security update: httpoison #150

Open
kp-cat wants to merge 13 commits into main from secu-update-202606
Conversation

kp-cat (Member) commented Jun 18, 2026

Describe the purpose of your pull request

  • Security update

Related issues (only if applicable)

Security (only if applicable)

  • mix.exs: bumped the httpoison constraint from `~> 1.7 or ~> 2.0` to `~> 2.0 or ~> 3.0`.
  • mix.lock: resolved to httpoison 3.0.0 (was 2.2.3), which pulls in hackney 4.4.3 (was 1.25.0). httpoison's changelog states 3.0.0 "upgrades to hackney 4.0, which fixes several CVEs (atom-table exhaustion via URL schemes, HTTP header injection, WebSocket buffer limits and more)" — this is almost certainly the high-severity vuln Snyk flagged.
  • Also picked up minor bumps: certifi, idna, mimerl, parse_trans, plus new transitive deps h2, quic, webtransport (hackney 4.x's HTTP/2 and QUIC support).

Requirement checklist (only if applicable)

  • I have covered the applied changes with automated tests.
  • I have executed the full automated test set against my changes.
  • I have validated my changes against all supported platform versions.
  • I have read and accepted the contribution agreement.
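The lock-file change above is the whole security fix, so the check a reviewer wants is that the resolved hackney really is on the 4.x line. The following is an added example, not code from the PR or the configcat project: a POSIX sh guard that reads a mix.lock and fails when hackney is below 4.0.0. It assumes the standard Mix lock layout (`"pkg": {:hex, :pkg, "x.y.z", ...}`) and takes the 4.0.0 floor from the httpoison changelog quoted in the description; the sample lock files are constructed.

```shell
#!/bin/sh
# Added example (not from the PR): fail CI if mix.lock resolves hackney below 4.0.0,
# the line the quoted httpoison changelog says carries the CVE fixes.
# Assumption: the floor comes from the PR description, not from any upstream advisory file.
MIN_HACKNEY="4.0.0"

# Print the resolved version of hex package $1 from mix.lock text on stdin.
lock_version() {
  sed -n "s/^ *\"$1\": {:hex, :$1, \"\([^\"]*\)\".*/\1/p"
}

# Return 0 if dotted numeric version $1 >= $2 (up to three components; no pre-release tags).
version_ge() {
  b="$2"; old_ifs="$IFS"; IFS=.
  set -- $1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS="$old_ifs"
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# Check mix.lock file $1: 0 = hackney at/above the floor, 1 = too old, 2 = not present.
check_lock() {
  v=$(lock_version hackney < "$1")
  if [ -z "$v" ]; then echo "hackney not present in $1"; return 2; fi
  if version_ge "$v" "$MIN_HACKNEY"; then
    echo "ok: hackney $v (>= $MIN_HACKNEY)"
  else
    echo "FAIL: hackney $v is below $MIN_HACKNEY"; return 1
  fi
}

# Constructed sample lock files mirroring the before/after hackney versions in the PR.
tmp=$(mktemp -d)
printf '%%{\n  "hackney": {:hex, :hackney, "1.25.0", "<hash>", [:rebar3], [], "hexpm", "<hash>"},\n}\n' > "$tmp/before.lock"
printf '%%{\n  "hackney": {:hex, :hackney, "4.4.3", "<hash>", [:rebar3], [], "hexpm", "<hash>"},\n}\n' > "$tmp/after.lock"
check_lock "$tmp/before.lock" || true   # reports FAIL for the pre-PR lock
check_lock "$tmp/after.lock"            # reports ok for the post-PR lock
```

Run it against the repository's real mix.lock in CI (`check_lock mix.lock`) so a future downgrade of the transitive dependency fails the build.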

@kp-cat kp-cat requested a review from a team as a code owner June 18, 2026 09:13
hgg commented Jun 29, 2026

Hey folks 👋🏼 Keen on bumping configcat to a version that doesn't rely on the problematic HTTPoison. Any idea when this will land?

laliconfigcat (Member) left a comment

Sorry for taking so long to respond.
It seems to me that the tests are failing. Could you please check them?

kp-cat force-pushed the secu-update-202606 branch from a268c3c to 53c0d7b on July 2, 2026 13:08
kp-cat force-pushed the secu-update-202606 branch from 53c0d7b to 3528ce5 on July 2, 2026 13:11
kp-cat and others added 11 commits July 2, 2026 17:51
`preferred_cli_env` was deprecated as of Elixir 1.15, and we've now moved past that version.
This fixes a new compiler warning in Elixir 1.20.
When we generate tests in a `for` loop, it generates individual tests with values hard-coded into the test body. The Elixir 1.20 type-checker knows the exact type of each value, so gives us warnings when we have conditional code that works for all of the possible values.

The workaround is to put the test values into `@tag`s and then extract them from the test context.

For consistency, we modify all table-driven tests to use the `@tag`/test context pattern.
The newer version of dialyzer caught some type errors that it missed before, so we fix those.

HTTPoison 3.0 also has some type errors of its own which we ignore until [this upstream PR](edgurgel/httpoison#511) is merged and released (or we migrate away from HTTPoison).
Different Elixir versions find different problems, so a filter that's needed in Elixir 1.17 and above may not be needed in Elixir 1.16.
Just commenting out the `true` version didn't appear to be enough.
Some of the message wording has changed from version to version.