Skip to content

Bump hackney from 1.25.0 to 4.5.2#496

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/hex/hackney-4.5.2
Closed

Bump hackney from 1.25.0 to 4.5.2#496
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/hex/hackney-4.5.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps hackney from 1.25.0 to 4.5.2.

Release notes

Sourced from hackney's releases.

hackney 4.5.2

Dependency bump release. No API changes.

Changed

  • Bump h2 to 0.10.4. It fixes a regression from 0.10.3 where a blocking send whose data had fully drained received {error, stream_closed} when the stream closed on its END_STREAM chunk. A waiting sender is now settled as ok once the send buffer has drained, and only gets the close-reason error when data is still outstanding.
  • Bump quic to 1.7.0. Relevant to hackney's HTTP/3 client: the connection flow-control window now slides forward with received bytes instead of stalling after 8 MiB, so large HTTP/3 downloads keep flowing; the idle timer restarts on received activity per RFC 9000 §10.1; an invalid peer SETTINGS frame now closes the connection cleanly instead of crashing; and a client recognizes a server stateless reset (RFC 9000 §10.3) and closes promptly instead of waiting for the idle timeout.
  • Bump webtransport to 0.4.3, which aligns its transitive h2 (0.10.4) and quic (1.7.0) dependencies with hackney's own, so the wt_* API runs on the same HTTP/2 and HTTP/3 stack versions.

4.5.1

Changed

  • Bump h2 to 0.10.3. It fixes an HTTP/2 upload hang: a sender blocked on flow control is now released with {error, stream_reset} or {error, stream_closed} when the peer cancels the stream, instead of hanging for the connection's lifetime. This affects hackney's streamed request bodies over HTTP/2 when the server resets the stream mid-backpressure.

4.5.0

Added

  • HTTP QUERY method (RFC 10008) as a first-class method: hackney:query/1..4 helpers and hackney:request(query, ...). QUERY is safe and idempotent and carries a request body like POST. It works over HTTP/1.1, HTTP/2, and HTTP/3 with every request body mode (binary, streamed, async, connection API).

4.4.5

Fixed

  • HTTPS: a connection reused over a resumed TLS 1.3 session is no longer mislabeled as HTTP/1 when it negotiated HTTP/2. ssl:negotiated_protocol/1 reports nothing on a resumed session, so hackney now remembers the protocol learned on the full handshake (per host and advertised ALPN) and offers resumption only once that protocol is known, resolving a resumed session against that snapshot. Reused h2 connections take the h2 path instead of feeding h2 frames to the HTTP/1 parser.
  • HTTP/1.1: a response that cannot begin an HTTP/1 status line (for example an HTTP/2 frame on a mislabeled connection) now fails fast with {error, {bad_response, not_http}} instead of spinning the CPU in the status-line parser.
  • Connection pooling: Connection: close responses are no longer returned to the pool on the sync body path; checkin only pools connections proven keep-alive and socket-ready (unknown defaults to close); and a closed pooled entry is discarded at checkout instead of being redialed inside the pool process (#888).
  • Connection pooling: stopping a pool while requests are in flight no longer leaks the per-host concurrency (load_regulation) slots of the checked-out

... (truncated)

Changelog

Sourced from hackney's changelog.

4.5.2 - 2026-07-06

Changed

  • Bump h2 to 0.10.4. It fixes a regression from 0.10.3 where a blocking send whose data had fully drained received {error, stream_closed} when the stream closed on its END_STREAM chunk. A waiting sender is now settled as ok once the send buffer has drained, and only gets the close-reason error when data is still outstanding.
  • Bump quic to 1.7.0. Relevant to hackney's HTTP/3 client: the connection flow-control window now slides forward with received bytes instead of stalling after 8 MiB, so large HTTP/3 downloads keep flowing; the idle timer restarts on received activity per RFC 9000 §10.1; an invalid peer SETTINGS frame now closes the connection cleanly instead of crashing; and a client recognizes a server stateless reset (RFC 9000 §10.3) and closes promptly instead of waiting for the idle timeout.
  • Bump webtransport to 0.4.3, which aligns its transitive h2 (0.10.4) and quic (1.7.0) dependencies with hackney's own, so the wt_* API runs on the same HTTP/2 and HTTP/3 stack versions.

4.5.1 - 2026-07-04

Changed

  • Bump h2 to 0.10.3. It fixes an HTTP/2 upload hang: a sender blocked on flow control is now released with {error, stream_reset} or {error, stream_closed} when the peer cancels the stream, instead of hanging for the connection's lifetime. This affects hackney's streamed request bodies over HTTP/2 when the server resets the stream mid-backpressure.

4.5.0 - 2026-07-04

Added

  • HTTP QUERY method (RFC 10008) as a first-class method: hackney:query/1..4 helpers and hackney:request(query, ...). QUERY is safe and idempotent and carries a request body like POST. It works over HTTP/1.1, HTTP/2, and HTTP/3 with every request body mode (binary, streamed, async, connection API).

4.4.5 - 2026-06-18

Fixed

  • HTTPS: a connection reused over a resumed TLS 1.3 session is no longer

... (truncated)

Commits
  • d5051db Release 4.5.2: bump h2 0.10.4, quic 1.7.0, webtransport 0.4.3
  • dae00f1 Merge pull request #900 from benoitc/chore/bump-webtransport-0.4.3
  • b1f605e Bump webtransport to 0.4.3
  • 9139c25 Merge pull request #899 from benoitc/chore/bump-quic-1.7.0
  • 2e916c6 Bump quic to 1.7.0
  • 199e3b7 Merge pull request #898 from benoitc/chore/bump-h2-0.10.4
  • 16e9367 Bump h2 to 0.10.4
  • 86993e0 Merge pull request #897 from benoitc/release/4.5.1
  • 7fd57b3 Release 4.5.1: bump h2 to 0.10.3
  • 50b2691 Merge pull request #896 from benoitc/feature/query-method
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies elixir Pull requests that update elixir code labels Jul 6, 2026
@dependabot
dependabot Bot force-pushed the dependabot/hex/hackney-4.5.2 branch 2 times, most recently from 669cabb to 34d3b2f Compare July 8, 2026 15:29
Bumps [hackney](https://github.com/benoitc/hackney) from 1.25.0 to 4.5.2.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.25.0...4.5.2)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.5.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/hex/hackney-4.5.2 branch from 34d3b2f to cadcb35 Compare July 9, 2026 11:33
@princemaple princemaple closed this Jul 9, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot
dependabot Bot deleted the dependabot/hex/hackney-4.5.2 branch July 9, 2026 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies elixir Pull requests that update elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant