Skip to content

Bump hackney from 4.0.0 to 4.6.0#1243

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/hex/hackney-4.6.0
Open

Bump hackney from 4.0.0 to 4.6.0#1243
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/hex/hackney-4.6.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps hackney from 4.0.0 to 4.6.0.

Release notes

Sourced from hackney's releases.

4.6.0

Added

  • set_owner/2 now works while a response body is streaming, in both the synchronous and the async path. It used to return {error, invalid_state} once the body had started. This lets a short lived worker run a request and hand the still streaming response to a longer lived process before it exits, without stopping the connection.
  • connect/4 accepts a binary host, restoring the 1.x behavior. A binary is converted to a string, so callers passing a binary host no longer fail.

Fixed

  • A non-reusable connection (flagged no_reuse for proxy tunnels, SSL upgrades or a disabled pool, or answered with Connection: close) is now closed and its process stopped when a synchronous request completes, instead of parking in connected forever. With a long lived owner nothing stopped it, so one hackney_conn process leaked per request until the node ran out of memory (#902). The sync and async reuse decision now share the same check, which also stops a no_reuse pooled connection on the async path.

hackney 4.5.2

Dependency bump release. No API changes.

Changed

  • Bump h2 to 0.10.4. It fixes a regression from 0.10.3 where a blocking send whose data had fully drained received {error, stream_closed} when the stream closed on its END_STREAM chunk. A waiting sender is now settled as ok once the send buffer has drained, and only gets the close-reason error when data is still outstanding.
  • Bump quic to 1.7.0. Relevant to hackney's HTTP/3 client: the connection flow-control window now slides forward with received bytes instead of stalling after 8 MiB, so large HTTP/3 downloads keep flowing; the idle timer restarts on received activity per RFC 9000 §10.1; an invalid peer SETTINGS frame now closes the connection cleanly instead of crashing; and a client recognizes a server stateless reset (RFC 9000 §10.3) and closes promptly instead of waiting for the idle timeout.
  • Bump webtransport to 0.4.3, which aligns its transitive h2 (0.10.4) and quic (1.7.0) dependencies with hackney's own, so the wt_* API runs on the same HTTP/2 and HTTP/3 stack versions.

4.5.1

Changed

  • Bump h2 to 0.10.3. It fixes an HTTP/2 upload hang: a sender blocked on flow control is now released with {error, stream_reset} or {error, stream_closed} when the peer cancels the stream, instead of hanging for the connection's lifetime. This affects hackney's streamed request bodies over HTTP/2 when the server resets the stream mid-backpressure.

4.5.0

Added

  • HTTP QUERY method (RFC 10008) as a first-class method: hackney:query/1..4 helpers and hackney:request(query, ...). QUERY is safe and idempotent and carries a request body like POST. It works over HTTP/1.1, HTTP/2, and HTTP/3 with every request body mode (binary, streamed, async, connection API).

4.4.5

Fixed

  • HTTPS: a connection reused over a resumed TLS 1.3 session is no longer mislabeled as HTTP/1 when it negotiated HTTP/2. ssl:negotiated_protocol/1 reports nothing on a resumed session, so hackney now remembers the protocol learned on the full handshake (per host and advertised ALPN) and offers resumption only once that protocol is known, resolving a resumed session against that snapshot. Reused h2 connections take the h2 path instead of feeding h2 frames to the HTTP/1 parser.
  • HTTP/1.1: a response that cannot begin an HTTP/1 status line (for example an

... (truncated)

Changelog

Sourced from hackney's changelog.

4.6.0 - 2026-07-15

Added

  • set_owner/2 now works while a response body is streaming, in both the synchronous and the async path. It used to return {error, invalid_state} once the body had started. This lets a short lived worker run a request and hand the still streaming response to a longer lived process before it exits, without stopping the connection.
  • connect/4 accepts a binary host, restoring the 1.x behavior. A binary is converted to a string, so callers passing a binary host no longer fail.

Fixed

  • A non-reusable connection (flagged no_reuse for proxy tunnels, SSL upgrades or a disabled pool, or answered with Connection: close) is now closed and its process stopped when a synchronous request completes, instead of parking in connected forever. With a long lived owner nothing stopped it, so one hackney_conn process leaked per request until the node ran out of memory (#902). The sync and async reuse decision now share the same check, which also stops a no_reuse pooled connection on the async path.

4.5.2 - 2026-07-06

Changed

  • Bump h2 to 0.10.4. It fixes a regression from 0.10.3 where a blocking send whose data had fully drained received {error, stream_closed} when the stream closed on its END_STREAM chunk. A waiting sender is now settled as ok once the send buffer has drained, and only gets the close-reason error when data is still outstanding.
  • Bump quic to 1.7.0. Relevant to hackney's HTTP/3 client: the connection flow-control window now slides forward with received bytes instead of stalling after 8 MiB, so large HTTP/3 downloads keep flowing; the idle timer restarts on received activity per RFC 9000 §10.1; an invalid peer SETTINGS frame now closes the connection cleanly instead of crashing; and a client recognizes a server stateless reset (RFC 9000 §10.3) and closes promptly instead of waiting for the idle timeout.
  • Bump webtransport to 0.4.3, which aligns its transitive h2 (0.10.4) and quic (1.7.0) dependencies with hackney's own, so the wt_* API runs on the same HTTP/2 and HTTP/3 stack versions.

4.5.1 - 2026-07-04

Changed

  • Bump h2 to 0.10.3. It fixes an HTTP/2 upload hang: a sender blocked on

... (truncated)

Commits
  • 42058d1 Release 4.6.0
  • 2f6d15b Merge pull request #908 from benoitc/proto/unified-finish-request
  • 750869c Stop non-reusable connections when a request completes
  • 398edbd Merge pull request #906 from TBK145/patch-1
  • 08a0393 Merge connect/4 clauses under one spec so it compiles
  • 6430334 Merge pull request #904 from benoitc/feature/set-owner-mid-stream
  • 24bbf44 Overload connect function to accept binary host
  • 89eb0f6 Add regression test for set_owner API in unchanged states
  • a0c5e5e Allow set_owner while a response body is streaming
  • d5051db Release 4.5.2: bump h2 0.10.4, quic 1.7.0, webtransport 0.4.3
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hackney](https://github.com/benoitc/hackney) from 4.0.0 to 4.6.0.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@4.0.0...4.6.0)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code labels Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file elixir Pull requests that update elixir code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants