chore(deps): bump hackney from 1.25.0 to 4.4.5 #27

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/hex/hackney-4.4.5

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps hackney from 1.25.0 to 4.4.5.

Release notes

Sourced from hackney's releases.

4.4.5

Fixed

  • HTTPS: a connection reused over a resumed TLS 1.3 session is no longer mislabeled as HTTP/1 when it negotiated HTTP/2. ssl:negotiated_protocol/1 reports nothing on a resumed session, so hackney now remembers the protocol learned on the full handshake (per host and advertised ALPN) and offers resumption only once that protocol is known, resolving a resumed session against that snapshot. Reused h2 connections take the h2 path instead of feeding h2 frames to the HTTP/1 parser.
  • HTTP/1.1: a response that cannot begin an HTTP/1 status line (for example an HTTP/2 frame on a mislabeled connection) now fails fast with {error, {bad_response, not_http}} instead of spinning the CPU in the status-line parser.
  • Connection pooling: Connection: close responses are no longer returned to the pool on the sync body path; checkin only pools connections proven keep-alive and socket-ready (unknown defaults to close); and a closed pooled entry is discarded at checkout instead of being redialed inside the pool process (#888).
  • Connection pooling: stopping a pool while requests are in flight no longer leaks the per-host concurrency (load_regulation) slots of the checked-out connections. The pool now traps exits so its shutdown releases those slots and stops the in-use connections, instead of orphaning them and starving the host's concurrency cap node-wide (#892).

4.4.4

Fixed

  • HTTP/2: a connection is no longer reused after the peer sends GOAWAY while keeping the socket open (as AWS ALB does to recycle connections). The connection is retired so the pool dials a fresh one, instead of being handed out again with new streams the peer ignores until recv_timeout.
  • HTTP/2: when the per-stream recv_timeout watchdog fires, the stalled stream is cancelled (RST_STREAM) so the peer stops sending and the connection is not reused with an orphaned stream.
  • HTTP/1.1: bytes that issue #544's idle {active, once} delivers to the connection mailbox on a reused connection are now buffered and fed to the next request instead of dropping the connection (refines the 4.4.3 behavior), so a reused request no longer blocks to recv_timeout while the response sits stranded as an unread message. The idle buffer is bounded, and a server close still refuses reuse (#544).

4.4.3

Fixed

  • HTTP/2: a response that signals end of stream with a trailing HEADERS frame (trailers, or an empty trailing HEADERS as proxies emit for responses without a content-length) no longer hangs the body read until recv_timeout. The trailer event is now treated as end of stream, so reads complete on fresh and reused connections (#884).
  • HTTP/2: sync reads run under a per-stream recv_timeout watchdog, so a lost frame fails fast with {error, timeout} instead of blocking until the connection dies.
  • HTTP/1.1: a pooled connection that received unsolicited data while idle is dropped at checkout instead of having the bytes discarded, which could strand or corrupt the next read. Healthy idle connections still reuse normally, preserving keep-alive and the issue #544 stale-connection detection.

4.4.2

Fixed

  • Apply the pool overflow fix to the opt-in ssl_pooling checkout path. With ssl_pooling enabled and pool_size below max_per_host, a second concurrent HTTPS request could still fail with checkout_timeout; it now opens an overflow connection like the plain checkout path, closed at checkin rather than pooled. HTTP/2 and HTTP/3 are unaffected (they multiplex over shared connections). (#882)

4.4.1

Fixed

  • Pool checkout no longer fails with checkout_timeout when a connection from a just-completed request has not yet been checked back in. pool_size / max_connections now bounds the warm (idle) pool kept for reuse; per-host concurrency is capped by max_per_host. A request beyond the warm pool size opens an overflow connection that is closed at checkin instead of being pooled. Set max_per_host to cap concurrent connections to a host.

... (truncated)

Changelog

Sourced from hackney's changelog.

4.4.5 - 2026-06-18

Fixed

  • HTTPS: a connection reused over a resumed TLS 1.3 session is no longer mislabeled as HTTP/1 when it negotiated HTTP/2. ssl:negotiated_protocol/1 reports nothing on a resumed session, so hackney now remembers the protocol learned on the full handshake (per host and advertised ALPN) and offers resumption only once that protocol is known, resolving a resumed session against that snapshot. Reused h2 connections take the h2 path instead of feeding h2 frames to the HTTP/1 parser.
  • HTTP/1.1: a response that cannot begin an HTTP/1 status line (for example an HTTP/2 frame on a mislabeled connection) now fails fast with {error, {bad_response, not_http}} instead of spinning the CPU in the status-line parser.
  • Connection pooling: Connection: close responses are no longer returned to the pool on the sync body path; checkin only pools connections proven keep-alive and socket-ready (unknown defaults to close); and a closed pooled entry is discarded at checkout instead of being redialed inside the pool process (#888).
  • Connection pooling: stopping a pool while requests are in flight no longer leaks the per-host concurrency (load_regulation) slots of the checked-out connections. The pool now traps exits so its shutdown releases those slots and stops the in-use connections, instead of orphaning them and starving the host's concurrency cap node-wide (#892).

4.4.4 - 2026-06-17

Fixed

  • HTTP/2: a connection is no longer reused after the peer sends GOAWAY while keeping the socket open (as AWS ALB does to recycle connections). The connection is retired so the pool dials a fresh one, instead of being handed out again with new streams the peer ignores until recv_timeout.
  • HTTP/2: when the per-stream recv_timeout watchdog fires, the stalled stream is cancelled (RST_STREAM) so the peer stops sending and the connection is not reused with an orphaned stream.
  • HTTP/1.1: bytes that issue #544's idle {active, once} delivers to the connection mailbox on a reused connection are now buffered and fed to the next request instead of dropping the connection (refines the 4.4.3 behavior below), so a reused request no longer blocks to recv_timeout while the response sits stranded as an unread message. The idle buffer is bounded, and a server close still refuses reuse (#544).

4.4.3 - 2026-06-17

Fixed

... (truncated)

Commits
  • 71a547e Add #892 in_use slot-leak fix to 4.4.5 changelog
  • bd84fbc Merge pull request #890 from benoitc/release/4.4.5
  • f44cb4c Merge branch 'master' into release/4.4.5
  • 9d5c302 Merge pull request #892 from benoitc/fix/pool-stop-releases-inuse-slots
  • f18df86 Release load_regulation slots of in_use conns when a pool stops
  • 11339ea Release 4.4.5
  • 73570d4 Merge pull request #889 from benoitc/fix/h2-alpn-resumption-mislabel
  • 072c5da Only automatic tickets make a conn ALPN-memo-eligible
  • a1fbeea Scope ALPN memo to the resumable ticket source
  • ffb5a36 Add 4.4.5 changelog entry
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps [hackney](https://github.com/benoitc/hackney) from 1.25.0 to 4.4.5.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@1.25.0...4.4.5)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.4.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and elixir labels Jun 22, 2026