
security update: httpoison #150

Open
kp-cat wants to merge 1 commit into main from secu-update-202606


kp-cat commented Jun 18, 2026

Member

Describe the purpose of your pull request

  • Security update

Related issues (only if applicable)

Security (only if applicable)

  • mix.exs: bumped the httpoison constraint from ~> 1.7 or ~> 2.0 to ~> 2.0 or ~> 3.0.
  • mix.lock: resolved to httpoison 3.0.0 (was 2.2.3), which pulls in hackney 4.4.3 (was 1.25.0). httpoison's changelog states 3.0.0 "upgrades to hackney 4.0, which fixes several CVEs
    (atom-table exhaustion via URL schemes, HTTP header injection, WebSocket buffer limits and more)" — this is almost certainly the high-severity vuln Snyk flagged.
  • Also picked up minor bumps: certifi, idna, mimerl, parse_trans, plus new transitive deps h2, quic, webtransport (hackney 4.x's HTTP/2 and QUIC support).

Requirement checklist (only if applicable)

  • I have covered the applied changes with automated tests.
  • I have executed the full automated test set against my changes.
  • I have validated my changes against all supported platform versions.
  • I have read and accepted the contribution agreement.

kp-cat requested a review from a team as a code owner June 18, 2026 09:13