Skip to content

chore(deps): update elixir dependencies (minor & patch)#31

Open
NexPB wants to merge 1 commit into
mainfrom
renovate/elixir-dependencies-(minor-and-patch)
Open

chore(deps): update elixir dependencies (minor & patch)#31
NexPB wants to merge 1 commit into
mainfrom
renovate/elixir-dependencies-(minor-and-patch)

Conversation

@NexPB

@NexPB NexPB commented Jul 4, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Type Update Change
phoenix_live_view (source) prod minor ~> 1.1.0~> 1.2.0
req (source) prod minor ~> 0.5~> 0.6

Release Notes

phoenixframework/phoenix_live_view (phoenix_live_view)

v1.2.5

Compare Source

Enhancements
  • Ensure Phoenix.LiveView.TagEngine's EEx.Engine deprecation warning includes file and line information
  • Ensure a failing custom UploadWriter does not crash the LiveView process (#​4320)

v1.2.4

Compare Source

Bug fixes
  • Only warn about missing form ID when recovery actually applies (#​4315)
  • Add common img attributes to live_img_preview/1 that were missing after cleaning the global attribute list in 1.2.0 (#​4316)
  • Fix colocated CSS attributes being dropped if using colocated JS in the same component (#​4319)

v1.2.3

Compare Source

This is a followup release to v1.2.2 that fixes the TypeScript declaration files being in the wrong subfolder.
Again, it does not contain any changes to the Elixir or JavaScript code itself.

v1.2.2

Compare Source

This release fixes the npm package missing the TypeScript declaration files.
It does not contain any changes to the Elixir or JavaScript code itself, except small documentation improvements.

v1.2.1

Compare Source

Bug fixes
  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#​4291)

v1.2.0

Compare Source

Bug fixes
  • Only warn about missing form ID when recovery actually applies (#​4315)
  • Add common img attributes to live_img_preview/1 that were missing after cleaning the global attribute list in 1.2.0 (#​4316)
  • Fix colocated CSS attributes being dropped if using colocated JS in the same component (#​4319)

v1.1.32

Compare Source

Bug fixes
  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#​4291)

v1.1.31

Compare Source

Enhancements
  • Validate URL scheme in push_patch / push_navigate, JS.patch / JS.navigate, and clientside js().patch / js().navigate (#​4250)
Bug fixes
  • Fix nested assign change tracking (#​4225)
  • Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#​4247)

v1.1.30

Compare Source

Bug fixes
  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#​4214), introduced in v1.1.29.

v1.1.29

Compare Source

Bug fixes
  • Prevent JS crash when hook has a duplicate ID (#​4196)
  • Recompute scroll container for phx-viewport bindings if it is no longer available (#​4169)
  • Fix phx-viewport events not firing when container has horizontal overflow (#​3897)
  • Handle locks on skipped nodes (#​4209)
  • Use moveBefore if available when reordering stream elements (#​4212)

v1.1.28

Compare Source

Bug fixes
  • Fix race condition that could lead to a JS exception when nested LiveView is removed while it is joining (#​4177)
Enhancements
  • A bunch of small performance and documentation improvements (thank you @​preciz!)

v1.1.27

Compare Source

Bug fixes
  • Workaround Chrome bug when patching <template> elements (#​4163)
  • Fix more type warnings on Elixir 1.20
wojtekmach/req (req)

v0.6.2

Compare Source

  • Use finch ~> 0.21.

v0.6.1

Compare Source

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0

Compare Source

  • [encode_body]: Security fix for :form_multipart header injection
    (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and
    content_type into the part headers without escaping, so an
    attacker-controlled value could inject extra headers or smuggle additional
    parts into the request. These values are now escaped per RFC 7578 / WHATWG
    form-data (", CR, and LF are percent-encoded).

    Thanks to @​PJUllrich for reporting it.

    • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding,
      (GHSA-655f-mp8p-96gv).

      Req previously auto-decoded archive and compressed response bodies (zip,
      tar, tgz, gz, zst, and csv) based on the server-supplied
      content-type, materialising the full decompressed contents in memory with
      no size cap. An attacker-controlled (or redirect-reachable) endpoint could
      return a tiny "decompression bomb" that expanded to gigabytes and exhausted
      the node's memory.

      Now only JSON is decoded by default. Other formats are opt-in via the new
      :decoders option, which defaults to [:json, :json_api]. Setting it
      replaces the default (include :json to keep JSON decoding), and false
      disables all decoding:

opt into archives (only for endpoints you trust):

    Req.get!(url, decoders: [:json, :zip])

**Note**: The decoded zip/tar is still list of
`{filename :: charlist(), contents :: binary}` tuples.
In the future release, this will be list of
`{filename :: binary(), contents :: binary()}` tuples.

While automatic CSV decoding wasn't a security issue, the behaviour based
on presence/absence of `nimble_csv` dependency was suprising. CSV support
is still built-in but need to be enabled with `decoders: [:csv]`.

Custom decoders are supported via `{format, codec}` tuples, where `codec` is
a module exporting `decode/1` or a 1-arity function returning an `:ok`/`:error`
tuple, for example:

    Req.get!(url, decoders: [:json, ics: &{:ok, ICal.from_ics(&1)}])

Thanks to @&#8203;PJUllrich for reporting it.

v0.5.18

Compare Source

  • [run_finch]: Allow :finch option with IPv6 URLs.

    • [run_finch]: Normalize Finch.TransportError and Finch.HTTPError
      (introduced in Finch v0.22.0) into Req.TransportError and Req.HTTPError.

    • [retry]: Automatically retry on :pool_not_available.

    • Require Finch ~> 0.21.0 or ~> 0.22.0.


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • "before 9am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@NexPB NexPB added the dependencies Pull requests that update a dependency file label Jul 4, 2026
@NexPB

NexPB commented Jul 4, 2026

Copy link
Copy Markdown
Owner Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mix.lock
Command failed: install-tool elixir v1.20.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant