chore(deps): bump hackney from 1.25.0 to 4.4.3 #25

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/hex/hackney-4.4.3

dependabot Bot commented on behalf of github Jun 18, 2026

Bumps hackney from 1.25.0 to 4.4.3.

Release notes

Sourced from hackney's releases.

4.4.3

Fixed

  • HTTP/2: a response that signals end of stream with a trailing HEADERS frame (trailers, or an empty trailing HEADERS as proxies emit for responses without a content-length) no longer hangs the body read until recv_timeout. The trailer event is now treated as end of stream, so reads complete on fresh and reused connections (#884).
  • HTTP/2: sync reads run under a per-stream recv_timeout watchdog, so a lost frame fails fast with {error, timeout} instead of blocking until the connection dies.
  • HTTP/1.1: a pooled connection that received unsolicited data while idle is dropped at checkout instead of having the bytes discarded, which could strand or corrupt the next read. Healthy idle connections still reuse normally, preserving keep-alive and the issue #544 stale-connection detection.

4.4.2

Fixed

  • Apply the pool overflow fix to the opt-in ssl_pooling checkout path. With ssl_pooling enabled and pool_size below max_per_host, a second concurrent HTTPS request could still fail with checkout_timeout; it now opens an overflow connection like the plain checkout path, closed at checkin rather than pooled. HTTP/2 and HTTP/3 are unaffected (they multiplex over shared connections). (#882)

4.4.1

Fixed

  • Pool checkout no longer fails with checkout_timeout when a connection from a just-completed request has not yet been checked back in. pool_size / max_connections now bounds the warm (idle) pool kept for reuse; per-host concurrency is capped by max_per_host. A request beyond the warm pool size opens an overflow connection that is closed at checkin instead of being pooled. Set max_per_host to cap concurrent connections to a host.

Dependencies

  • webtransport 0.4.0 -> ~> 0.4.1, h2 ~> 0.10.0 -> ~> 0.10.1, quic 1.6.5 -> ~> 1.6.5. The exact webtransport 0.4.0 pin required h2 0.9.0, conflicting with hackney's own h2 ~> 0.10.0 and breaking installation on strict resolvers. webtransport 0.4.1 relaxes that requirement; the ranges now accept any 0.4.x / 0.10.x / 1.6.x patch release without a further bump. (#879)

4.4.0

Added

  • HTTP/2 streaming request bodies and streaming response reads, reaching parity with HTTP/1.1 and HTTP/3: pass stream as the body, send chunks with send_body/2 then finish_send_body/1, and read the response with start_response/1 followed by body/1 or stream_body/1. (#875)
  • Full-duplex HTTP/2 bidirectional streaming (gRPC-style) via a new h2_* API (h2_open, h2_send, h2_recv, h2_send_trailers, h2_consume, h2_setopts, h2_close), mirroring the ws_* and wt_* APIs. Send and receive interleaved on one stream, with trailers, passive/active delivery, and {flow_control, manual} + h2_consume/2 backpressure. (#876)

Dependencies

  • h2 0.9.0 -> ~> 0.10.0, now accepting every patched 0.10 release.

4.3.0

Added

  • Opt-in pooling of HTTPS/1.1 connections via {ssl_pooling, true} (request option or application env, default false). Upgraded SSL connections return to the pool keyed by the hash of their effective TLS options and are reused only on an exact match, skipping the handshake on follow-up requests. (#872)
  • TLS 1.3 session resumption for the default TLS config. With no ssl_options, connections use {session_tickets, auto}. Disable with the tls_session_resumption env. Custom ssl_options never resume (the OTP ticket store is node-wide and a resumed session skips certificate validation). (#872)

Changed

  • Shared HTTP/2 and HTTP/3 connections, and cached 0-RTT tickets, are keyed by the effective TLS options, so requests with different ssl_options no longer share a connection or resume each other's tickets.
  • The per-request TLS options hash is memoized in a bounded ETS cache.
  • SNI: no server_name_indication is sent for IP-literal hosts (RFC 6066) across HTTP/1.1, HTTP/2 and HTTP/3. A user-supplied server_name_indication is honored consistently as both the wire value and the verification target, and disable suppresses SNI without weakening verification.
  • Bump quic to 1.6.5 and webtransport to 0.4.0.

4.2.3

Dependencies

  • h2 0.8.0 -> 0.9.0
  • webtransport 0.3.2 -> 0.3.3
  • parse_trans 3.4.1 -> 3.4.2

... (truncated)

Changelog

Sourced from hackney's changelog.

4.4.3 - 2026-06-17

Fixed

  • HTTP/2: a response that signals end of stream with a trailing HEADERS frame (trailers, or an empty trailing HEADERS as proxies emit for responses without a content-length) no longer hangs the body read until recv_timeout. The trailer event is now treated as end of stream, so reads complete on fresh and reused connections.
  • HTTP/2: sync reads run under a per-stream recv_timeout watchdog, so a lost frame fails fast with {error, timeout} instead of blocking until the connection dies.
  • HTTP/1.1: a pooled connection that received unsolicited data while idle is dropped at checkout instead of having the bytes discarded, which could strand or corrupt the next read. Healthy idle connections still reuse normally, preserving keep-alive and the issue #544 stale-connection detection.

4.4.2 - 2026-06-16

Fixed

  • Apply the pool overflow fix to the opt-in ssl_pooling checkout path. With ssl_pooling enabled and pool_size below max_per_host, a second concurrent HTTPS request could still fail with checkout_timeout; it now opens an overflow connection like the plain checkout path, closed at checkin rather than pooled. HTTP/2 and HTTP/3 are unaffected (they multiplex over shared connections).

4.4.1 - 2026-06-16

Fixed

  • Pool checkout no longer fails with checkout_timeout when a connection from a just-completed request has not yet been checked back in. pool_size / max_connections now bounds the warm (idle) pool kept for reuse; per-host concurrency is capped by max_per_host. A request beyond the warm pool size opens an overflow connection that is closed at checkin instead of being pooled. Set max_per_host to cap concurrent connections to a host.

Dependencies

  • webtransport 0.4.0 -> ~> 0.4.1, h2 ~> 0.10.0 -> ~> 0.10.1, quic 1.6.5 -> ~> 1.6.5. The exact webtransport 0.4.0 pin required h2 0.9.0, conflicting with hackney's own h2 ~> 0.10.0 and breaking installation on strict resolvers. webtransport 0.4.1 relaxes that requirement; the ranges now accept any 0.4.x / 0.10.x / 1.6.x patch release without a further bump. (#879)

... (truncated)

Commits
  • a868eeb Merge pull request #885 from benoitc/release/4.4.3
  • a149f4d Release 4.4.3
  • fd13f1f Merge pull request #884 from benoitc/fix/pooled-read-hangs
  • 9b0f2a3 Fix intermittent read hangs on reused HTTP/2 and pooled HTTP/1.1 connections
  • e1566e6 Merge pull request #883 from benoitc/release/4.4.2
  • fbe17b9 Release 4.4.2
  • 9d3cdaf Merge pull request #882 from benoitc/fix/ssl-pool-overflow
  • 64ae9b0 Apply pool overflow to the ssl_pooling checkout path
  • 3acc10e Merge pull request #881 from benoitc/release/4.4.1
  • f06a7c1 Fix spurious checkout_timeout via pool overflow connections
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hackney](https://github.com/benoitc/hackney) from 1.25.0 to 4.4.3.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.25.0...4.4.3)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and elixir labels Jun 18, 2026

dependabot Bot commented on behalf of github Jun 22, 2026

Superseded by #27.

dependabot Bot closed this Jun 22, 2026
dependabot Bot deleted the dependabot/hex/hackney-4.4.3 branch June 22, 2026 07:35