feat: Update rebar config, use shotgun ~> 1.2#187
Conversation
This version of shotgun brings in gun 2.2, which has multiple CVEs, causing app authors to be aware and explicitly override gun or shotgun.
Hello @matt-savvy, let me make sure this will work with a reasonable set of rebar3 versions. The problem is that rebar3 versions are not semantic versions. When working with hex it treats them that way, but when you use rebar you basically get the same behavior as adding
In your hex package you can override the version in the interim. Thank you,
Hey @kinyoklion - yup, I'm not well versed in Rebar, so please do check. If you do need to leave this set to a specific version, you probably at least want to use
FWIW, the
Looks like version 3.0+ should support the syntax. So we should be good.
Maybe we should have changed this to
🤖 I have created a release *beep* *boop*

---

## [3.11.0](v3.10.1...v3.11.0) (2026-06-17)

### Features

* Ensure shotgun dependency is at least 1.2.2. ([#189](#189)) ([b06a5c6](b06a5c6))
* Update rebar config, use shotgun ~> 1.2 ([#187](#187)) ([6c3e626](6c3e626))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

> [!NOTE]
> **Low Risk**
> Mechanical version and changelog updates only; no runtime or dependency file changes in this diff.
>
> **Overview**
> **Release 3.11.0** bumps the package version from **3.10.1** to **3.11.0** across Release Please metadata (`.release-please-manifest.json`), `ldclient.app.src`, and the `VERSION` macro in `ldclient_config.erl`, and adds the matching **CHANGELOG** entry.
>
> The release notes call out **shotgun** dependency work already landed on main: **rebar** now uses `shotgun ~> 1.2` with a floor of **1.2.2**. This PR does not change `rebar.config` or SDK logic—only version and changelog artifacts for the release.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 81c5ae2. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
It should be fine, I don't know about Rebar but Mix will always use the latest available version that meets the constraints. You shouldn't ever end up with 1.2.0. But this does mean that any new minor versions (1.3.0) of
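The `~>` (pessimistic) constraint that the thread hinges on, worked through as an added Python example that is not part of the PR or the ldclient code base: it applies the expansion rule Hex documents (`~> X.Y` means `>= X.Y.0, < (X+1).0.0`; `~> X.Y.Z` means `>= X.Y.Z, < X.(Y+1).0`), then resolves the highest matching release the way Mix and rebar3 do. The inventory of shotgun versions is constructed from the versions named on this page.

```python
# Pessimistic ("~>") version constraint semantics as used by Hex/rebar3,
# reimplemented here (not the real resolver) to show what `~> 1.2` admits
# versus a pinned "1.2.1" and versus a floor such as `~> 1.2.2`.
from __future__ import annotations


def parse(v: str) -> tuple[int, ...]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple (patch defaults to 0)."""
    parts = v.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def pessimistic_bounds(spec: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """'~> X.Y'   -> >= X.Y.0 and < (X+1).0.0
       '~> X.Y.Z' -> >= X.Y.Z and < X.(Y+1).0   (Hex's documented rule)."""
    ver = spec.removeprefix("~>").strip()
    low = parse(ver)
    if len(ver.split(".")) == 2:
        high = (low[0] + 1, 0, 0)
    else:
        high = (low[0], low[1] + 1, 0)
    return low, high


def satisfies(version: str, spec: str) -> bool:
    """True if `version` matches `spec`: a '~>' range or a bare exact pin."""
    if spec.startswith("~>"):
        low, high = pessimistic_bounds(spec)
        return low <= parse(version) < high
    return parse(version) == parse(spec)


def resolve(spec: str, available: list[str]) -> str | None:
    """Pick the highest available version satisfying spec (what Mix/rebar3 do)."""
    matches = [v for v in available if satisfies(v, spec)]
    return max(matches, key=parse) if matches else None


# Constructed inventory: the shotgun releases named in this thread.
AVAILABLE = ["1.2.0", "1.2.1", "1.2.2"]

if __name__ == "__main__":
    for spec in ["1.2.1", "~> 1.2", "~> 1.2.2"]:
        print(f"{spec:>9} -> resolves to {resolve(spec, AVAILABLE)}; "
              f"still admits 1.2.1? {satisfies('1.2.1', spec)}")
    # A future 1.3.0 would be picked by `~> 1.2` but excluded by `~> 1.2.2`.
    print("~> 1.2 with 1.3.0 published ->", resolve("~> 1.2", AVAILABLE + ["1.3.0"]))
```

The pinned `1.2.1` and `~> 1.2` both admit 1.2.1 (the shotgun release that brought in gun 2.2.0), but only the range lets the resolver move to 1.2.2 once it is published.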
Description
Changes
Update `rebar.config` to use `shotgun ~> 1.2`.
Before
With this change
Note
Low Risk
Single-line rebar dependency constraint change with no Erlang source edits; risk is limited to minor HTTP client library behavior differences in shotgun/gun.
Overview
Dependency-only change in `rebar.config`: `shotgun` moves from a pinned `1.2.1` to `~> 1.2`, so rebar can resolve a newer 1.2.x release. That pulls `gun` 2.4.1 (via shotgun 1.2.2) instead of `gun` 2.2.0, which had known CVEs and often forced downstream apps to override `gun` or `shotgun` explicitly. HTTP/SSE behavior still goes through shotgun; this is a transitive security bump, not an application code change.
Reviewed by Cursor Bugbot for commit 0eb2c90. Bugbot is set up for automated code reviews on this repo. Configure here.