Bump the mix-production-dependencies group across 1 directory with 6 updates#40

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/hex/src/flagd-ui/mix-production-dependencies-2b47dc0835

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Bumps the mix-production-dependencies group with 6 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| bandit | 1.11.1 | 1.12.0 |
| phoenix | 1.8.7 | 1.8.8 |
| phoenix_live_view | 1.1.30 | 1.2.3 |
| req | 0.5.18 | 0.6.2 |
| swoosh | 1.25.2 | 1.26.1 |
| tailwind | 0.4.1 | 0.5.1 |

Updates bandit from 1.11.1 to 1.12.0

Changelog

Sourced from bandit's changelog.

1.12.0 (5 June 2026)

Changes

Fixes

  • Properly handle mixed-case Transfer-Encoding headers (#590, thanks @mize85!)

Enhancements

  • Internal improvements to HTTP/1 body read functions (#588)
Commits

Updates phoenix from 1.8.7 to 1.8.8

Changelog

Sourced from phoenix's changelog.

1.8.8 (2026-06-10)

Enhancements

  • [phx.new] Use LiveView 1.2.0
Commits
  • 99df0a9 Release v1.8.8
  • 729f781 Generator changes for LiveView 1.2 (#6696)
  • d453e37 Use Elixir's builtin consolidation from v1.19, closes #4951
  • f30fa36 Clarify channel payloads can be any serializable value (#6695)
  • e1e7912 Replace all hexdocs URLs with the subdomain format (#6693)
  • cf9dd26 Add README template for Phoenix umbrella (#6691)
  • 39eb5dd Refactor template override backward compatibility test (#6684)
  • e1c3816 chore: small typo fix in controllers.md (#6689)
  • b6a4e31 Make websocket disconnect codes explicit (#6678)
  • eea4895 Add eex suffix to phx.gen.auth template override test (#6680)
  • Additional commits viewable in compare view

Updates phoenix_live_view from 1.1.30 to 1.2.3

Release notes

Sourced from phoenix_live_view's releases.

v1.2.3

This is a followup release to v1.2.2 that fixes the TypeScript declaration files being in the wrong subfolder. Again, it does not contain any changes to the Elixir or JavaScript code itself.

v1.2.2

This release fixes the npm package missing the TypeScript declaration files. It does not contain any changes to the Elixir or JavaScript code itself, except small documentation improvements.

v1.2.1

Bug fixes

  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#4291)

v1.2.0

Enhancements

  • Support events pushed when connected mount redirects (#4269)

Bug fixes

  • Ensure for comprehensions in HEEx use deterministic variables
  • Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
  • Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
  • Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3

Enhancements

Bug fixes

  • Fix nested assign change tracking (#4225)
  • Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1

Enhancements

... (truncated)

Changelog

Sourced from phoenix_live_view's changelog.

v1.2.3 (2026-06-12)

This is a followup release to v1.2.2 that fixes the TypeScript declaration files being in the wrong subfolder. Again, it does not contain any changes to the Elixir or JavaScript code itself.

v1.2.2 (2026-06-12)

This release fixes the npm package missing the TypeScript declaration files. It does not contain any changes to the Elixir or JavaScript code itself, except small documentation improvements.

v1.2.1 (2026-06-11)

Bug fixes

  • Fix stale events from the previous LiveView being sent to the new LiveView after a live redirect (#4291)

v1.2.0 (2026-06-10) 🚀

Enhancements

  • Support events pushed when connected mount redirects (#4269)

Bug fixes

  • Ensure for comprehensions in HEEx use deterministic variables
  • Ensure connect_params are kept when following redirects in LiveViewTest (#4005)
  • Ensure exceptions during LiveComponent renders are emitted as :telemetry event (#4258)
  • Fix whitespace handling of EEx nodes in HEEx compiler (#4277)

v1.2.0-rc.3 (2026-05-29)

Enhancements

Bug fixes

  • Fix nested assign change tracking (#4225)
  • Ensure Phoenix.LiveViewTest.live_redirect/2 properly passes the URI as a string in handle_params (#4247)

v1.2.0-rc.2 (2026-05-05)

Bug fixes

  • Ensure internal phx-viewport hook does not crash on update if no scroll container is used (#4214)

v1.2.0-rc.1 (2026-05-04)

Enhancements

... (truncated)

Commits

Updates req from 0.5.18 to 0.6.2

Release notes

Sourced from req's releases.

v0.6.1

v0.6.0

  • encode_body: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • decode_body: Drop automatic zip/tar/tgz/gz/zst/csv decoding (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of the nimble_csv dependency was surprising. CSV support is still built-in but needs to be enabled with decoders: [:csv].

... (truncated)

Changelog

Sourced from req's changelog.

v0.6.2 (2026-06-19)

  • Use finch ~> 0.21.

v0.6.1 (2026-06-08)

  • [compressed], [decompress_body]: Disable automatic decompression

    Decompression is now opt-in by setting compressed: true.

v0.6.0 (2026-06-08)

  • [encode_body]: Security fix for :form_multipart header injection (GHSA-px9f-whj3-246m).

    The multipart encoder interpolated the per-part name, filename, and content_type into the part headers without escaping, so an attacker-controlled value could inject extra headers or smuggle additional parts into the request. These values are now escaped per RFC 7578 / WHATWG form-data (", CR, and LF are percent-encoded).

    Thanks to @PJUllrich for reporting it.

  • [decode_body]: Drop automatic zip/tar/tgz/gz/zst/csv decoding (GHSA-655f-mp8p-96gv).

    Req previously auto-decoded archive and compressed response bodies (zip, tar, tgz, gz, zst, and csv) based on the server-supplied content-type, materialising the full decompressed contents in memory with no size cap. An attacker-controlled (or redirect-reachable) endpoint could return a tiny "decompression bomb" that expanded to gigabytes and exhausted the node's memory.

    Now only JSON is decoded by default. Other formats are opt-in via the new :decoders option, which defaults to [:json, :json_api]. Setting it replaces the default (include :json to keep JSON decoding), and false disables all decoding:

    # opt into archives (only for endpoints you trust):
    Req.get!(url, decoders: [:json, :zip])
    

    Note: The decoded zip/tar is still a list of {filename :: charlist(), contents :: binary} tuples. In a future release, this will be a list of {filename :: binary(), contents :: binary()} tuples.

    While automatic CSV decoding wasn't a security issue, the behaviour based on presence/absence of the nimble_csv dependency was surprising. CSV support is still built-in but needs to be enabled with decoders: [:csv].

... (truncated)

Commits

Updates swoosh from 1.25.2 to 1.26.1

Release notes

Sourced from swoosh's releases.

v1.26.1 🚀

🐛 Bug Fixes

  • fix fat-fingering content_id instead of cid, added tests, fixed outdated expected response in mua_test.exs @waseigo (#1155)

🧰 Maintenance

v1.26.0 🚀

✨ Features

⛓️ Dependency

New Contributors

Full Changelog: swoosh/swoosh@1.25.3...v1.26.0

v1.25.3 🚀

📝 Documentation

🧰 Maintenance

New Contributors

Full Changelog: swoosh/swoosh@v1.25.2...1.25.3

Changelog

Sourced from swoosh's changelog.

1.26.1

🐛 Bug Fixes

1.26.0

✨ Features

📝 Documentation

  • Document the new Mailpit adapter in the README

1.25.3

📝 Documentation

🧰 Maintenance

Commits

Updates tailwind from 0.4.1 to 0.5.1

Changelog

Sourced from tailwind's changelog.

v0.5.1 (2026-06-16)

  • Fix executable name on Windows

v0.5.0 (2026-06-11)

  • Allow configuring :version per profile
  • Allow env values to be lists, joined by the OS path separator
Commits
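
The unbounded-decompression problem described in the req 0.6.0 notes above, as an added example (not Req's code and not part of this pull request): if gzip decoding is re-enabled for an endpoint, inflate in bounded chunks with Erlang's `:zlib.safeInflate/2` and stop at a cap. The module name `BoundedGunzip`, the 1 MB cap and the sample inputs are assumptions constructed for illustration.

```elixir
defmodule BoundedGunzip do
  @moduledoc "Added illustration (not Req code): gunzip with a hard output cap."

  # Inflates gzip `data`, giving up once more than `max_bytes` were produced.
  def gunzip(data, max_bytes) when is_binary(data) and is_integer(max_bytes) do
    z = :zlib.open()

    try do
      # windowBits 16 + 15 tells zlib to expect a gzip header and trailer.
      :zlib.inflateInit(z, 31)
      loop(z, :zlib.safeInflate(z, data), [], 0, max_bytes)
    rescue
      # Corrupt or truncated streams surface as :data_error from :zlib.
      ErlangError -> {:error, :invalid_gzip}
    after
      :zlib.close(z)
    end
  end

  # safeInflate/2 hands back output in bounded chunks, so at most one chunk
  # beyond the cap is ever held in memory.
  defp loop(z, {status, chunk}, acc, size, max) do
    size = size + IO.iodata_length(chunk)

    cond do
      size > max ->
        {:error, :too_large}

      status == :continue ->
        loop(z, :zlib.safeInflate(z, []), [acc, chunk], size, max)

      status == :finished ->
        # Raises if the end of the stream was never reached (truncated input).
        :zlib.inflateEnd(z)
        {:ok, IO.iodata_to_binary([acc, chunk])}
    end
  end
end

# Constructed sample: 10 MB of zero bytes, which gzip shrinks to a tiny payload.
bomb = :zlib.gzip(:binary.copy(<<0>>, 10_000_000))
IO.inspect(byte_size(bomb), label: "compressed bytes")
IO.inspect(BoundedGunzip.gunzip(bomb, 1_000_000), label: "capped at 1 MB")
IO.inspect(BoundedGunzip.gunzip(:zlib.gzip("hello"), 1_000_000), label: "small body")
```

The cap should be applied to the decompressed size, since the compressed size and any server-supplied length header say nothing about how far the body expands.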

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and elixir (Pull requests that update elixir code) labels Jun 16, 2026
…updates

Bumps the mix-production-dependencies group with 6 updates in the /src/flagd-ui directory:

| Package | From | To |
| --- | --- | --- |
| [bandit](https://github.com/mtrudel/bandit) | `1.11.1` | `1.12.0` |
| [phoenix](https://github.com/phoenixframework/phoenix) | `1.8.7` | `1.8.8` |
| [phoenix_live_view](https://github.com/phoenixframework/phoenix_live_view) | `1.1.30` | `1.2.3` |
| [req](https://github.com/wojtekmach/req) | `0.5.18` | `0.6.2` |
| [swoosh](https://github.com/swoosh/swoosh) | `1.25.2` | `1.26.1` |
| [tailwind](https://github.com/phoenixframework/tailwind) | `0.4.1` | `0.5.1` |



Updates `bandit` from 1.11.1 to 1.12.0
- [Changelog](https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md)
- [Commits](mtrudel/bandit@1.11.1...1.12.0)

Updates `phoenix` from 1.8.7 to 1.8.8
- [Release notes](https://github.com/phoenixframework/phoenix/releases)
- [Changelog](https://github.com/phoenixframework/phoenix/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/phoenix@v1.8.7...v1.8.8)

Updates `phoenix_live_view` from 1.1.30 to 1.2.3
- [Release notes](https://github.com/phoenixframework/phoenix_live_view/releases)
- [Changelog](https://github.com/phoenixframework/phoenix_live_view/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/phoenix_live_view@v1.1.30...v1.2.3)

Updates `req` from 0.5.18 to 0.6.2
- [Release notes](https://github.com/wojtekmach/req/releases)
- [Changelog](https://github.com/wojtekmach/req/blob/main/CHANGELOG.md)
- [Commits](https://github.com/wojtekmach/req/commits)

Updates `swoosh` from 1.25.2 to 1.26.1
- [Release notes](https://github.com/swoosh/swoosh/releases)
- [Changelog](https://github.com/swoosh/swoosh/blob/main/CHANGELOG.md)
- [Commits](swoosh/swoosh@v1.25.2...v1.26.1)

Updates `tailwind` from 0.4.1 to 0.5.1
- [Changelog](https://github.com/phoenixframework/tailwind/blob/main/CHANGELOG.md)
- [Commits](phoenixframework/tailwind@v0.4.1...v0.5.1)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: phoenix
  dependency-version: 1.8.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: mix-production-dependencies
- dependency-name: phoenix_live_view
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: req
  dependency-version: 0.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: swoosh
  dependency-version: 1.26.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
- dependency-name: tailwind
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: mix-production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/hex/src/flagd-ui/mix-production-dependencies-2b47dc0835 branch from efde542 to 073a1cf Compare June 23, 2026 03:49