chore(deps): update mix dependencies #552

Open
renovate wants to merge 1 commit from renovate/mix-dependencies into main
Collaborator

This PR contains the following updates:

Package Type Update Change
ash (source) prod minor 3.27.73.29.3
ash_authentication prod minor 4.13.74.14.1
ash_authentication_phoenix (source) prod minor 2.16.02.17.1
ash_phoenix (source) prod patch 2.3.222.3.23
ash_postgres (source) prod minor 2.9.12.10.0
bandit (source) prod minor 1.11.11.12.0
credo (source) dev patch 1.7.181.7.19
ecto_sql (source) prod minor 3.13.53.14.0
hammer (source) prod minor 7.3.07.4.0
igniter (source) dev patch 0.8.10.8.2
live_debugger (source) dev patch 1.0.01.0.1
phoenix (source) prod patch 1.8.71.8.8
phoenix_live_view (source) prod minor ~> 1.1.0-rc.3~> 1.2.0
req (source) prod minor ~> 0.5~> 0.6
sourceror (source) dev patch 1.12.01.12.2
swoosh (source) prod minor 1.25.11.26.2
tailwind (source) prod minor ~> 0.4~> 0.5
tidewave (source) dev minor ~> 0.5~> 0.6
tz (source) prod patch 0.28.10.28.2

Release Notes

ash-project/ash (ash)

v3.29.3

Compare Source

Bug Fixes:

Fixes CVE-2026-55736

v3.29.2

Compare Source

Bug Fixes:
Improvements:
  • add explanatory comment on backwards compat config by @​zachdaniel

v3.29.1

Compare Source

Bug Fixes:

v3.29.0

Compare Source

Features:
  • add Ash.update_many/4 by Zach Daniel
Bug Fixes:
  • look up field policies by calc_name when authorizing calculation sorts (#​2754) by Jesse Williams (#​2754)

  • ensure modules are loaded before optional callback checks (#​2753) by Vasilis Spilka

  • relate_actor with field: raises BadMapError for belongs_to (#​2751) by diogomrts (#​2751)

Improvements:
  • set upsert_action metadata in ETS and Mnesia by Zach Daniel

  • allow partial identity join sorting (#​2746) by Jechol Lee (#​2746)

  • Make attribute_in delegate to one_of (#​1713) (#​2748) by nashjar000 (#​2748)

  • Prompt to add use Ash.Domain when module exists but is not a domain (#​2744) by gixtrem (#​2744)

v3.28.0

Compare Source

Features:
Bug Fixes:
Improvements:
  • verify types before codes run, catching unspecified or unusable types. (#​2739) by torazar (#​2739)

v3.27.8

Compare Source

Bug Fixes:
Improvements:
team-alembic/ash_authentication_phoenix (ash_authentication_phoenix)

v2.17.1

Compare Source

v2.17.0

Compare Source

ash-project/ash_phoenix (ash_phoenix)

v2.3.23

Compare Source

Bug Fixes:
ash-project/ash_postgres (ash_postgres)

v2.10.0

Compare Source

Features:
  • add update_many callback by Zach Daniel
Bug Fixes:
  • Filter out empty snapshot directories (#​765) by Rutgerdj

  • move table schema migrations (#​758) by febarnett3

  • rewrite belongs_to reference indexes when multitenancy changes (#​762) by Jinkyou Son

  • handle skipped references and delete constraint errors (#​759) by ChivukulaVirinchi

  • ignore migrate false resources in drop detection (#​757) by ChivukulaVirinchi

  • place atomics in binding 1, not 0 by Zach Daniel

Improvements:
  • Implement upserts with MERGE (17+) by Zach Daniel

  • Warning for reviewing operations (#​777) by colenelson0

  • add more generic table renaming by Zach Daniel

  • Add migrate_extensions? callback to allow repos to opt out of extension migrations (#​761) by gixtrem

  • allow specifying global vs private statements (#​751) by CyanideDragon

  • ash_postgres.gen.resources: many-to-many, views, no-PK tables, and prompt UX (#​748) by Johannes Welebil

mtrudel/bandit (bandit)

v1.12.0

Compare Source

Changes
Fixes
Enhancements
  • Internal improvements to HTTP/1 body read functions (#​588)
rrrene/credo (credo)

v1.7.19

Compare Source

  • Fix compatibility & compiler warnings with Elixir 1.20.0
elixir-ecto/ecto_sql (ecto_sql)

v3.14.0

Compare Source

Enhancements
  • [migrations] Allow table modifiers such as UNLOGGED tables
  • [migrations] Add Safe Ecto Migration guides
  • [mysql] Support insert_mode: :ignore
  • [postgres] Set a default timezone on mix ecto.create
  • [sandbox] Label the sandbox owner process
  • [sql] Allow fragment tuple sources in adapters
  • [sql] Allow pid repos in Ecto.Adapters.SQL.table_exists?
  • [sql] Accept counter option in to_sql/4
  • [sql] Support {:unsafe_fragment, ...} support to RETURNING clause
ExHammer/hammer (hammer)

v7.4.0

Compare Source

  • Add :fix_window_per_key algorithm for ETS and Atomic backends — a fixed-window variant whose window is anchored to first hit per key instead of a globally-aligned wall-clock epoch. Same one-entry-per-key memory profile as :fix_window. The 2x boundary burst is still possible per key, but boundaries are no longer globally synchronized. (#​181)
ash-project/igniter (igniter)

v0.8.2

Compare Source

Bug Fixes:
  • handle empty list in configures_key by Zach Daniel
Improvements:
  • Add scoped configure/6 options for runtime env blocks (#​385) by RhettPoole

  • Send issue output to stderr (#​384) by daphnerosepurcell

  • allow remapping modules to their file locations w/ regexes (#​378) by aheiner2001

  • add --except to igniter.upgrade --all (#​383) by febarnett3

  • intercept --help for igniter.new and other tasks. (#​382) by CaydenLords

software-mansion/live-debugger (live_debugger)

v1.0.1

Compare Source

Enhancements
  • Enhancement: Improve tracing performance in #​989
Bug fixes
  • Fix MapSet assign summary updates in #​988

phoenixframework/phoenix (phoenix)

v1.8.8

Compare Source

phoenixframework/phoenix_live_view (phoenix_live_view)

v1.2.5

Compare Source

Enhancements
  • Ensure Phoenix.LiveView.TagEngine's EEx.Engine deprecation warning includes file and line information
  • Ensure a failing custom UploadWriter does not crash the LiveView process (#​4320)

v1.2.4

Compare Source

Bug fixes
  • Only warn about missing form ID when recovery actually applies (#​4315)
  • Add common img attributes to live_img_preview/1 that were missing after cleaning the global attribute list in 1.2.0 (#​4316)
  • Fix colocated CSS attributes being dropped if using colocated JS in the same component (#​4319)

v1.2.3

Compare Source

This is a followup release to v1.2.2 that fixes the TypeScript declaration files being in the wrong subfolder.
Again, it does not contain any changes to the Elixir or JavaScript code itself.

v1.2.2

Compare Source

This release fixes the npm package missing the TypeScript declaration files.
It does not contain any changes to the Elixir or JavaScript code itself, except small documentation improvements.

v1.2.1

Compare Source

Bug fixes
  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#​4291)

v1.2.0

Compare Source

Bug fixes
  • Only warn about missing form ID when recovery actually applies (#​4315)
  • Add common img attributes to live_img_preview/1 that were missing after cleaning the global attribute list in 1.2.0 (#​4316)
  • Fix colocated CSS attributes being dropped if using colocated JS in the same component (#​4319)

v1.1.32

Compare Source

Bug fixes
  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#​4291)
wojtekmach/req (req)

v0.6.2

Compare Source

  • Use finch ~> 0.21.

v0.6.1

Compare Source

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0

Compare Source

  • [encode_body]: Security fix for :form_multipart header injection
    (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and
    content_type into the part headers without escaping, so an
    attacker-controlled value could inject extra headers or smuggle additional
    parts into the request. These values are now escaped per RFC 7578 / WHATWG
    form-data (", CR, and LF are percent-encoded).

    Thanks to @​PJUllrich for reporting it.

    • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding,
      (GHSA-655f-mp8p-96gv).

      Req previously auto-decoded archive and compressed response bodies (zip,
      tar, tgz, gz, zst, and csv) based on the server-supplied
      content-type, materialising the full decompressed contents in memory with
      no size cap. An attacker-controlled (or redirect-reachable) endpoint could
      return a tiny "decompression bomb" that expanded to gigabytes and exhausted
      the node's memory.

      Now only JSON is decoded by default. Other formats are opt-in via the new
      :decoders option, which defaults to [:json, :json_api]. Setting it
      replaces the default (include :json to keep JSON decoding), and false
      disables all decoding:

opt into archives (only for endpoints you trust):

    Req.get!(url, decoders: [:json, :zip])

**Note**: The decoded zip/tar is still list of
`{filename :: charlist(), contents :: binary}` tuples.
In the future release, this will be list of
`{filename :: binary(), contents :: binary()}` tuples.

While automatic CSV decoding wasn't a security issue, the behaviour based
on presence/absence of `nimble_csv` dependency was suprising. CSV support
is still built-in but need to be enabled with `decoders: [:csv]`.

Custom decoders are supported via `{format, codec}` tuples, where `codec` is
a module exporting `decode/1` or a 1-arity function returning an `:ok`/`:error`
tuple, for example:

    Req.get!(url, decoders: [:json, ics: &{:ok, ICal.from_ics(&1)}])

Thanks to @​PJUllrich for reporting it.
doorgan/sourceror (sourceror)

v1.12.2

Compare Source

Bug Fixes
  • make get_start_position return the default for nodes without metadata (#​210) (df0cf31)

v1.12.1

Compare Source

Bug Fixes
Performance Improvements
swoosh/swoosh (swoosh)

v1.26.2

Compare Source

🐛 Bug Fixes

v1.26.1

Compare Source

🐛 Bug Fixes

v1.26.0

Compare Source

Features
📝 Documentation
  • Document the new Mailpit adapter in the README

v1.25.3

Compare Source

📝 Documentation
🧰 Maintenance

v1.25.2

Compare Source

🐛 Bug Fixes
phoenixframework/tailwind (tailwind)

v0.5.1

Compare Source

  • Fix executable name on Windows

v0.5.0

Compare Source

  • Allow configuring :version per profile
  • Allow env values to be lists, joined by the OS path separator
tidewave-ai/tidewave_phoenix (tidewave)

v0.6.1

  • Enhancements
    • Improve out of the box experience for remote control

v0.6.0

Compare Source

  • Deprecations
    • The search_package_docs tool has been moved to the Hex CLI
mathieuprog/tz (tz)

v0.28.2

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between day 1 and 7 of the month (* * 1-7 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ash](https://hex.pm/packages/ash) ([source](https://github.com/ash-project/ash)) | prod | minor | `3.27.7` → `3.29.3` | | [ash_authentication](https://hex.pm/packages/ash_authentication) | prod | minor | `4.13.7` → `4.14.1` | | [ash_authentication_phoenix](https://hex.pm/packages/ash_authentication_phoenix) ([source](https://github.com/team-alembic/ash_authentication_phoenix)) | prod | minor | `2.16.0` → `2.17.1` | | [ash_phoenix](https://hex.pm/packages/ash_phoenix) ([source](https://github.com/ash-project/ash_phoenix)) | prod | patch | `2.3.22` → `2.3.23` | | [ash_postgres](https://hex.pm/packages/ash_postgres) ([source](https://github.com/ash-project/ash_postgres)) | prod | minor | `2.9.1` → `2.10.0` | | [bandit](https://hex.pm/packages/bandit) ([source](https://github.com/mtrudel/bandit)) | prod | minor | `1.11.1` → `1.12.0` | | [credo](https://hex.pm/packages/credo) ([source](https://github.com/rrrene/credo)) | dev | patch | `1.7.18` → `1.7.19` | | [ecto_sql](https://hex.pm/packages/ecto_sql) ([source](https://github.com/elixir-ecto/ecto_sql)) | prod | minor | `3.13.5` → `3.14.0` | | [hammer](https://hex.pm/packages/hammer) ([source](https://github.com/ExHammer/hammer)) | prod | minor | `7.3.0` → `7.4.0` | | [igniter](https://hex.pm/packages/igniter) ([source](https://github.com/ash-project/igniter)) | dev | patch | `0.8.1` → `0.8.2` | | [live_debugger](https://hex.pm/packages/live_debugger) ([source](https://github.com/software-mansion/live-debugger)) | dev | patch | `1.0.0` → `1.0.1` | | [phoenix](https://hex.pm/packages/phoenix) ([source](https://github.com/phoenixframework/phoenix)) | prod | patch | `1.8.7` → `1.8.8` | | [phoenix_live_view](https://hex.pm/packages/phoenix_live_view) ([source](https://github.com/phoenixframework/phoenix_live_view)) | prod | minor | `~> 1.1.0-rc.3` → `~> 1.2.0` | | [req](https://hex.pm/packages/req) ([source](https://github.com/wojtekmach/req)) | prod | minor | `~> 0.5` → `~> 0.6` | | [sourceror](https://hex.pm/packages/sourceror) ([source](https://github.com/doorgan/sourceror)) | dev | patch | `1.12.0` → `1.12.2` | | [swoosh](https://hex.pm/packages/swoosh) ([source](https://github.com/swoosh/swoosh)) | prod | minor | `1.25.1` → `1.26.2` | | [tailwind](https://hex.pm/packages/tailwind) ([source](https://github.com/phoenixframework/tailwind)) | prod | minor | `~> 0.4` → `~> 0.5` | | [tidewave](https://hex.pm/packages/tidewave) ([source](https://github.com/tidewave-ai/tidewave_phoenix)) | dev | minor | `~> 0.5` → `~> 0.6` | | [tz](https://hex.pm/packages/tz) ([source](https://github.com/mathieuprog/tz)) | prod | patch | `0.28.1` → `0.28.2` | --- ### Release Notes <details> <summary>ash-project/ash (ash)</summary> ### [`v3.29.3`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3293-2026-06-23) [Compare Source](https://github.com/ash-project/ash/compare/v3.29.2...v3.29.3) ##### Bug Fixes: - scrub private arguments w/ string values by [@&#8203;zachdaniel](https://github.com/zachdaniel) Fixes CVE-2026-55736 ### [`v3.29.2`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3292-2026-06-22) [Compare Source](https://github.com/ash-project/ash/compare/v3.29.1...v3.29.2) ##### Bug Fixes: - properly retain override messages on list of errors by [@&#8203;zachdaniel](https://github.com/zachdaniel) - narrow input/2 spec to no\_return for resources without actions ([#&#8203;2758](https://github.com/ash-project/ash/issues/2758)) by diogomrts [(#&#8203;2758)](https://github.com/ash-project/ash/pull/2758) - respect actor from scope: in bulk actions under require\_actor? ([#&#8203;2757](https://github.com/ash-project/ash/issues/2757)) by [@&#8203;emadshaaban92](https://github.com/emadshaaban92) [(#&#8203;2757)](https://github.com/ash-project/ash/pull/2757) - support uuidv7 generation when Ecto isn't started by [@&#8203;zachdaniel](https://github.com/zachdaniel) - ensure calc context is added to m2m through query by [@&#8203;zachdaniel](https://github.com/zachdaniel) ##### Improvements: - add explanatory comment on backwards compat config by [@&#8203;zachdaniel](https://github.com/zachdaniel) ### [`v3.29.1`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3291-2026-06-14) [Compare Source](https://github.com/ash-project/ash/compare/v3.29.0...v3.29.1) ##### Bug Fixes: - handle all hook types in update\_many by [@&#8203;zachdaniel](https://github.com/zachdaniel) - require primary keys explicitly as update\_many targets by [@&#8203;zachdaniel](https://github.com/zachdaniel) ### [`v3.29.0`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3290-2026-06-14) [Compare Source](https://github.com/ash-project/ash/compare/v3.28.0...v3.29.0) ##### Features: - add `Ash.update_many/4` by Zach Daniel ##### Bug Fixes: - look up field policies by calc\_name when authorizing calculation sorts ([#&#8203;2754](https://github.com/ash-project/ash/issues/2754)) by Jesse Williams [(#&#8203;2754)](https://github.com/ash-project/ash/pull/2754) - ensure modules are loaded before optional callback checks ([#&#8203;2753](https://github.com/ash-project/ash/issues/2753)) by Vasilis Spilka - relate\_actor with field: raises BadMapError for belongs\_to ([#&#8203;2751](https://github.com/ash-project/ash/issues/2751)) by diogomrts [(#&#8203;2751)](https://github.com/ash-project/ash/pull/2751) ##### Improvements: - set `upsert_action` metadata in ETS and Mnesia by Zach Daniel - allow partial identity join sorting ([#&#8203;2746](https://github.com/ash-project/ash/issues/2746)) by Jechol Lee [(#&#8203;2746)](https://github.com/ash-project/ash/pull/2746) - Make attribute\_in delegate to one\_of ([#&#8203;1713](https://github.com/ash-project/ash/issues/1713)) ([#&#8203;2748](https://github.com/ash-project/ash/issues/2748)) by nashjar000 [(#&#8203;2748)](https://github.com/ash-project/ash/pull/2748) - Prompt to add use Ash.Domain when module exists but is not a domain ([#&#8203;2744](https://github.com/ash-project/ash/issues/2744)) by gixtrem [(#&#8203;2744)](https://github.com/ash-project/ash/pull/2744) ### [`v3.28.0`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3280-2026-06-11) [Compare Source](https://github.com/ash-project/ash/compare/v3.27.8...v3.28.0) ##### Features: - Add byte\_size validation ([#&#8203;2741](https://github.com/ash-project/ash/issues/2741)) by charlieaten [(#&#8203;2741)](https://github.com/ash-project/ash/pull/2741) ##### Bug Fixes: - use proper embedded casting for fields in composite types by [@&#8203;zachdaniel](https://github.com/zachdaniel) - preserve changeset context in `generate_many/2` ([#&#8203;2742](https://github.com/ash-project/ash/issues/2742)) by [@&#8203;nallwhy](https://github.com/nallwhy) [(#&#8203;2742)](https://github.com/ash-project/ash/pull/2742) - validate multitenancy attribute by [@&#8203;zachdaniel](https://github.com/zachdaniel) - pass the index to Ash.DataLayer.upsert so it is included in the sql statement. ([#&#8203;2740](https://github.com/ash-project/ash/issues/2740)) by David Corwin [(#&#8203;2740)](https://github.com/ash-project/ash/pull/2740) ##### Improvements: - verify types before codes run, catching unspecified or unusable types. ([#&#8203;2739](https://github.com/ash-project/ash/issues/2739)) by torazar [(#&#8203;2739)](https://github.com/ash-project/ash/pull/2739) ### [`v3.27.8`](https://github.com/ash-project/ash/blob/HEAD/CHANGELOG.md#v3278-2026-06-05) [Compare Source](https://github.com/ash-project/ash/compare/v3.27.7...v3.27.8) ##### Bug Fixes: - crash loading nested aggregate over a multi-hop inner aggregate ([#&#8203;2732](https://github.com/ash-project/ash/issues/2732)) by [@&#8203;joshprice](https://github.com/joshprice) [(#&#8203;2732)](https://github.com/ash-project/ash/pull/2732) - propagate include\_source? from union to inner embedded type constraints ([#&#8203;2716](https://github.com/ash-project/ash/issues/2716)) by [@&#8203;Munksgaard](https://github.com/Munksgaard) [(#&#8203;2716)](https://github.com/ash-project/ash/pull/2716) - auto-detect argument vs attribute in validation ([#&#8203;2714](https://github.com/ash-project/ash/issues/2714)) by [@&#8203;ThomaseLucas](https://github.com/ThomaseLucas) [(#&#8203;2714)](https://github.com/ash-project/ash/pull/2714) - ensure lock is passed in read\_one/read\_first ([#&#8203;2711](https://github.com/ash-project/ash/issues/2711)) by Alt-iOS [(#&#8203;2711)](https://github.com/ash-project/ash/pull/2711) - propagate parent query's context.shared into aggregate authorization filters ([#&#8203;2730](https://github.com/ash-project/ash/issues/2730)) by [@&#8203;nallwhy](https://github.com/nallwhy) [(#&#8203;2730)](https://github.com/ash-project/ash/pull/2730) - Error when passing in {:ok, \[]} to Ash.load ([#&#8203;2722](https://github.com/ash-project/ash/issues/2722)) by [@&#8203;cheerfulstoic](https://github.com/cheerfulstoic) [(#&#8203;2722)](https://github.com/ash-project/ash/pull/2722) - match `ci_string` join keys case-insensitively when loading `many_to_many` relationships ([#&#8203;2731](https://github.com/ash-project/ash/issues/2731)) by sevenseacat [(#&#8203;2731)](https://github.com/ash-project/ash/pull/2731) ##### Improvements: - switch to uuidv7 ecto's generator ([#&#8203;2734](https://github.com/ash-project/ash/issues/2734)) by Kenneth Kostrešević [(#&#8203;2734)](https://github.com/ash-project/ash/pull/2734) - Include all constraints in `Ash.Type.Decimal.generator/1` ([#&#8203;2717](https://github.com/ash-project/ash/issues/2717)) by David Corwin [(#&#8203;2717)](https://github.com/ash-project/ash/pull/2717) </details> <details> <summary>team-alembic/ash_authentication_phoenix (ash_authentication_phoenix)</summary> ### [`v2.17.1`](https://github.com/team-alembic/ash_authentication_phoenix/compare/2.17.0...v2.17.1) [Compare Source](https://github.com/team-alembic/ash_authentication_phoenix/compare/2.17.0...v2.17.1) ### [`v2.17.0`](https://github.com/team-alembic/ash_authentication_phoenix/compare/v2.16.0...2.17.0) [Compare Source](https://github.com/team-alembic/ash_authentication_phoenix/compare/v2.16.0...2.17.0) </details> <details> <summary>ash-project/ash_phoenix (ash_phoenix)</summary> ### [`v2.3.23`](https://github.com/ash-project/ash_phoenix/blob/HEAD/CHANGELOG.md#v2323-2026-06-05) [Compare Source](https://github.com/ash-project/ash_phoenix/compare/v2.3.22...v2.3.23) ##### Bug Fixes: - unwrap `NewType` in auto-form `map_type?` check ([#&#8203;475](https://github.com/ash-project/ash_phoenix/issues/475)) by sevenseacat [(#&#8203;475)](https://github.com/ash-project/ash_phoenix/pull/475) - Skip embed form standalone validation ([#&#8203;474](https://github.com/ash-project/ash_phoenix/issues/474)) by sevenseacat [(#&#8203;474)](https://github.com/ash-project/ash_phoenix/pull/474) - propagate shared context to nested forms in add\_form and validate ([#&#8203;472](https://github.com/ash-project/ash_phoenix/issues/472)) by [@&#8203;nallwhy](https://github.com/nallwhy) [(#&#8203;472)](https://github.com/ash-project/ash_phoenix/pull/472) </details> <details> <summary>ash-project/ash_postgres (ash_postgres)</summary> ### [`v2.10.0`](https://github.com/ash-project/ash_postgres/blob/HEAD/CHANGELOG.md#v2100-2026-06-14) [Compare Source](https://github.com/ash-project/ash_postgres/compare/v2.9.1...v2.10.0) ##### Features: - add `update_many` callback by Zach Daniel ##### Bug Fixes: - Filter out empty snapshot directories ([#&#8203;765](https://github.com/ash-project/ash_postgres/issues/765)) by Rutgerdj - move table schema migrations ([#&#8203;758](https://github.com/ash-project/ash_postgres/issues/758)) by febarnett3 - rewrite belongs\_to reference indexes when multitenancy changes ([#&#8203;762](https://github.com/ash-project/ash_postgres/issues/762)) by Jinkyou Son - handle skipped references and delete constraint errors ([#&#8203;759](https://github.com/ash-project/ash_postgres/issues/759)) by ChivukulaVirinchi - ignore migrate false resources in drop detection ([#&#8203;757](https://github.com/ash-project/ash_postgres/issues/757)) by ChivukulaVirinchi - place atomics in binding `1`, not `0` by Zach Daniel ##### Improvements: - Implement upserts with MERGE (17+) by Zach Daniel - Warning for reviewing operations ([#&#8203;777](https://github.com/ash-project/ash_postgres/issues/777)) by colenelson0 - add more generic table renaming by Zach Daniel - Add migrate\_extensions? callback to allow repos to opt out of extension migrations ([#&#8203;761](https://github.com/ash-project/ash_postgres/issues/761)) by gixtrem - allow specifying global vs private statements ([#&#8203;751](https://github.com/ash-project/ash_postgres/issues/751)) by CyanideDragon - ash\_postgres.gen.resources: many-to-many, views, no-PK tables, and prompt UX ([#&#8203;748](https://github.com/ash-project/ash_postgres/issues/748)) by Johannes Welebil </details> <details> <summary>mtrudel/bandit (bandit)</summary> ### [`v1.12.0`](https://github.com/mtrudel/bandit/blob/HEAD/CHANGELOG.md#1120-5-June-2026) [Compare Source](https://github.com/mtrudel/bandit/compare/1.11.1...1.12.0) ##### Changes - Incorporate changes from Thousand Island 1.5, improving the separation of local GenServer timeouts and network facing timeouts ([#&#8203;597](https://github.com/mtrudel/bandit/issues/597) & <https://thousand-island.hexdocs.pm/changelog.html#1-5-0-1-jun-2026>) ##### Fixes - Properly handle mixed-case Transfer-Encoding headers ([#&#8203;590](https://github.com/mtrudel/bandit/issues/590), thanks [@&#8203;mize85](https://github.com/mize85)!) ##### Enhancements - Internal improvements to HTTP/1 body read functions ([#&#8203;588](https://github.com/mtrudel/bandit/issues/588)) </details> <details> <summary>rrrene/credo (credo)</summary> ### [`v1.7.19`](https://github.com/rrrene/credo/blob/HEAD/CHANGELOG.md#1719) [Compare Source](https://github.com/rrrene/credo/compare/v1.7.18...v1.7.19) - Fix compatibility & compiler warnings with Elixir 1.20.0 </details> <details> <summary>elixir-ecto/ecto_sql (ecto_sql)</summary> ### [`v3.14.0`](https://github.com/elixir-ecto/ecto_sql/blob/HEAD/CHANGELOG.md#v3140-2026-05-19) [Compare Source](https://github.com/elixir-ecto/ecto_sql/compare/v3.13.5...v3.14.0) ##### Enhancements - \[migrations] Allow table modifiers such as UNLOGGED tables - \[migrations] Add Safe Ecto Migration guides - \[mysql] Support `insert_mode: :ignore` - \[postgres] Set a default timezone on `mix ecto.create` - \[sandbox] Label the sandbox owner process - \[sql] Allow fragment tuple sources in adapters - \[sql] Allow pid repos in Ecto.Adapters.SQL.table\_exists? - \[sql] Accept counter option in `to_sql/4` - \[sql] Support `{:unsafe_fragment, ...}` support to RETURNING clause </details> <details> <summary>ExHammer/hammer (hammer)</summary> ### [`v7.4.0`](https://github.com/ExHammer/hammer/blob/HEAD/CHANGELOG.md#740---2026-05-19) [Compare Source](https://github.com/ExHammer/hammer/compare/7.3.0...7.4.0) - Add `:fix_window_per_key` algorithm for ETS and Atomic backends — a fixed-window variant whose window is anchored to first hit per key instead of a globally-aligned wall-clock epoch. Same one-entry-per-key memory profile as `:fix_window`. The 2x boundary burst is still possible per key, but boundaries are no longer globally synchronized. ([#&#8203;181](https://github.com/ExHammer/hammer/issues/181)) </details> <details> <summary>ash-project/igniter (igniter)</summary> ### [`v0.8.2`](https://github.com/ash-project/igniter/blob/HEAD/CHANGELOG.md#v082-2026-06-24) [Compare Source](https://github.com/ash-project/igniter/compare/v0.8.1...v0.8.2) ##### Bug Fixes: - handle empty list in `configures_key` by Zach Daniel ##### Improvements: - Add scoped configure/6 options for runtime env blocks ([#&#8203;385](https://github.com/ash-project/igniter/issues/385)) by RhettPoole - Send issue output to stderr ([#&#8203;384](https://github.com/ash-project/igniter/issues/384)) by daphnerosepurcell - allow remapping modules to their file locations w/ regexes ([#&#8203;378](https://github.com/ash-project/igniter/issues/378)) by aheiner2001 - add --except to igniter.upgrade --all ([#&#8203;383](https://github.com/ash-project/igniter/issues/383)) by febarnett3 - intercept --help for igniter.new and other tasks. ([#&#8203;382](https://github.com/ash-project/igniter/issues/382)) by CaydenLords </details> <details> <summary>software-mansion/live-debugger (live_debugger)</summary> ### [`v1.0.1`](https://github.com/software-mansion/live-debugger/blob/HEAD/CHANGELOG.md#101-2026-06-03) [Compare Source](https://github.com/software-mansion/live-debugger/compare/v1.0.0...v1.0.1) ##### Enhancements - Enhancement: Improve tracing performance in [#&#8203;989](https://github.com/software-mansion/live-debugger/pull/989) ##### Bug fixes - Fix MapSet assign summary updates in [#&#8203;988](https://github.com/software-mansion/live-debugger/pull/988) *** </details> <details> <summary>phoenixframework/phoenix (phoenix)</summary> ### [`v1.8.8`](https://github.com/phoenixframework/phoenix/compare/v1.8.7...v1.8.8) [Compare Source](https://github.com/phoenixframework/phoenix/compare/v1.8.7...v1.8.8) </details> <details> <summary>phoenixframework/phoenix_live_view (phoenix_live_view)</summary> ### [`v1.2.5`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v125-2026-06-30) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.2.4...v1.2.5) ##### Enhancements - Ensure `Phoenix.LiveView.TagEngine`'s `EEx.Engine` deprecation warning includes file and line information - Ensure a failing custom UploadWriter does not crash the LiveView process ([#&#8203;4320](https://github.com/phoenixframework/phoenix_live_view/pull/4320)) ### [`v1.2.4`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v124-2026-06-29) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.2.3...v1.2.4) ##### Bug fixes - Only warn about missing form ID when recovery actually applies ([#&#8203;4315](https://github.com/phoenixframework/phoenix_live_view/pull/4315)) - Add common img attributes to `live_img_preview/1` that were missing after cleaning the global attribute list in 1.2.0 ([#&#8203;4316](https://github.com/phoenixframework/phoenix_live_view/issues/4316)) - Fix colocated CSS attributes being dropped if using colocated JS in the same component ([#&#8203;4319](https://github.com/phoenixframework/phoenix_live_view/pull/4319)) ### [`v1.2.3`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v123-2026-06-12) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.2.2...v1.2.3) This is a followup release to v1.2.2 that fixes the TypeScript declaration files being in the wrong subfolder. Again, it does not contain any changes to the Elixir or JavaScript code itself. ### [`v1.2.2`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v122-2026-06-12) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.2.1...v1.2.2) This release fixes the [npm package](https://www.npmjs.com/package/phoenix_live_view) missing the TypeScript declaration files. It does not contain any changes to the Elixir or JavaScript code itself, except small documentation improvements. ### [`v1.2.1`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v121-2026-06-11) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.2.0...v1.2.1) ##### Bug fixes - Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect ([#&#8203;4291](https://github.com/phoenixframework/phoenix_live_view/pull/4291)) ### [`v1.2.0`](https://github.com/phoenixframework/phoenix_live_view/blob/HEAD/CHANGELOG.md#v124-2026-06-29) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.1.32...v1.2.0) ##### Bug fixes - Only warn about missing form ID when recovery actually applies ([#&#8203;4315](https://github.com/phoenixframework/phoenix_live_view/pull/4315)) - Add common img attributes to `live_img_preview/1` that were missing after cleaning the global attribute list in 1.2.0 ([#&#8203;4316](https://github.com/phoenixframework/phoenix_live_view/issues/4316)) - Fix colocated CSS attributes being dropped if using colocated JS in the same component ([#&#8203;4319](https://github.com/phoenixframework/phoenix_live_view/pull/4319)) ### [`v1.1.32`](https://github.com/phoenixframework/phoenix_live_view/releases/tag/v1.1.32) [Compare Source](https://github.com/phoenixframework/phoenix_live_view/compare/v1.1.31...v1.1.32) ##### Bug fixes - Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect ([#&#8203;4291](https://github.com/phoenixframework/phoenix_live_view/pull/4291)) </details> <details> <summary>wojtekmach/req (req)</summary> ### [`v0.6.2`](https://github.com/wojtekmach/req/blob/HEAD/CHANGELOG.md#v062-2026-06-19) [Compare Source](https://github.com/wojtekmach/req/compare/v0.6.1...v0.6.2) - Use finch \~> 0.21. ### [`v0.6.1`](https://github.com/wojtekmach/req/blob/HEAD/CHANGELOG.md#v061-2026-06-08) [Compare Source](https://github.com/wojtekmach/req/compare/v0.6.0...v0.6.1) - \[`compressed`], \[`decompress_body`]: Disable automatic decompression Decompression is now opt-in by setting `compressed: true`. ### [`v0.6.0`](https://github.com/wojtekmach/req/blob/HEAD/CHANGELOG.md#v060-2026-06-08) [Compare Source](https://github.com/wojtekmach/req/compare/v0.5.18...v0.6.0) - \[`encode_body`]: Security fix for `:form_multipart` header injection ([GHSA-px9f-whj3-246m](https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m)). The multipart encoder interpolated the per-part `name`, `filename`, and `content_type` into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (`"`, CR, and LF are percent-encoded). Thanks to [@&#8203;PJUllrich](https://github.com/PJUllrich) for reporting it. - \[`decode_body`]: Drop automatic zip/tar/tgz/gz/zst/csv decoding, ([GHSA-655f-mp8p-96gv](https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv)). Req previously auto-decoded archive and compressed response bodies (`zip`, `tar`, `tgz`, `gz`, `zst`, and `csv`) based on the server-supplied `content-type`, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory. Now only JSON is decoded by default. Other formats are opt-in via the new `:decoders` option, which defaults to `[:json, :json_api]`. Setting it replaces the default (include `:json` to keep JSON decoding), and `false` disables all decoding: ### opt into archives (only for endpoints you trust): ``` Req.get!(url, decoders: [:json, :zip]) **Note**: The decoded zip/tar is still list of `{filename :: charlist(), contents :: binary}` tuples. In the future release, this will be list of `{filename :: binary(), contents :: binary()}` tuples. While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of `nimble_csv` dependency was suprising. CSV support is still built-in but need to be enabled with `decoders: [:csv]`. Custom decoders are supported via `{format, codec}` tuples, where `codec` is a module exporting `decode/1` or a 1-arity function returning an `:ok`/`:error` tuple, for example: Req.get!(url, decoders: [:json, ics: &{:ok, ICal.from_ics(&1)}]) Thanks to @&#8203;PJUllrich for reporting it. ``` </details> <details> <summary>doorgan/sourceror (sourceror)</summary> ### [`v1.12.2`](https://github.com/doorgan/sourceror/blob/HEAD/CHANGELOG.md#1122-2026-06-16) [Compare Source](https://github.com/doorgan/sourceror/compare/v1.12.1...v1.12.2) ##### Bug Fixes - make get\_start\_position return the default for nodes without metadata ([#&#8203;210](https://github.com/doorgan/sourceror/issues/210)) ([df0cf31](https://github.com/doorgan/sourceror/commit/df0cf31770d0f2756c14d10f03a62d7f6fb6207c)) ### [`v1.12.1`](https://github.com/doorgan/sourceror/blob/HEAD/CHANGELOG.md#1121-2026-06-16) [Compare Source](https://github.com/doorgan/sourceror/compare/v1.12.0...v1.12.1) ##### Bug Fixes - clear all sourceror compilation warnings ([#&#8203;208](https://github.com/doorgan/sourceror/issues/208)) ([f5bcdf9](https://github.com/doorgan/sourceror/commit/f5bcdf9a0d6fb38bf3735f40fead7f046dfc4b37)) ##### Performance Improvements - make compare\_positions extract metadata once ([#&#8203;206](https://github.com/doorgan/sourceror/issues/206)) ([7014665](https://github.com/doorgan/sourceror/commit/7014665d95310a02802d694d6771e470444126c0)) </details> <details> <summary>swoosh/swoosh (swoosh)</summary> ### [`v1.26.2`](https://github.com/swoosh/swoosh/blob/HEAD/CHANGELOG.md#1262) [Compare Source](https://github.com/swoosh/swoosh/compare/v1.26.1...1.26.2) ##### 🐛 Bug Fixes - Fix Postmark adapter not adding the recipient name to the Reply-To header [@&#8203;vickz84259](https://github.com/vickz84259) ([#&#8203;1166](https://github.com/swoosh/swoosh/issues/1166)) ### [`v1.26.1`](https://github.com/swoosh/swoosh/blob/HEAD/CHANGELOG.md#1261) [Compare Source](https://github.com/swoosh/swoosh/compare/v1.26.0...v1.26.1) ##### 🐛 Bug Fixes - Fix inline attachment `cid` handling for Mailpit adapter [@&#8203;waseigo](https://github.com/waseigo) ([#&#8203;1155](https://github.com/swoosh/swoosh/issues/1155)) ### [`v1.26.0`](https://github.com/swoosh/swoosh/blob/HEAD/CHANGELOG.md#1260) [Compare Source](https://github.com/swoosh/swoosh/compare/1.25.3...v1.26.0) ##### ✨ Features - Add self-hosted Mailpit adapter [@&#8203;waseigo](https://github.com/waseigo) ([#&#8203;1152](https://github.com/swoosh/swoosh/issues/1152)) ##### 📝 Documentation - Document the new Mailpit adapter in the README ### [`v1.25.3`](https://github.com/swoosh/swoosh/blob/HEAD/CHANGELOG.md#1253) [Compare Source](https://github.com/swoosh/swoosh/compare/v1.25.2...1.25.3) ##### 📝 Documentation - Document runtime Postmark server keys [@&#8203;dl-alexandre](https://github.com/dl-alexandre) ([#&#8203;1135](https://github.com/swoosh/swoosh/issues/1135)) ##### 🧰 Maintenance - update to support hackney less than 5.0 [@&#8203;allenwyma](https://github.com/allenwyma) ([#&#8203;1132](https://github.com/swoosh/swoosh/issues/1132)) - Allow usage of idna 7.x [@&#8203;sax](https://github.com/sax) ([#&#8203;1142](https://github.com/swoosh/swoosh/issues/1142)) - Fix Elixir 1.20 compilation warnings [@&#8203;gilbertwong96](https://github.com/gilbertwong96) ([#&#8203;1150](https://github.com/swoosh/swoosh/issues/1150)) ### [`v1.25.2`](https://github.com/swoosh/swoosh/blob/HEAD/CHANGELOG.md#1252) [Compare Source](https://github.com/swoosh/swoosh/compare/v1.25.1...v1.25.2) ##### 🐛 Bug Fixes - fix(config): prioritize runtime config for Mailer [@&#8203;ukashazia](https://github.com/ukashazia) ([#&#8203;1134](https://github.com/swoosh/swoosh/issues/1134)) </details> <details> <summary>phoenixframework/tailwind (tailwind)</summary> ### [`v0.5.1`](https://github.com/phoenixframework/tailwind/blob/HEAD/CHANGELOG.md#v051-2026-06-16) [Compare Source](https://github.com/phoenixframework/tailwind/compare/v0.5.0...v0.5.1) - Fix executable name on Windows ### [`v0.5.0`](https://github.com/phoenixframework/tailwind/blob/HEAD/CHANGELOG.md#v050-2026-06-11) [Compare Source](https://github.com/phoenixframework/tailwind/compare/v0.4.1...v0.5.0) - Allow configuring `:version` per profile - Allow `env` values to be lists, joined by the OS path separator </details> <details> <summary>tidewave-ai/tidewave_phoenix (tidewave)</summary> ### [`v0.6.1`](https://github.com/tidewave-ai/tidewave_phoenix/blob/HEAD/CHANGELOG.md#v061-2026-06-22) - Enhancements - Improve out of the box experience for remote control ### [`v0.6.0`](https://github.com/tidewave-ai/tidewave_phoenix/blob/HEAD/CHANGELOG.md#v060-2026-06-14) [Compare Source](https://github.com/tidewave-ai/tidewave_phoenix/compare/v0.5.6...v0.6.0) - Deprecations - The `search_package_docs` tool has been moved to the Hex CLI </details> <details> <summary>mathieuprog/tz (tz)</summary> ### [`v0.28.2`](https://github.com/mathieuprog/tz/compare/v0.28.1...v0.28.2) [Compare Source](https://github.com/mathieuprog/tz/compare/v0.28.1...v0.28.2) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Between day 1 and 7 of the month (`* * 1-7 * *`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjUuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE2NS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJkZXBlbmRlbmNpZXMiLCJyZW5vdmF0ZSJdfQ==-->
renovate added 1 commit 2026-07-01 02:10:14 +02:00
chore(deps): update mix dependencies
Some checks failed
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
ba39632c38
Author
Collaborator

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mix.lock
Command failed: install-tool elixir v1.20.2

### ⚠️ Artifact update problem Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens: - any of the package files in this branch needs updating, or - the branch becomes conflicted, or - you click the rebase/retry checkbox if found above, or - you rename this PR's title to start with "rebase!" to trigger it manually The artifact failure details are included below: ##### File name: mix.lock ``` Command failed: install-tool elixir v1.20.2 ```
Some checks are pending
renovate/artifacts Artifact file update failure
continuous-integration/drone/push Build is failing
continuous-integration/drone/promote/production
Required
Some required checks are missing.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/mix-dependencies:renovate/mix-dependencies
git checkout renovate/mix-dependencies
Sign in to join this conversation.
No description provided.