build(deps): bump hackney from 4.2.3 to 4.3.0 in /copi.owasp.org #3115

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/hex/copi.owasp.org/hackney-4.3.0

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Bumps hackney from 4.2.3 to 4.3.0.

Release notes

Sourced from hackney's releases.

4.3.0

Added

  • Opt-in pooling of HTTPS/1.1 connections via {ssl_pooling, true} (request option or application env, default false). Upgraded SSL connections return to the pool keyed by the hash of their effective TLS options and are reused only on an exact match, skipping the handshake on follow-up requests. (#872)
  • TLS 1.3 session resumption for the default TLS config. With no ssl_options, connections use {session_tickets, auto}. Disable with the tls_session_resumption env. Custom ssl_options never resume (the OTP ticket store is node-wide and a resumed session skips certificate validation). (#872)

Changed

  • Shared HTTP/2 and HTTP/3 connections, and cached 0-RTT tickets, are keyed by the effective TLS options, so requests with different ssl_options no longer share a connection or resume each other's tickets.
  • The per-request TLS options hash is memoized in a bounded ETS cache.
  • SNI: no server_name_indication is sent for IP-literal hosts (RFC 6066) across HTTP/1.1, HTTP/2 and HTTP/3. A user-supplied server_name_indication is honored consistently as both the wire value and the verification target, and disable suppresses SNI without weakening verification.
  • Bump quic to 1.6.5 and webtransport to 0.4.0.

Changelog

Sourced from hackney's changelog.

4.3.0 - 2026-06-12

Added

  • Opt-in pooling of HTTPS/1.1 connections. With {ssl_pooling, true} (request option, or the ssl_pooling application env; default false) an upgraded SSL connection returns to the pool keyed by the hash of its effective TLS options and is reused only on an exact match, skipping the TLS handshake on follow-up requests. The default is unchanged: SSL connections are closed at checkin. (#872)
  • TLS 1.3 session resumption for requests using hackney's default TLS config. When no ssl_options are passed, connections are opened with {session_tickets, auto} so fresh connections to the same server resume the session instead of paying a full handshake. Disable with the tls_session_resumption application env (default true). Requests with custom ssl_options deliberately get no resumption: OTP's ticket store is node-global and a resumed handshake skips certificate validation, so only the shared default trust config may use it (trust isolation). (#872)

Changed

  • Shared HTTP/2 connections are keyed by the effective TLS options, and shared HTTP/3 connections plus cached 0-RTT session tickets by the QUIC trust options. Requests with different ssl_options no longer share a multiplexed connection or resume each other's tickets.
  • The TLS options hash computed for every pooled HTTPS request is memoized in a bounded ETS cache keyed by the pre-merge inputs and the relevant application envs, skipping a sha256 over the full CA bundle on cache hits.
  • SNI handling. No server_name_indication is sent when the host is an IP literal (RFC 6066), on HTTP/1.1, HTTP/2 and HTTP/3. A user-supplied server_name_indication in ssl_options is now honored consistently as both the wire value and the hostname-verification target, works on the HTTP/3 path too, and disable suppresses SNI without weakening verification.
  • Bump quic to 1.6.5 and webtransport to 0.4.0.

Commits

  • 7cc30cc Release 4.3.0
  • ce45e6c Merge pull request #874 from benoitc/feature/sni-and-dep-bumps
  • ec5ac8f Apply SNI fixes to the proxy leg and unify ssl option building
  • cddb839 Improve client-side SNI handling
  • 442c980 Bump quic to 1.6.5 and webtransport to 0.4.0
  • 48094e7 Merge pull request #873 from benoitc/feature/872-ssl-pooling
  • d3a44ed Memoize the TLS options hash in a bounded ETS cache
  • 0ae01e1 Enable TLS 1.3 session resumption for default TLS config
  • a62d2e5 Pool HTTPS/1.1 connections behind the ssl_pooling option
  • de151bd Key shared HTTP/3 connections and 0-RTT tickets by TLS trust options
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [hackney](https://github.com/benoitc/hackney) from 4.2.3 to 4.3.0.
- [Release notes](https://github.com/benoitc/hackney/releases)
- [Changelog](https://github.com/benoitc/hackney/blob/master/NEWS.md)
- [Commits](benoitc/hackney@4.2.3...4.3.0)

---
updated-dependencies:
- dependency-name: hackney
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and elixir (Pull requests that update elixir code) Jun 15, 2026
@dependabot dependabot Bot requested review from cw-owasp, rewtd and sydseter as code owners June 15, 2026 06:54
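
The pooling rule from the 4.3.0 notes above (connections keyed by the hash of their effective TLS options, reused only on an exact match) as a small model of why the key matters for trust isolation. This is an added example, not hackney's code and not part of this pull request: the module `PoolKeyModel`, its default options, the host name and the CA file paths are constructed for illustration.

```elixir
defmodule PoolKeyModel do
  # Toy model only: hackney's real pool, defaults and hashing are not shown on this page.

  # Assumed defaults for the model.
  @default_tls [verify: :verify_peer, cacertfile: "/etc/ssl/default-ca.pem"]

  # Effective options = defaults overridden by the caller's ssl_options.
  def effective(ssl_options), do: Keyword.merge(@default_tls, ssl_options)

  # Sort before hashing so option order does not change the key.
  def tls_hash(ssl_options) do
    canonical = ssl_options |> effective() |> Enum.sort()

    :crypto.hash(:sha256, :erlang.term_to_binary(canonical))
    |> Base.encode16(case: :lower)
  end

  # The pool key carries the TLS hash, not just host and port.
  def key(host, port, ssl_options), do: {host, port, tls_hash(ssl_options)}

  # pool is a map of key => list of idle connection ids.
  def checkin(pool, key, conn), do: Map.update(pool, key, [conn], &[conn | &1])

  def checkout(pool, key) do
    case Map.get(pool, key, []) do
      [conn | rest] -> {{:reuse, conn}, Map.put(pool, key, rest)}
      [] -> {:handshake, pool}
    end
  end
end

# Constructed sample callers: same host and port, different trust settings.
host = "api.example.test"
strict = [verify: :verify_peer, cacertfile: "/etc/ssl/internal-ca.pem"]
lax = [verify: :verify_none]

# A connection opened without certificate verification goes back to the pool.
pool = PoolKeyModel.checkin(%{}, PoolKeyModel.key(host, 443, lax), :conn_1)

# The strict caller asks for the same host: its key differs, so it must handshake.
{strict_result, pool} = PoolKeyModel.checkout(pool, PoolKeyModel.key(host, 443, strict))

# The lax caller matches the stored key exactly and reuses the connection.
{lax_result, _pool} = PoolKeyModel.checkout(pool, PoolKeyModel.key(host, 443, lax))

IO.inspect(strict_result, label: "strict caller")
IO.inspect(lax_result, label: "lax caller")
```

If the key were only `{host, port}`, the strict caller would be handed a connection that was established with verification turned off, which is the cross-configuration sharing the release notes say no longer happens.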