chore(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the dev-dependencies group with 7 updates in the / directory:

Package	From	To
ash_authentication	4.11.0	4.13.7
ash_cloak	0.1.7	0.2.0
ash_phoenix	2.3.16	2.3.19
credo	1.7.12	1.7.16
dialyxir	1.4.6	1.4.7
ex_doc	0.38.4	0.40.1
tidewave	0.5.0	0.5.4

Updates ash_authentication from 4.11.0 to 4.13.7

Release notes

Sourced from ash_authentication's releases.

v4.13.7

Bug Fixes:

• skip remember_me token generation when AAP handles it via redirect (#1119) by James Harton

• error caused by after_action ordering (#1112) by capoccias

v4.13.6

Improvements:

• properly configure remember_me strategy in installer by Zach Daniel

v4.13.5

Bug Fixes:

• check for expr compatibility in hash password changej (#1114) by Zach Daniel

• Add remember_me argument to generated magic link sign in action (#1108) by sevenseacat

• Add remember_me argument to generated magic link sign in action by sevenseacat

• add upgrader to add remember_me to magic link sign-in actions by sevenseacat

• correct assert_has_patch assertion in upgrade test by sevenseacat

• audit_log: invalid magic links log as failure by Robert Graff

• correctly lock out assent 0.3 by James Harton

• lock assent at 0.2 until the next major release by James Harton

• add --accounts flag to add_strategy task (#1096) by James Harton

• fix failing test by Josh Price

• support :null atom from JOSE 1.11.11+ in JWT tenant validation (#1092) by Shahryar Tavakkoli

• support :null atom from JOSE 1.11.12 in JWT tenant validation by Shahryar Tavakkoli

... (truncated)

Changelog

Sourced from ash_authentication's changelog.

v4.13.7 (2026-01-13)

Bug Fixes:

• skip remember_me token generation when AAP handles it via redirect (#1119) by James Harton

• error caused by after_action ordering (#1112) by capoccias

v4.13.6 (2026-01-04)

Improvements:

• properly configure remember_me strategy in installer by Zach Daniel

v4.13.5 (2026-01-04)

Bug Fixes:

• check for expr compatibility in hash password changej (#1114) by Zach Daniel

• Add remember_me argument to generated magic link sign in action (#1108) by sevenseacat

• Add remember_me argument to generated magic link sign in action by sevenseacat

• add upgrader to add remember_me to magic link sign-in actions by sevenseacat

• correct assert_has_patch assertion in upgrade test by sevenseacat

• audit_log: invalid magic links log as failure by Robert Graff

• correctly lock out assent 0.3 by James Harton

• lock assent at 0.2 until the next major release by James Harton

• add --accounts flag to add_strategy task (#1096) by James Harton

• fix failing test by Josh Price

• support :null atom from JOSE 1.11.11+ in JWT tenant validation (#1092) by Shahryar Tavakkoli

• support :null atom from JOSE 1.11.12 in JWT tenant validation by Shahryar Tavakkoli

... (truncated)

Commits

• 8faf35a chore: release version v4.13.7
• 0d2301f fix: skip remember_me token generation when AAP handles it via redirect (#1119)
• 0ad8171 fix: error caused by after_action ordering (#1112)
• c4ed9c9 chore(deps): Bump the production-dependencies group across 1 directory with 5...
• d50658d chore: release version v4.13.6
• efd54e3 chore: update installer tests to handle remember_me addition
• ce42ddd improvement: properly configure remember_me strategy in installer
• 54de190 chore: remove alias for Unknown exception
• eb40cde chore: fix incorrect usage of Unknown.exception
• 15a0e6b chore: release version v4.13.5
• Additional commits viewable in compare view

Updates ash_cloak from 0.1.7 to 0.2.0

Changelog

Sourced from ash_cloak's changelog.

v0.2.0 (2026-01-20)

Breaking Changes:

• don't encrypt attributes not in action accept list by Zach Daniel

Commits

• de34876 chore: release version v0.2.0
• 465e3e5 fix!: don't encrypt attributes not in action accept list
• 20cad13 chore: add test to demonstrate encrypted attributes accepts behavior (#132)
• 202e1ff chore(deps-dev): bump the dev-dependencies group with 2 updates (#130)
• 7772eb4 chore(deps): bump ash in the production-dependencies group (#131)
• f6b1055 chore(deps-dev): bump the dev-dependencies group across 1 directory with 2 up...
• 794375d chore(deps): bump ash in the production-dependencies group (#128)
• aa6bddf chore(deps-dev): bump the dev-dependencies group across 1 directory with 3 up...
• 7156757 chore(deps): bump ash in the production-dependencies group (#125)
• 4299187 chore(deps-dev): bump sobelow in the dev-dependencies group (#121)
• Additional commits viewable in compare view

Updates ash_phoenix from 2.3.16 to 2.3.19

Release notes

Sourced from ash_phoenix's releases.

v2.3.19

Bug Fixes:

• credo issue compare to empty list instead of length() > 0 by diogomrts [(#451)](ash-project/ash_phoenix#451)

• create takes resource instead of resource_singular (#447) by Hemanth Bollamreddi [(#447)](ash-project/ash_phoenix#447)

• Ensure that AshPhoenix.Form.update_params callback always receives a map for nested forms (#445) by sevenseacat [(#445)](ash-project/ash_phoenix#445)

• don't generate license files by @​zachdaniel

v2.3.18

Bug Fixes:

• merge_options function to use correct update method (#438) by A.S. Zwaan

• cast to string before comparison by Minsub Kim

• fix type warnings and compile issues on elixir 1.19 by @​zachdaniel

v2.3.17

Bug Fixes:

• removed to_string because it was causing related entities to be recreated instead of updated (#421) by Abdessabour Moutik [(#421)](ash-project/ash_phoenix#421)

• removed to_string because it was causing related entities to be recreated instead of being updated by Abdessabour Moutik [(#421)](ash-project/ash_phoenix#421)

• AshPhoenix.Inertia.Error argument error when reporting validation errors (#418) by rmaspoch [(#418)](ash-project/ash_phoenix#418)

• bug when creating a form for a union type which has nil as it's value (#417) by Rutgerdj [(#417)](ash-project/ash_phoenix#417)

Improvements:

• add AshPhoenix.AshEnum by sevenseacat [(#413)](ash-project/ash_phoenix#413)

• soft deprecate page_from_params/3 and introduce params_to_page_opts/3 (#422) by hy2k [(#422)](ash-project/ash_phoenix#422)

• add AshPhoenix.AshEnum by Aidan Gauland [(#413)](ash-project/ash_phoenix#413)

Changelog

Sourced from ash_phoenix's changelog.

v2.3.19 (2026-01-19)

Bug Fixes:

• credo issue compare to empty list instead of length() > 0 by diogomrts [(#451)](ash-project/ash_phoenix#451)

• create takes resource instead of resource_singular (#447) by Hemanth Bollamreddi [(#447)](ash-project/ash_phoenix#447)

• Ensure that AshPhoenix.Form.update_params callback always receives a map for nested forms (#445) by sevenseacat [(#445)](ash-project/ash_phoenix#445)

• don't generate license files by @​zachdaniel

v2.3.18 (2025-11-05)

Bug Fixes:

• merge_options function to use correct update method (#438) by A.S. Zwaan

• cast to string before comparison by Minsub Kim

• fix type warnings and compile issues on elixir 1.19 by @​zachdaniel

v2.3.17 (2025-10-16)

Bug Fixes:

• removed to_string because it was causing related entities to be recreated instead of updated (#421) by Abdessabour Moutik [(#421)](ash-project/ash_phoenix#421)

• removed to_string because it was causing related entities to be recreated instead of being updated by Abdessabour Moutik [(#421)](ash-project/ash_phoenix#421)

• AshPhoenix.Inertia.Error argument error when reporting validation errors (#418) by rmaspoch [(#418)](ash-project/ash_phoenix#418)

• bug when creating a form for a union type which has nil as it's value (#417) by Rutgerdj [(#417)](ash-project/ash_phoenix#417)

Improvements:

• add AshPhoenix.AshEnum by sevenseacat [(#413)](ash-project/ash_phoenix#413)

• soft deprecate page_from_params/3 and introduce params_to_page_opts/3 (#422) by hy2k [(#422)](ash-project/ash_phoenix#422)

• add AshPhoenix.AshEnum by Aidan Gauland [(#413)](ash-project/ash_phoenix#413)

Commits

• 587f6b6 chore: release version v2.3.19
• 1466e39 chore: fix deprecated syntax warning (#451)
• 4bd3cdc chore(deps-dev): bump the dev-dependencies group with 2 updates (#448)
• 0588c9b chore(deps): bump the production-dependencies group with 3 updates (#449)
• 6d961bb fix: create takes resource instead of resource_singular (#447)
• 3884596 fix: Ensure that AshPhoenix.Form.update_params callback always receives a m...
• 9e65030 chore(deps): bump the production-dependencies group with 5 updates (#444)
• 469169a chore(deps-dev): bump dialyxir in the dev-dependencies group (#443)
• 2b0dcba fix: don't generate license files
• 62d525d chore: release version v2.3.18
• Additional commits viewable in compare view

Updates bandit from 1.8.0 to 1.10.2

Changelog

Sourced from bandit's changelog.

1.10.2 (22 Jan 2026)

Enhancements

• Distinguish client disconnects from genuine body read timeouts (#564, thanks @​pepicrft!)

1.10.1 (5 Jan 2026)

Changes

• Change default preference order for compression methods to be 'zstd (if present), gzip, deflate' (#562)

Fixes

• Allow :zstd_options key to be set in config (#558, thanks @​Fudoshiki!)
• Fix error where deflate responses weren't always completely sent (#559, thanks @​josevalim!)

1.10.0 (29 Dec 2025)

Enhancements

• Expose response_encodings to allow specifying an explicit preference order to compression encodings (#555)

1.9.0 (12 Dec 2025)

Enhancements

• Skip body draining when Connection: close is set (#546, thanks @​pepicrft!)
• Make deflate options for WebSockets configurable (#540, thanks @​proxima!)
• Mitigate HTTP/2 rapid reset attacks (#533, thanks @​NelsonVides!)
• Implement improved respect for SETTINGS_MAX_CONCURRENT_STREAMS (#524, thanks @​NelsonVides!)
• Support zstd HTTP compression (#514, thanks @​mattmatters!)

Commits

• 5af3c8f Version bump to 1.10.2
• 06c199d fix: distinguish client disconnects from genuine body read timeouts (#564)
• da97c51 Bump req from 0.5.16 to 0.5.17 (#563)
• cd2b7c5 Version bump to 1.10.1
• bdb424b Demote deflate, promote zstd in compression choices (#562)
• 0f51165 Ensure data is fully deflated on compression (#559)
• 0088145 Remove unused requires (#561)
• 798f0be Optimize iodata emptiness checks (#560)
• 49aac49 Add missing :zstd_options key (#558)
• c26756c Bump credo from 1.7.14 to 1.7.15 (#556)
• Additional commits viewable in compare view

Updates credo from 1.7.12 to 1.7.16

Release notes

Sourced from credo's releases.

v1.7.16

Check it out on Hex: https://hex.pm/packages/credo/1.7.16

• Fix compatibility & compiler warnings with Elixir 1.20.0-rc.1
• Credo.Check.Refactor.PassAsyncInTestCases add new param :force_comment_on_explicit_false (defaults to false)
• Credo.Check.Warning.Dbg add new param :allow_captures (defaults to false)
• New Check: Credo.Check.Warning.UnusedMapOperation
• New Check: Credo.Check.Warning.UnusedOperation

v1.7.15

Check it out on Hex: https://hex.pm/packages/credo/1.7.15

• Improve performance on large projects
• Parse token_metadata for source files
• Credo.Check.Warning.ExpensiveEmptyEnumCheck have better issue messages
• Credo.Check.Refactor.MatchInCondition add new param :allow_operators
• Credo.Check.Refactor.MatchInCondition fix false positive
• Credo.Check.Readability.AliasOrder fix false positive
• Credo.Check.Readability.FunctionNames fix false positive
• Credo.Check.Readability.SinglePipe add new param :allow_blocks (defaults to true)
• Credo.Check.Refactor.ModuleDependencies fix false positive

v1.7.14

Check it out on Hex: https://hex.pm/packages/credo/1.7.14

• Fixed regression for DuplicatedCode
• Expanded Credo.Check.Warning.ExpensiveEmptyEnumCheck to cover less obvious cases
• New Check: Credo.Check.Warning.StructFieldAmount

1.7.13

Check it out on Hex: https://hex.pm/packages/credo/1.7.13

• Fix compatibility & compiler warnings with Elixir 1.19
• Credo.Check.Refactor.ABCSize fixed false positive

Changelog

Sourced from credo's changelog.

1.7.16

• Fix compatibility & compiler warnings with Elixir 1.20.0-rc.1
• Credo.Check.Refactor.PassAsyncInTestCases add new param :force_comment_on_explicit_false (defaults to false)
• Credo.Check.Warning.Dbg add new param :allow_captures (defaults to false)
• New Check: Credo.Check.Warning.UnusedMapOperation
• New Check: Credo.Check.Warning.UnusedOperation

1.7.15

• Improve performance on large projects
• Parse token_metadata for source files
• Credo.Check.Warning.ExpensiveEmptyEnumCheck have better issue messages
• Credo.Check.Refactor.MatchInCondition add new param :allow_operators
• Credo.Check.Refactor.MatchInCondition fix false positive
• Credo.Check.Readability.AliasOrder fix false positive
• Credo.Check.Readability.FunctionNames fix false positive
• Credo.Check.Readability.SinglePipe add new param :allow_blocks (defaults to true)
• Credo.Check.Refactor.ModuleDependencies fix false positive

1.7.14

• Fix regression for DuplicatedCode
• Expand Credo.Check.Warning.ExpensiveEmptyEnumCheck to cover less obvious cases
• New Check: Credo.Check.Warning.StructFieldAmount

1.7.13

• Fix compatibility & compiler warnings with Elixir 1.19
• Credo.Check.Refactor.ABCSize fixed false positive

Commits

• df52d23 Bump version to 1.7.16
• 3d7a39d Update CHANGELOG
• 8787f8a Upgrade to Elixir 1.20.0-rc.1
• 27f14b2 Rename param to :allow_captures
• 7b80669 Add :allow_capture param to Credo.Check.Warning.Dbg
• b10673d Merge branch 'fix-dbg-ampeprsand-usage' of github.com:Nezteb/credo into 1158-...
• 2f9a47c Merge pull request #1245 from whatyouhide/andrea-expand-docs
• 23c7dce FIXUP
• 2bd5d14 FIXUP
• 276f0a7 Expand compile-time strings in "use Credo.Check" options
• Additional commits viewable in compare view

Updates dialyxir from 1.4.6 to 1.4.7

Release notes

Sourced from dialyxir's releases.

1.4.7

[1.4.7] - 2025-11-05

Changed

• Bump Erlex to 0.2.8, fixes #574.

Changelog

Sourced from dialyxir's changelog.

Unreleased changes post [1.4.7]

[1.4.7] - 2025-11-05

Changed

• Bump Erlex to 0.2.8, fixes #574.

Commits

• b57d69f Release version 1.4.7
• 608b355 Bump Erlex (#583)
• ab9bd59 Fix issue template.
• 9e73fa8 Fixup changelog.
• See full diff in compare view

Updates ex_doc from 0.38.4 to 0.40.1

Changelog

Sourced from ex_doc's changelog.

v0.40.1 (2026-01-31)

• Enhancements

  • Remove link to source from generated .md files
  • Improve word-breaking of module names and sizing of main page titles
  • Include description in llms.txt

• Bug fixes

  • Fix headers in custom groups

v0.40.0 (2026-01-20)

• Enhancements

  • Introduce Markdown formatter (thanks to Yordis Prietro)
  • Generate a llms.txt document by default and add a "Copy Markdown" button to the top of every page
  • Run retriever only once per formatter
  • Support anchors on redirects

• Bug fixes

  • Copy button on erl and iex snippets now include prompts
  • Fix headers having wrong selectors due to whitespace minification
  • Only include .html links on Swup

• Breaking changes

  • Revamp the ExDoc entrypoint and formatter API. While those have never been made public, others may have relied on it. We have now changed and documented them on the path to standardization
  • The previously deprecated :assets option will raise if given a string, pass a map instead

v0.39.3 (2025-12-09)

• Enhancements
  • Add the option to trim down the footer

v0.39.2 (2025-12-04)

• Bug fixes
  • Do not strip hrefs on summaries
  • Show go to latest for prereleases
  • Prevent fake italic in autocomplete text
  • Rename "Search Hexdocs" link to "Go to package docs"

v0.39.1 (2025-10-23)

• Bug fixes
  • Improve box-shadow around autocompletion
  • Trim search engine selector on small screens
  • Fix admonition titles on small screens

v0.39.0 (2025-10-23)

• Enhancements

... (truncated)

Commits

• 20a355b Release v0.40.1
• 7a71ddf Update assets
• f44f6fe Turn whitespace minification back on
• 3802867 Improve distinction between docstring headings (H2-H4)
• e8a46c6 Change headings' levels to match their context
• 9cd866c Fix Summary Types heading size
• e8e74ee More word break tests
• 21ec71f Update assets
• 8611a16 Improve word-breaking of module names and sizing of main page titles (#2190)
• 1b1fe51 Bump lodash from 4.17.21 to 4.17.23 in /assets (#2187)
• Additional commits viewable in compare view

Updates igniter from 0.6.30 to 0.7.2

Release notes

Sourced from igniter's releases.

v0.7.2

Bug Fixes:

• don't fail on missing .formatter.exs by Zach Daniel

v0.7.1

Improvements:

• Add more context to umbrella error message (#358) by José Valim

v0.7.0

Features:

• Add support for SiteEncrypt.Phoenix.Endpoint detection (#339) by Herman verschooten

Bug Fixes:

• put_in_map/set_map_key not setting keys properly (#348) by Nick Krichevsky

• don't pass --no-git onto installers by Zach Daniel

• modify_config_code twice with keyword values (#332) by grzuy

Changelog

Sourced from igniter's changelog.

v0.7.2 (2026-01-28)

Bug Fixes:

• don't fail on missing .formatter.exs by Zach Daniel

v0.7.1 (2026-01-21)

Improvements:

• Add more context to umbrella error message (#358) by José Valim

v0.7.0 (2025-11-05)

Features:

• Add support for SiteEncrypt.Phoenix.Endpoint detection (#339) by Herman verschooten

Bug Fixes:

• put_in_map/set_map_key not setting keys properly (#348) by Nick Krichevsky

• don't pass --no-git onto installers by Zach Daniel

• modify_config_code twice with keyword values (#332) by grzuy

Commits

• 22aa432 chore: release version v0.7.2
• d64e9a4 fix: don't fail on missing .formatter.exs
• 0d5de8d chore: release version v0.7.1
• 3cd35a2 chore: bump installer version
• a527c28 chore: include change in non-archive as well
• ae7ec10 improvement: Add more context to umbrella error message (#358)
• 94aadda chore: credo
• a845564 chore: Remove unused require statements as picked up by the Elixir 1.20.0-r...
• ae59c7d build(deps-dev): bump the dev-dependencies group with 4 updates (#354)
• 18b1e05 build(deps): bump the production-dependencies group with 2 updates (#355)
• Additional commits viewable in compare view

Updates sourceror from 1.10.0 to 1.10.1

Release notes

Sourced from sourceror's releases.

v1.10.1

What's Changed

• fix: FastZipper empty siblings + new + Enum.reverse optimizations by @​novaugust in doorgan/sourceror#193
• fix: calculate ranges for charlist with concatenation by @​doorgan in doorgan/sourceror#194

Full Changelog: doorgan/sourceror@v1.10.0...v1.10.1

Changelog

Sourced from sourceror's changelog.

v1.10.1 (2026-01-26)

• [Sourceror] Fixed range calculation for charlists with concatenations.

Commits

• 5c6551d chore: v1.10.1 (#195)
• a297c1c fix: calculate ranges for charlist with concatenation (#194)
• ffb1ad3 FastZipper empty siblings + new + Enum.reverse optimizations (#193)
• See full diff in compare view

Updates tidewave from 0.5.0 to 0.5.4

Changelog

Sourced from tidewave's changelog.

v0.5.4 (2026-01-06)

• Bug fixes
  • Add bandit as an optional dependency with >= v1.10.1 to address deflate issue in Claude Code

v0.5.3 (2025-12-23)

• Bug fixes
  • Support flags and trailing spaces in CSP headers

v0.5.2 (2025-11-22)

• Bug fixes
  • Fix logging with Unicode charlists

v0.5.1 (2025-11-01)

• Enhancements

  • Add Tidewave.clear_logs/0
  • Add /tidewave/config endpoint for Tidewave App/CLI

• Bug fixes

  • Fix type of get_logs

Commits

• efdd7ab Release v0.5.4
• ee83437 More SSL docs
• 359b8e8 Require Bandit v1.10.1
• 0cf6fc3 Clarify Caddy example
• 1a1936b Use notation
• f737eae Add a section on using Caddy
• e0fe156 Document TanStack Start
• b65a8f2 Document matching hosts and ports
• 5a36b39 Link to MCP page
• 5329150 Explain what the MCP brings a bit more
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.