoitc/docs/readme-refresh-837
  • 3d85bfe docs(readme): drop removed stream_body/1 and deprecated with_body (#837)
  • 45eeaa8 Merge pull request #843 from benoitc/fix/h2-pool-concurrency-hang
  • Additional commits viewable in compare view

Bumps [hackney](https://github.com/benoitc/hackney) from 1.25.0 to 4.0.0.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.25.0...4.0.0)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies elixir Pull requests that update elixir code labels Apr 17, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 17, 2026 04:04
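
The 4.0.0 notes above say Alt-Svc headers are now parsed and cached on every response, honoring `clear` and merging multiple headers per RFC 7230 §3.2.2. The sketch below is an added example for reviewers of this bump, not hackney's code and not a call into `hackney_altsvc`: it shows what an RFC 7838 parser extracts from those headers, that is, which alternative host and port a response can ask a client to remember. The function names and sample hostnames are constructed for illustration.

```python
import re
from urllib.parse import unquote

DEFAULT_MA = 86400                    # RFC 7838: "ma" defaults to 24 hours
PORT = re.compile(r"[0-9]+")


def split_unquoted(text, sep):
    """Split on sep, skipping separators inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_alt_svc(header_values):
    """Return "clear" or a list of alternatives for one response's Alt-Svc lines."""
    merged = ", ".join(header_values)            # RFC 7230 section 3.2.2 merge
    if merged.strip() == "clear":                # keyword is case-sensitive
        return "clear"
    entries = []
    for alt_value in split_unquoted(merged, ","):
        alternative, *params = split_unquoted(alt_value, ";") or [""]
        proto, eq, authority = alternative.partition("=")
        host, colon, port = authority.strip().strip('"').rpartition(":")
        if not eq or not colon or not PORT.fullmatch(port):
            continue                             # malformed alternative: ignore it
        entry = {"alpn": unquote(proto.strip()), "host": host or None,
                 "port": int(port), "ma": DEFAULT_MA, "persist": False}
        for param in params:
            name, _, value = param.partition("=")
            value = value.strip().strip('"')
            if name.strip() == "ma" and PORT.fullmatch(value):
                entry["ma"] = int(value)
            elif name.strip() == "persist":
                entry["persist"] = value == "1"
        entries.append(entry)
    return entries
```
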