build(deps): bump the mix-production-dependencies group across 1 directory with 7 updates #227

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/hex/src/flagd-ui/mix-production-dependencies-c4fd1a8876

Conversation

@dependabot (bot) commented on behalf of github on May 6, 2026

Bumps the mix-production-dependencies group with 7 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| bandit | 1.8.0 | 1.11.0 |
| gettext | 1.0.0 | 1.0.2 |
| jason | 1.4.4 | 1.4.5 |
| phoenix | 1.8.1 | 1.8.7 |
| phoenix_live_view | 1.1.16 | 1.1.30 |
| req | 0.5.15 | 0.5.17 |
| swoosh | 1.19.8 | 1.25.1 |

Updates bandit from 1.8.0 to 1.11.0

Changelog

Sourced from bandit's changelog.

1.11.0 (1 May 2026)

Fixes

Enhancements

  • Define a new max_inflate_ratio WebSocket configuration option that defines a maximum allowable decompression ratio to help mitigate inflate bombing. Defaults to 25:1
  • Define a new max_fragmented_message_size WebSocket configuration option which defines the maximum allowed WebSocket frame size (inclusive of continuation frames). Defaults to 8MB

Changes

  • The default value of the max_frame_size WebSocket option has changed from :infinity to 8MB
  • Zero length non-fin continuation frames are now disallowed (we now skip Autobahn 6.1.2 as a result)
  • Multiple content-length fields in an HTTP/1 request are now disallowed (CVE-2026-39805, commit f2ca636, thanks @PJUllrich & @maennchen!)
  • We now only use the underlying transport when determining scheme (CVE-2026-39807, commit 45feea2, thanks @PJUllrich & @maennchen!)

1.10.4 (25 Mar 2026)

Enhancements

1.10.3 (22 Feb 2026)

Enhancements

  • Support authority form requests for CONNECT requests (#571)
  • Narrow acceptance of asterisk form requests to OPTIONS requests (#571)
  • Detect client disconnect on timeout in ensure_completed (#566, thanks @pepicrft!)
  • Improve http2 sendfile streaming (#565, thanks @elibosley!)

1.10.2 (22 Jan 2026)

Enhancements

  • Distinguish client disconnects from genuine body read timeouts (#564, thanks @pepicrft!)

1.10.1 (5 Jan 2026)

Changes

  • Change default preference order for compression methods to be 'zstd (if present), gzip, deflate' (#562)

... (truncated)

Commits

Updates gettext from 1.0.0 to 1.0.2

Changelog

Sourced from gettext's changelog.

v1.0.2

  • Only skip manifest removal on Elixir v1.19.3+

v1.0.1 (retired)

  • Remove unnecessary cleaning of Elixir manifests

Commits

Updates jason from 1.4.4 to 1.4.5

Changelog

Sourced from jason's changelog.

1.4.5 (05.05.2026)

  • Add support for Decimal 3.0

Commits
  • 4ede428 Bump v1.4.5
  • b8c2185 Fix dialyzer job
  • a363975 Modernise CI to currently supported versions
  • 243c8a8 Allow decimal 3.0
  • c8e8d05 Revert the experimental 1.5 branch and jason_native experiment
  • 0e7a3e2 Add example/doctest for Jason.OrderedObject.new/1
  • 984bc07 fix broken link
  • f775592 Raise if trying to decode decimals without decimal
  • 79d59df Remove unneeded workarounds for xref warnings
  • baac78e Fix warnings by conditionally compiling Decimal support
  • Additional commits viewable in compare view

Updates phoenix from 1.8.1 to 1.8.7

Changelog

Sourced from phoenix's changelog.

1.8.7 (2026-05-06)

Bug fixes

  • Fix invalid status when longpoll request times out

Enhancements

  • Mask token parameter in logs by default (in addition to "password")

JavaScript Client Bug Fixes

  • Fix encoding of non-ASCII metadata in binary channel messages

1.8.6 (2026-05-05)

Security fixes

  • CVE-2026-32689: Fix Phoenix.Socket Longpoll transport memory exhaustion in nd-JSON body splitting

1.8.5 (2026-03-05)

JavaScript Client Bug Fixes

  • Fix socket connecting on visibility change when never established

Enhancements

  • Fix warnings on Elixir 1.20

1.8.4 (2026-02-23)

JavaScript Client Bug Fixes

  • Fix bug reconnecting connections when close was gracefully initiated by server
  • Fix LongPoll transport name in sessionStorage and logs

Enhancements

  • Adds guards support in assert_push, assert_broadcast, and assert_reply
  • Enable purging in Phoenix code server for Elixir 1.20

1.8.3 (2025-12-08)

Enhancements

  • Add top-level phoenix config: sort_verified_routes_query_params to enable sorting query params in verified routes during tests

Bug fixes

  • Fix endpoint port config in an umbrella application. (#6549)
  • Drop incoming channel messages with stale join refs

1.8.2 (2025-11-26)

Bug fixes

  • [phoenix.js] fix issue where LongPoll can cause "unmatched topic" errors (observed on iOS only) (#6538)
  • [phx.gen.live] fix tests when schema and table names are equal (#6477)
  • [Verified Routes] do not add path prefixes for static routes
  • [Phoenix.Endpoint] fix LongPoll being active by default since 1.8.0 (#6487)

... (truncated)

Commits

Updates phoenix_live_view from 1.1.16 to 1.1.30

Release notes

Sourced from phoenix_live_view's releases.

v1.1.30

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29

Bug fixes

  • Prevent JS crash when hook has a duplicate ID (#4196)
  • Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
  • Fix phx-viewport events not firing when container has horizontal overflow (#3897)
  • Handle locks on skipped nodes (#4209)
  • Use moveBefore if available when reordering stream elements (#4212)

v1.1.28

Bug fixes

  • Fix race condition that could lead to a JS exception when nested LiveView is removed while it is joining (#4177)

Enhancements

  • A bunch of small performance and documentation improvements (thank you @preciz!)

v1.1.27

Bug fixes

  • Workaround Chrome bug when patching <template> elements (#4163)
  • Fix more type warnings on Elixir 1.20

v1.1.26

Bug fixes

  • Fix phx-click-away for nested portals
  • Fix type warnings on Elixir 1.20

v1.1.25

Bug fixes

  • Fix phx-click-away when clicked element is teleported (#4141)
  • Handle phx-hook outside of LiveViews when reconnecting (#4147)

Changelog

Sourced from phoenix_live_view's changelog.

v1.1.30 (2026-05-05)

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214), introduced in v1.1.29.

v1.1.29 (2026-05-04)

Bug fixes

  • Prevent JS crash when hook has a duplicate ID (#4196)
  • Recompute scroll container for phx-viewport bindings if it is no longer available (#4169)
  • Fix phx-viewport events not firing when container has horizontal overflow (#3897)
  • Handle locks on skipped nodes (#4209)
  • Use moveBefore if available when reordering stream elements (#4212)

v1.1.28 (2026-03-27)

Bug fixes

  • Fix race condition that could lead to a JS exception when nested LiveView is removed while it is joining (#4177)

Enhancements

  • A bunch of small performance and documentation improvements (thank you @preciz!)

v1.1.27 (2026-03-10)

Bug fixes

  • Workaround Chrome bug when patching <template> elements (#4163)
  • Fix more type warnings on Elixir 1.20

v1.1.26 (2026-03-04)

Bug fixes

  • Fix phx-click-away for nested portals
  • Fix type warnings on Elixir 1.20

v1.1.25 (2026-02-26)

Bug fixes

  • Fix phx-click-away when clicked element is teleported (#4141)
  • Handle phx-hook outside of LiveViews when reconnecting (#4147)

v1.1.24 (2026-02-16)

Bug fixes

... (truncated)

Commits
  • fdbbe52 Release v1.1.30
  • 970932b Update assets
  • ff31d01 Ensure phx-viewport hook does not fail if there's no scrollContainer
  • 24090b5 Release v1.1.29
  • cc83643 Update assets
  • 8deb3e5 Use moveBefore if supported when reordering stream items (#4213)
  • 174dad5 DOM patching: Fall back to PHX_MAGIC_ID if node ID was touched by client hook...
  • 4e18a20 handle locks on skipped nodes (#4210)
  • 031f00c Remove unreachable error clause in UploadTmpFileWriter.write_chunk/2
  • 0b4005b Optimize traverse_dynamic for nil and binary entries
  • Additional commits viewable in compare view

Updates req from 0.5.15 to 0.5.17

Release notes

Sourced from req's releases.

v0.5.16

Changelog

Sourced from req's changelog.

v0.5.17 (2026-01-22)

  • [retry]: Use default delay if retry-after is "negative"

    Previously, we were only handling "negative" retry-after in "http date" format and slept for zero seconds. We were crashing on retry-after with negative seconds.

    Now, we're using the default delay (1s, 2s, 4s, ...) in either format.

v0.5.16 (2025-11-10)

  • [Req.Test]: Fix verify_on_exit! accidentally using Mox name
  • [auth]: Support MFArgs
  • [auth]: Support digest auth
  • [put_aws_sigv4]: Support MFArgs
  • [put_path_params]: Encode :path_params even with reserved characters
  • [put_path_params]: Set :path_params_template on empty params
  • [run_plug]: Handle compressed request body

Commits

Updates swoosh from 1.19.8 to 1.25.1

Release notes

Sourced from swoosh's releases.

v1.25.1 🚀

✨ Features

⛓️ Dependency

New Contributors

Full Changelog: swoosh/swoosh@v1.25.0...v1.25.1

v1.25.0 🚀

✨ Features

📝 Documentation

🧰 Maintenance

⛓️ Dependency

v1.24.0 🚀

✨ Features

New Contributors

Full Changelog: swoosh/swoosh@v1.23.1...v1.24.0

v1.23.1 🚀

✨ Features

... (truncated)

Changelog

Sourced from swoosh's changelog.

1.25.1

🐛 Bug Fixes

1.25.0

✨ Features

📝 Documentation

🧰 Maintenance

1.24.0

✨ Features

1.23.1

✨ Features

🧰 Maintenance

1.23.0

✨ Features

1.22.1

🐛 Bug Fixes

1.22.0

... (truncated)

Commits
  • 2aa9af4 Bump version to 1.25.1 (#1127)
  • df97f1c Bump plug_cowboy from 2.8.0 to 2.8.1 (#1126)
  • 397562e Regenerate styles with Tailwind CSS
  • 3e4ff5f fix: use github.ref_name instead of github.ref for tailwind branch name
  • f0b12c0 Escape email content in mailbox preview UI (#1124)
  • 0b5c091 fix: assert_no_email_sent and refute_email_sent now catch deliver_many (#1123)
  • 422d062 Bump release comment action to v0.5.1
  • 3bd1c43 Prepare minor release 1.25.0 metadata (#1122)
  • 60601c3 Bump bandit from 1.10.3 to 1.10.4 (#1119)
  • a5ebfff Improve discoverability and HexDocs coverage for Swoosh.Adapters.Sandbox (#...
  • Additional commits viewable in compare view

…ctory with 7 updates

Bumps the mix-production-dependencies group with 7 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| [bandit](https://github.com/mtrudel/bandit) | `1.8.0` | `1.11.0` |
| [gettext](https://github.com/elixir-gettext/gettext) | `1.0.0` | `1.0.2` |
| [jason](https://github.com/michalmuskala/jason) | `1.4.4` | `1.4.5` |
| [phoenix](https://github.com/phoenixframework/phoenix) | `1.8.1` | `1.8.7` |
| [phoenix_live_view](https://github.com/phoenixframework/phoenix_live_view) | `1.1.16` | `1.1.30` |
| [req](https://github.com/wojtekmach/req) | `0.5.15` | `0.5.17` |
| [swoosh](https://github.com/swoosh/swoosh) | `1.19.8` | `1.25.1` |



Updates `bandit` from 1.8.0 to 1.11.0
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.8.0...1.11.0)

Updates `gettext` from 1.0.0 to 1.0.2
- [Changelog](https://github.com/elixir-gettext/gettext/blob/main/CHANGELOG.md)
- [Commits](elixir-gettext/gettext@v1.0.0...v1.0.2)

Updates `jason` from 1.4.4 to 1.4.5
- [Release notes](https://github.com/michalmuskala/jason/releases)
- [Changelog](https://github.com/michalmuskala/jason/blob/master/CHANGELOG.md)
- [Commits](michalmuskala/jason@v1.4.4...v1.4.5)

Updates `phoenix` from 1.8.1 to 1.8.7
- [Release notes](https://github.com/phoenixframework/phoenix/releases)
- [Changelog](https://github.com/phoenixframework/phoenix/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/phoenix@v1.8.1...v1.8.7)

Updates `phoenix_live_view` from 1.1.16 to 1.1.30
- [Release notes](https://github.com/phoenixframework/phoenix_live_view/releases)
- [Changelog](https://github.com/phoenixframework/phoenix_live_view/blob/v1.1.30/CHANGELOG.md)
- [Commits](phoenixframework/phoenix_live_view@v1.1.16...v1.1.30)

Updates `req` from 0.5.15 to 0.5.17
- [Release notes](https://github.com/wojtekmach/req/releases)
- [Changelog](https://github.com/wojtekmach/req/blob/main/CHANGELOG.md)
- [Commits](wojtekmach/req@v0.5.15...v0.5.17)

Updates `swoosh` from 1.19.8 to 1.25.1
- [Release notes](https://github.com/swoosh/swoosh/releases)
- [Changelog](https://github.com/swoosh/swoosh/blob/main/CHANGELOG.md)
- [Commits](swoosh/swoosh@v1.19.8...v1.25.1)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: gettext
  dependency-version: 1.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: jason
  dependency-version: 1.4.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: phoenix
  dependency-version: 1.8.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: phoenix_live_view
  dependency-version: 1.1.30
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: req
  dependency-version: 0.5.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: swoosh
  dependency-version: 1.25.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (bot) added the dependencies (Pull requests that update a dependency file) and elixir (Pull requests that update elixir code) labels on May 6, 2026