Releases: benoitc/hackney

hackney 3.2.0

21 Feb 20:04

Refactor

  • Replace all cowlib modules with hackney-native implementations
  • Remove src/libs/ directory (all modules moved to src/)

Performance

  • HTTP/2 state machine optimizations:
    • Stream caching for recently accessed streams
    • gb_sets for lingering streams (O(log N) vs O(N) lookups)
    • IOList accumulation for header fragments
  • HPACK and QPACK header compression with O(1) static table lookups
  • WebSocket: use rand:bytes/1 instead of crypto:strong_rand_bytes/1 for mask keys

Added

  • h2spec HTTP/2 compliance testing (95% pass rate - 139/146 tests)
    • h2spec_server.erl: Minimal HTTP/2 server for compliance testing
    • h2spec_SUITE.erl: CT suite for running h2spec tests
    • Makefile target: make h2spec-test
  • HTTP/3 E2E tests against real servers
    • hackney_http3_e2e_SUITE.erl: Tests against Cloudflare, Google, quic.tech
    • Makefile targets: make http3-e2e-test, make all-e2e-test
  • HTTP/2 machine benchmarks (hackney_http2_machine_bench.erl)

Bug Fixes

  • Fix HTTP/2 flow control for body sending (use send_or_queue_data/4)
  • Fix async 204/304/HEAD responses not sending done message
  • Fix unknown HTTP/2 frame types not being ignored (RFC 7540 4.1)
  • Fix HTTP/2 frame size validation

3.1.2

21 Feb 02:21

Dependencies

  • Bump quic dependency to 0.10.1

hackney 3.1.1

20 Feb 08:44

Bug Fixes

  • Fix HTTP/3 Fin flag handling for HEAD requests and responses without body
  • Bump quic dependency to 0.7.1 (fixes packet number reconstruction)

Added

  • Add TLS options support in hackney_quic (verify, cacerts, cacertfile, SNI)
  • Add redirect following in hackney_h3 (follow_redirect, max_redirect options)
  • Add HTTP/3 integration and redirect test suites (36 new tests)

3.1.0

17 Feb 08:20

Refactor

  • Replace QUIC NIF with pure Erlang implementation. HTTP/3 now works with zero external dependencies - no CMake, Go, or C compiler needed. Just rebar3 compile.

Removed

  • Remove c_src/ directory containing lsquic, BoringSSL, and NIF code (~1.3M lines of C)
  • Remove do_cmake.sh and do_quic.sh build scripts

Added

  • Add hackney_qpack.erl for QPACK header compression (RFC 9204)

Changed

  • hackney_quic:is_available/0 now always returns true (pure Erlang is always available)
  • Update documentation to reflect no C dependencies

Dependencies

  • Add quic ~>0.5.1 (pure Erlang QUIC implementation)

3.0.3

15 Feb 19:30

Bug Fixes

  • Restore function-based streaming body support (#821). Functions passed to send_body/2 now work correctly for iterative body streaming, supporting both stateless fun() -> {ok, Data} | eof and stateful fun(State) -> {ok, Data, NewState} | eof forms.

CI

  • Fix FreeBSD CI job by adding pcre2 package to resolve git linker error

3.0.2

02 Feb 14:07

Bug Fixes

  • Add default Content-Type: application/octet-stream header when sending a body without explicit Content-Type (#823). This restores 1.x behavior and follows RFC 7231 recommendations.

Dependencies

  • Bump certifi to 2.16.0 (#824)

1.25.0 - 2025-07-24

24 Jul 11:39
8c00789

IMPORTANT CHANGE

  • change: insecure_basic_auth now defaults to true instead of false

    This restores backward compatibility with pre-1.24.0 behavior where basic auth
    was allowed over HTTP connections. If you need strict HTTPS-only basic auth:

    • Set globally: application:set_env(hackney, insecure_basic_auth, false)
    • Or per-request: {insecure_basic_auth, false} in options

Hex.pm : https://hex.pm/packages/hackney/1.25.0
Doc: https://hexdocs.pm/hackney/readme.html

1.24.1 - 2025-05-26

26 May 11:45

Changes

1.24.1 - 2025-05-26

  • fix: remove unused variable warning in hackney.erl

1.24.0 - 2025-05-26

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Breaking Change

The new insecure_basic_auth application variable defaults to false for security.
If your application relies on insecure basic auth over HTTP, you must explicitly set
application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Hex.pm : https://hex.pm/packages/hackney/1.24.1
Doc: https://hexdocs.pm/hackney/readme.html

1.24.0 - 2025-05-26

26 May 03:17

Changes

  • security: fix basic auth credential exposure vulnerability
  • security: add application variable support for insecure_basic_auth
  • fix: NXDOMAIN error in Docker Compose environments (issue #764)
  • fix: stream_body timeout after first chunk (issue #762)
  • fix: SSL hostname verification with custom ssl_options and SSL message leak in async streaming
  • fix: pool connections not freed on 307 redirects and multiple pool/timer race conditions
  • fix: socket leaks, process deadlocks, ETS memory leaks, and infinite gen_server calls
  • fix: controlling_process error handling in happy eyeballs and connection pool return
  • improvement: update GitHub Actions to ubuntu-22.04 and bump certifi/mimerl dependencies

Available on hex.pm

Breaking Change

The new insecure_basic_auth application variable defaults to false for security. If your application relies on insecure basic auth over HTTP, you must explicitly set application:set_env(hackney, insecure_basic_auth, true) to maintain previous behavior.

Full Changelog: 1.23.0...1.24.0

1.23.0 - 2025-02-25

25 Feb 11:37

Changes:

  • fix: happy eyeball use correct timeout during connection
  • fix: don't wrap connection error
  • improvement: eyeball only spawn ipv6 worker when needed

Available on hex.pm https://hexdocs.pm/hackney/1.23.0/