chore(deps): update dependency hackney to v1.25.0 - autoclosed#102

Closed
renovate[bot] wants to merge 1 commit into main from renovate/hackney-1.x-lockfile

@renovate renovate Bot commented Sep 16, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| hackney (source) | prod | minor | 1.20.1 -> 1.25.0 |

Release Notes

benoitc/hackney (hackney)

v1.25.0: - 2025-07-24

Compare Source

IMPORTANT CHANGE

  • change: insecure_basic_auth now defaults to true instead of false

    This restores backward compatibility with pre-1.24.0 behavior where basic auth
    was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

    • Set globally: application:set_env(hackney, insecure_basic_auth, false)
    • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0
Doc: https://hexdocs.pm/hackney/readme.html

v1.24.1: - 2025-05-26

Compare Source

Changes

1.24.1 - 2025-05-26

  • fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html

v1.24.0: - 2025-05-26

Compare Source

Changes
  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Available on hex.pm

** Breaking Change **

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Full Changelog: benoitc/hackney@1.23.0...1.24.0

v1.23.0: - 2025-02-25

Compare Source

Changes:

fix: happy eyeball use correct timeout during connection
fix: don't wrap connection error
improvement: eyeball only spawn ipv6 worker when needed

Available on hex.pm https://hexdocs.pm/hackney/1.23.0/

v1.22.0: - 2025-02-20

Compare Source

Changes
  • feature: prefer to connect using IPv6. happy eyeball strategy
  • improvement: fully support no_proxy environment variable
  • doc: migrated to ex_doc

v1.21.0: - 2025-02-20

Compare Source

1.21.0 - 2025-02-20

fix: remove SSL options incompatible with tls 1.3
fix: url parsing handle "/" path correctly
fix: simplify integration test suite
fix: handle chunked response in redirect responses
fix: handle http & https proxies separately
fix: skip junk lines in 1.xx response

** security fixes **

fix URL parsing to prevent SSRF (related to CVE-2025-1211)
use latest SSL certificate bundle

Available on hex.pm : https://hex.pm/packages/hackney


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
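
The release notes above flip the `insecure_basic_auth` default twice (false in 1.24.x, true again in 1.25.0), so a caller that relies on the library default changes behaviour with this bump. The following is an added example, not code from hackney or from this repository: a boot-time check that accepts only an explicit `false`, and a request wrapper that refuses to attach basic auth credentials to a non-HTTPS URL. The module name `basic_auth_guard`, its function names and its error tuples are hypothetical; it assumes the URL is passed as a binary or string and that `check_default/0` is called after the hackney application is loaded.

```erlang
%% Added example; module and function names are hypothetical, not hackney API.
-module(basic_auth_guard).
-export([check_default/0, request/5]).

%% Boot-time check. If the variable is unset, the library default applies,
%% and per the release notes above that default is false in 1.24.x and
%% true in 1.25.0, so only an explicit `false` is accepted.
check_default() ->
    case application:get_env(hackney, insecure_basic_auth) of
        {ok, false} -> ok;
        {ok, Other} -> {error, {insecure_basic_auth, Other}};
        undefined   -> {error, {insecure_basic_auth, library_default}}
    end.

%% Wrapper around hackney:request/5. Assumes Url is a binary or a string.
%% Forces the per-request option to false and, independently of the library,
%% refuses to send basic_auth credentials unless the scheme is https.
request(Method, Url, Headers, Body, Opts0) ->
    Opts = [{insecure_basic_auth, false}
            | proplists:delete(insecure_basic_auth, Opts0)],
    case proplists:is_defined(basic_auth, Opts) of
        true ->
            case scheme(Url) of
                <<"https">> ->
                    hackney:request(Method, Url, Headers, Body, Opts);
                Scheme ->
                    %% Fail closed: http, unknown or unparsable scheme.
                    {error, {basic_auth_requires_https, Scheme}}
            end;
        false ->
            hackney:request(Method, Url, Headers, Body, Opts)
    end.

%% Lower-cased URL scheme as a binary, or undefined if none can be parsed.
scheme(Url) ->
    case uri_string:parse(unicode:characters_to_binary(Url)) of
        #{scheme := S} -> string:lowercase(S);
        _ -> undefined
    end.
```

Setting `{hackney, [{insecure_basic_auth, false}]}` in the release's application environment makes `check_default/0` return `ok` on every hackney version listed in these notes.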

@renovate renovate Bot force-pushed the renovate/hackney-1.x-lockfile branch 3 times, most recently from 3d73716 to bd5f2d9 Compare January 8, 2026 19:19
@renovate renovate Bot added deps This dependency needs update hex Elixir libraries labels Jan 8, 2026
@renovate renovate Bot force-pushed the renovate/hackney-1.x-lockfile branch 2 times, most recently from a04b01e to eb5d7a1 Compare January 9, 2026 01:48
@renovate renovate Bot force-pushed the renovate/hackney-1.x-lockfile branch from eb5d7a1 to 0ff70f9 Compare January 9, 2026 01:53
@renovate renovate Bot changed the title chore(deps): update dependency hackney to v1.25.0 chore(deps): update dependency hackney to v1.25.0 - autoclosed Jan 9, 2026
@renovate renovate Bot closed this Jan 9, 2026
@renovate renovate Bot deleted the renovate/hackney-1.x-lockfile branch January 9, 2026 02:00