1.24.1 - 2025-05-26

Changes

1.24.1 - 2025-05-26

• fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

• security: fix basic auth credential exposure vulnerability
• security: add application variable support for insecure_basic_auth
• fix: NXDOMAIN error in Docker Compose environments (issue #764)
• fix: stream_body timeout after first chunk (issue #762)
• fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
• fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
• fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
• fix: controlling_process error handling in happy eyeballs and connection pool return
• improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html

1.24.0 - 2025-05-26

Changes

• security: fix basic auth credential exposure vulnerability
• security: add application variable support for insecure_basic_auth
• fix: NXDOMAIN error in Docker Compose environments (issue #764)
• fix: stream_body timeout after first chunk (issue #762)
• fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
• fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
• fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
• fix: controlling_process error handling in happy eyeballs and connection pool return
• improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Available on hex.pm

** Breaking Change **

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Full Changelog: 1.23.0...1.24.0

1.23.0 - 2025-02-25

Changes:

fix: happy eyeball use correct timeout during connectino
fix: don't wrap conection error
improvement: eyeballonly spawn ipv6 worker when needed

Available on hex.pm https://hexdocs.pm/hackney/1.23.0/

1.22.0 - 2025-02-20

Changes

• feature: prefer to connect using IPv6. happy eyeball strategy
• improvement: fully support no_proxy environment variable
• doc: migrated to ex_doc

1.21.0 - 2025-02-20

1.21.0 - 2025-02-20

fix: remove SSL options incompatible with tls 1.3
fix: url parsing handle "/" path correctly
fix: simplify integration test suite
fix: handle chunked response in redirect responses
fix: handle http & https proxies separately
fix: skip junk lines in 1.xx response

** security fixes ***

fix URL parsing to prevent SSRF . (related to CVE-2025-1211)
use latest SSL certificate bundle

Available on hex.pm : https://hex.pm/packages/hackney

1.20.1

Changes

• fix multipart: handle case where Length is undefined

Config

• rebar.config : {hackney, "1.20.1"}
• erlang.mk: dep_hackney = hex 1.20.1
• mix.exs= {:hackney, "~> 1.21"}

Hex.pm: https://hex.pm/packages/hackney

1.20.0

Changes

• handle * in path encoding
• Support LF separators: since rfc7230-3.5 allows for LF-only
• fix recv stream fix fetching trailers during streaming
• fix CI
• Improve documentation

Config

• rebar.config : {hackney, "1.20.0"}
• erlang.mk: dep_hackney = hex 1.20.0
• mix.exs= {:hackney, "~> 1.20"}

Hex.pm: https://hex.pm/packages/hackney

1.19.0

Changes:

• fix: recv: if expected size < BufSize fallback to old behaviour. Fix issue with negative length
• feature: add support for proxy environment setting

1.18.0

1.18.0 - 2021-09-28

• security: update default CA bundle
• fix pool: make checkout synchrounous (remove unwanted messages)

Hackney 1.17.0

• fix SSL compatibility with erlang OTP 23
• handle empty trailers
• fix race condition in connection pool
• fix memory leak in connection pool
• IDNA update to unicode 13.0.0
• fix build on macosx with OTP >= 20.1
• fix network Location on redirect
• produce uppercase hexadecimal in URLS
• pool queue count metric is now named queue_count
• miscellaneous fixes in documentation

possible breaking changes

• The pool queue count metric is now named queue_count. You should update your dashboard to reflect it.
• Possible breaking changes when producing uppercase hexadecimal in urls. This change the behaviour of urlencode and pathencode to produce uppercase hexadecimal to comply with the RFC3986 which may affect systems using URL as signature or in an hash.