Update dependency req to ~> 0.6 #43

Open
renovate wants to merge 1 commit from renovate/req-0.x into main
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| req (source) | prod | minor | ~> 0.5 → ~> 0.6 |

Release Notes

wojtekmach/req (req)

v0.6.1

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0

  • [encode_body]: Security fix for :form_multipart header injection
    (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and
    content_type into the part headers without escaping, so an
    attacker-controlled value could inject extra headers or smuggle additional
    parts into the request. These values are now escaped per RFC 7578 / WHATWG
    form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding
    (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip,
    tar, tgz, gz, zst, and csv) based on the server-supplied
    content-type, materialising the full decompressed contents in memory with
    no size cap. An attacker-controlled (or redirect-reachable) endpoint could
    return a tiny "decompression bomb" that expanded to gigabytes and exhausted
    the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new
    :decoders option, which defaults to [:json, :json_api]. Setting it
    replaces the default (include :json to keep JSON decoding), and false
    disables all decoding:

        # opt into archives (only for endpoints you trust):
        Req.get!(url, decoders: [:json, :zip])

    **Note**: The decoded zip/tar is still a list of
    `{filename :: charlist(), contents :: binary}` tuples.
    In a future release, this will be a list of
    `{filename :: binary(), contents :: binary()}` tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based
    on presence/absence of the `nimble_csv` dependency was surprising. CSV support
    is still built-in but needs to be enabled with `decoders: [:csv]`.

    Custom decoders are supported via `{format, codec}` tuples, where `codec` is
    a module exporting `decode/1` or a 1-arity function returning an `:ok`/`:error`
    tuple, for example:

        Req.get!(url, decoders: [:json, ics: &{:ok, ICal.from_ics(&1)}])

    Thanks to @PJUllrich for reporting it.

v0.5.18

  • [run_finch]: Allow :finch option with IPv6 URLs.

  • [run_finch]: Normalize Finch.TransportError and Finch.HTTPError
    (introduced in Finch v0.22.0) into Req.TransportError and Req.HTTPError.

  • [retry]: Automatically retry on :pool_not_available.

  • Require Finch ~> 0.21.0 or ~> 0.22.0.

v0.5.17

  • [retry]: Use default delay if retry-after is "negative"

    Previously, we were only handling "negative" retry-after in "http date"
    format and slept for zero seconds. We were crashing on retry-after with
    negative seconds.

    Now, we're using the default delay (1s, 2s, 4s, ...) in either format.

v0.5.16

  • [Req.Test]: Fix verify_on_exit! accidentally using Mox name
  • [auth]: Support MFArgs
  • [auth]: Support digest auth
  • [put_aws_sigv4]: Support MFArgs
  • [put_path_params]: Encode :path_params even with reserved characters
  • [put_path_params]: Set :path_params_template on empty params
  • [run_plug]: Handle compressed request body

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • Between 10:00 AM and 10:59 AM (* 10 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
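
The escaping described in the v0.6.0 notes for `:form_multipart` part headers, as an added example that is not Req's encoder or part of this PR. The module `PartHeaderDemo`, its function names and the sample filename are hypothetical and constructed for illustration; only `name` and `filename` are shown.

```elixir
defmodule PartHeaderDemo do
  # Added illustration; not Req's implementation.

  # "Before": values are interpolated into the quoted parameters as-is,
  # so a CR/LF or a double quote in them changes the header structure.
  def unescaped(name, filename) do
    "content-disposition: form-data; name=\"#{name}\"; filename=\"#{filename}\""
  end

  # Percent-encode the three characters the release notes list: ", CR, LF.
  def escape(value) do
    String.replace(value, ["\"", "\r", "\n"], fn
      "\"" -> "%22"
      "\r" -> "%0D"
      "\n" -> "%0A"
    end)
  end

  # "After": the same header built from escaped values.
  def escaped(name, filename), do: unescaped(escape(name), escape(filename))

  # Header lines a receiver would parse out of this part's header block.
  def lines(header_block), do: String.split(header_block, "\r\n")
end

# Constructed sample value standing in for untrusted upload metadata.
filename = "report.txt\"\r\nx-injected: 1"

before_lines = PartHeaderDemo.lines(PartHeaderDemo.unescaped("file", filename))
after_lines = PartHeaderDemo.lines(PartHeaderDemo.escaped("file", filename))

IO.inspect(before_lines, label: "unescaped")
IO.inspect(after_lines, label: "escaped")
IO.inspect({length(before_lines), length(after_lines)}, label: "header line counts")
```

A regression test for callers that build multipart requests from user-supplied filenames can assert that the header block for a part never splits into more than one line.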

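
For endpoints where compressed bodies are still wanted after this update, the missing size cap described in the v0.6.0 notes can be supplied by the caller. This is an added example, not Req's code or part of this PR; the module `BoundedGunzip`, the 1 MB limit and the sample inputs are assumptions made for illustration. It uses Erlang's `:zlib.safeInflate/2`, which returns output in small chunks so the total can be checked as it grows.

```elixir
defmodule BoundedGunzip do
  # Added illustration; not Req's implementation.
  # Inflates gzip data chunk by chunk and stops as soon as the
  # decompressed size exceeds `max_bytes`.
  def gunzip(data, max_bytes) when is_binary(data) and max_bytes > 0 do
    z = :zlib.open()

    try do
      # 16 + 15 selects gzip framing with the maximum window size.
      :ok = :zlib.inflateInit(z, 16 + 15)
      collect(z, :zlib.safeInflate(z, data), [], 0, max_bytes)
    rescue
      # Truncated or corrupt streams raise from :zlib.
      ErlangError -> {:error, :invalid_data}
    after
      # close/1 releases the stream even when we stop before its end.
      :zlib.close(z)
    end
  end

  defp collect(z, {status, chunk}, acc, size, max) do
    size = size + IO.iodata_length(chunk)

    cond do
      size > max -> {:error, :too_large}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      true -> collect(z, :zlib.safeInflate(z, []), [acc, chunk], size, max)
    end
  end
end

# Constructed inputs: 10 MB of zero bytes compresses to a few kilobytes.
large = :zlib.gzip(:binary.copy(<<0>>, 10_000_000))
small = :zlib.gzip("hello")

IO.inspect(byte_size(large), label: "compressed size of large input")
IO.inspect(BoundedGunzip.gunzip(large, 1_000_000), label: "large input")
IO.inspect(BoundedGunzip.gunzip(small, 1_000_000), label: "small input")
IO.inspect(BoundedGunzip.gunzip("not gzip", 1_000_000), label: "garbage input")
```

With the limit fixed, `gunzip` has the 1-arity `:ok`/`:error` shape the release notes give for custom codecs.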
Update dependency req to ~> 0.6
Some checks failed
renovate/artifacts Artifact file update failure
Test / tests (pull_request) Has been cancelled
8a51e7b082
renovate scheduled this pull request to auto merge when all checks succeed 2026-06-16 10:28:38 +00:00
Author
Contributor

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mix.lock
Command failed: install-tool elixir v1.20.1

renovate force-pushed renovate/req-0.x from 8a51e7b082 to b4c11f7008 2026-06-16 13:28:29 +00:00
Both commits: Some checks failed
renovate/artifacts Artifact file update failure
Test / tests (pull_request) Has been cancelled
Commenting is not possible because the repository is archived.
Reference
ludonauts/jupiter!43