4.4.5

Fixed

• HTTPS: a connection reused over a resumed TLS 1.3 session is no longer
  mislabeled as HTTP/1 when it negotiated HTTP/2. ssl:negotiated_protocol/1
  reports nothing on a resumed session, so hackney now remembers the protocol
  learned on the full handshake (per host and advertised ALPN) and offers
  resumption only once that protocol is known, resolving a resumed session
  against that snapshot. Reused h2 connections take the h2 path instead of
  feeding h2 frames to the HTTP/1 parser.
• HTTP/1.1: a response that cannot begin an HTTP/1 status line (for example an
  HTTP/2 frame on a mislabeled connection) now fails fast with
  {error, {bad_response, not_http}} instead of spinning the CPU in the
  status-line parser.
• Connection pooling: Connection: close responses are no longer returned to
  the pool on the sync body path; checkin only pools connections proven
  keep-alive and socket-ready (unknown defaults to close); and a closed pooled
  entry is discarded at checkout instead of being redialed inside the pool
  process (#888).
• Connection pooling: stopping a pool while requests are in flight no longer
  leaks the per-host concurrency (load_regulation) slots of the checked-out
  connections. The pool now traps exits so its shutdown releases those slots and
  stops the in-use connections, instead of orphaning them and starving the host's
  concurrency cap node-wide (#892).

4.4.4

Fixed

• HTTP/2: a connection is no longer reused after the peer sends GOAWAY while keeping the socket open (as AWS ALB does to recycle connections). The connection is retired so the pool dials a fresh one, instead of being handed out again with new streams the peer ignores until recv_timeout.
• HTTP/2: when the per-stream recv_timeout watchdog fires, the stalled stream is cancelled (RST_STREAM) so the peer stops sending and the connection is not reused with an orphaned stream.
• HTTP/1.1: bytes that issue #544's idle {active, once} delivers to the connection mailbox on a reused connection are now buffered and fed to the next request instead of dropping the connection (refines the 4.4.3 behavior), so a reused request no longer blocks to recv_timeout while the response sits stranded as an unread message. The idle buffer is bounded, and a server close still refuses reuse (#544).

4.4.3

Fixed

• HTTP/2: a response that signals end of stream with a trailing HEADERS frame (trailers, or an empty trailing HEADERS as proxies emit for responses without a content-length) no longer hangs the body read until recv_timeout. The trailer event is now treated as end of stream, so reads complete on fresh and reused connections (#884).
• HTTP/2: sync reads run under a per-stream recv_timeout watchdog, so a lost frame fails fast with {error, timeout} instead of blocking until the connection dies.
• HTTP/1.1: a pooled connection that received unsolicited data while idle is dropped at checkout instead of having the bytes discarded, which could strand or corrupt the next read. Healthy idle connections still reuse normally, preserving keep-alive and the issue #544 stale-connection detection.

4.4.2

Fixed

• Apply the pool overflow fix to the opt-in ssl_pooling checkout path. With ssl_pooling enabled and pool_size below max_per_host, a second concurrent HTTPS request could still fail with checkout_timeout; it now opens an overflow connection like the plain checkout path, closed at checkin rather than pooled. HTTP/2 and HTTP/3 are unaffected (they multiplex over shared connections). (#882)

4.4.1

Fixed

• Pool checkout no longer fails with checkout_timeout when a connection from a just-completed request has not yet been checked back in. pool_size / max_connections now bounds the warm (idle) pool kept for reuse; per-host concurrency is capped by max_per_host. A request beyond the warm pool size opens an overflow connection that is closed at checkin instead of being pooled. Set max_per_host to cap concurrent connections to a host.

Dependencies

• webtransport 0.4.0 -> ~> 0.4.1, h2 ~> 0.10.0 -> ~> 0.10.1, quic 1.6.5 -> ~> 1.6.5. The exact webtransport 0.4.0 pin required h2 0.9.0, conflicting with hackney's own h2 ~> 0.10.0 and breaking installation on strict resolvers. webtransport 0.4.1 relaxes that requirement; the ranges now accept any 0.4.x / 0.10.x / 1.6.x patch release without a further bump. (#879)

4.4.0

Added

• HTTP/2 streaming request bodies and streaming response reads, reaching parity with HTTP/1.1 and HTTP/3: pass stream as the body, send chunks with send_body/2 then finish_send_body/1, and read the response with start_response/1 followed by body/1 or stream_body/1. (#875)
• Full-duplex HTTP/2 bidirectional streaming (gRPC-style) via a new h2_* API (h2_open, h2_send, h2_recv, h2_send_trailers, h2_consume, h2_setopts, h2_close), mirroring the ws_* and wt_* APIs. Send and receive interleaved on one stream, with trailers, passive/active delivery, and {flow_control, manual} + h2_consume/2 backpressure. (#876)

Dependencies

• h2 0.9.0 -> ~> 0.10.0, now accepting every patched 0.10 release.

4.3.0

Added

• Opt-in pooling of HTTPS/1.1 connections via {ssl_pooling, true} (request option or application env, default false). Upgraded SSL connections return to the pool keyed by the hash of their effective TLS options and are reused only on an exact match, skipping the handshake on follow-up requests. (#872)
• TLS 1.3 session resumption for the default TLS config. With no ssl_options, connections use {session_tickets, auto}. Disable with the tls_session_resumption env. Custom ssl_options never resume (the OTP ticket store is node-wide and a resumed session skips certificate validation). (#872)

Changed

• Shared HTTP/2 and HTTP/3 connections, and cached 0-RTT tickets, are keyed by the effective TLS options, so requests with different ssl_options no longer share a connection or resume each other's tickets.
• The per-request TLS options hash is memoized in a bounded ETS cache.
• SNI: no server_name_indication is sent for IP-literal hosts (RFC 6066) across HTTP/1.1, HTTP/2 and HTTP/3. A user-supplied server_name_indication is honored consistently as both the wire value and the verification target, and disable suppresses SNI without weakening verification.
• Bump quic to 1.6.5 and webtransport to 0.4.0.

4.2.3

Dependencies

• h2 0.8.0 -> 0.9.0
• webtransport 0.3.2 -> 0.3.3
• parse_trans 3.4.1 -> 3.4.2
• cowboy 2.12.0 -> 2.16.0 (test only); ranch test helper updated for the ranch 2.x protocol callback

4.2.2

Fixed

• Pool no longer crashes when a pooled connection dies during the liveness check. find_available could call hackney_conn:is_ready/1 on a connection that died right after the is_process_alive/1 check, and the resulting noproc exit took down the pool. The dead connection is now skipped. (#869)

4.2.1

Dependencies

• quic 1.6.3 -> 1.6.4.
• webtransport 0.3.1 -> 0.3.2.
• certifi 2.16.0 -> 2.17.0.