Skip to content

Releases: benoitc/hackney

1.25.0 - 2025-07-24

24 Jul 11:39
@benoitc benoitc
1.25.0
8c00789
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
1.25.0 - 2025-07-24 Latest
Latest

IMPORTANT CHANGE

  • change: insecure_basic_auth now defaults to true instead of false

    This restores backward compatibility with pre-1.24.0 behavior where basic auth
    was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

    • Set globally: application:set_env(hackney, insecure_basic_auth, false)
    • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0
Doc: https://hexdocs.pm/hackney/readme.html

Assets 2
Loading

1.24.1 - 2025-05-26

26 May 11:45
@benoitc benoitc
1.24.1
d59b422
Compare
Choose a tag to compare
1.24.1 - 2025-05-26

Changes

1.24.1 - 2025-05-26

  • fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html

Loading

1.24.0 - 2025-05-26

26 May 03:17
@benoitc benoitc
1.24.0
1239ec6
Compare
Choose a tag to compare
1.24.0 - 2025-05-26

Changes

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Available on hex.pm

** Breaking Change **

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Full Changelog: 1.23.0...1.24.0

Loading

1.23.0 - 2025-02-25

25 Feb 11:37
@benoitc benoitc
1.23.0
befe2df
Compare
Choose a tag to compare
1.23.0 - 2025-02-25

Changes:

fix: happy eyeball use correct timeout during connectino
fix: don't wrap conection error
improvement: eyeballonly spawn ipv6 worker when needed

Available on hex.pm https://hexdocs.pm/hackney/1.23.0/

Loading

1.22.0 - 2025-02-20

20 Feb 22:04
@benoitc benoitc
1.22.0
e61da0b
Compare
Choose a tag to compare
1.22.0 - 2025-02-20

Changes

  • feature: prefer to connect using IPv6. happy eyeball strategy
  • improvement: fully support no_proxy environment variable
  • doc: migrated to ex_doc
Loading

1.21.0 - 2025-02-20

20 Feb 15:07
@benoitc benoitc
1.21.0
6eaca56
Compare
Choose a tag to compare
1.21.0 - 2025-02-20

1.21.0 - 2025-02-20

fix: remove SSL options incompatible with tls 1.3
fix: url parsing handle "/" path correctly
fix: simplify integration test suite
fix: handle chunked response in redirect responses
fix: handle http & https proxies separately
fix: skip junk lines in 1.xx response

** security fixes ***

fix URL parsing to prevent SSRF . (related to CVE-2025-1211)
use latest SSL certificate bundle

Available on hex.pm : https://hex.pm/packages/hackney

Loading

1.20.1

11 Oct 00:59
@benoitc benoitc
1.20.1
f190daf
Compare
Choose a tag to compare
1.20.1

Changes

  • fix multipart: handle case where Length is undefined

Config

  • rebar.config : {hackney, "1.20.1"}
  • erlang.mk: dep_hackney = hex 1.20.1
  • mix.exs= {:hackney, "~> 1.21"}

Hex.pm: https://hex.pm/packages/hackney

Loading

1.20.0

10 Oct 00:38
@benoitc benoitc
1.20.0
aa95d66
Compare
Choose a tag to compare
1.20.0

Changes

  • handle * in path encoding
  • Support LF separators: since rfc7230-3.5 allows for LF-only
  • fix recv stream fix fetching trailers during streaming
  • fix CI
  • Improve documentation

Config

  • rebar.config : {hackney, "1.20.0"}
  • erlang.mk: dep_hackney = hex 1.20.0
  • mix.exs= {:hackney, "~> 1.20"}

Hex.pm: https://hex.pm/packages/hackney

Loading

1.19.0

20 Sep 21:13
@benoitc benoitc
1.19.0
47f56b6
Compare
Choose a tag to compare
1.19.0

Changes:

  • fix: recv: if expected size < BufSize fallback to old behaviour. Fix issue with negative length
  • feature: add support for proxy environment setting
Loading

1.18.0

28 Sep 16:03
@benoitc benoitc
1.18.0
c8f3a6c
Compare
Choose a tag to compare
1.18.0

1.18.0 - 2021-09-28

  • security: update default CA bundle
  • fix pool: make checkout synchrounous (remove unwanted messages)
Loading